The RIA's Guide to
An in-depth guide to archiving compliance for
investment adviser firms.
To remain compliant with state and federal regulations, registered investment advisers ("RIA") firms must adhere to various record retention rules and requirements. This guide provides an overview of industry recordkeeping requirements.
Recordkeeping requirements for RIA firms are set at a high bar. After all, your firm is dealing with vital personal documents for people and businesses. This is an important vault that you need to keep secure, but also ensure that appropriate supervisors have quick access to retrieve specific information, if necessary.
- Business and Financial Accounts
- Investment Advice and Transactions in Client Accounts
- Client Communications and Recommendations
- Records that Document Your Authority to Conduct Business in Client Accounts
- Advertising and Performance Records
- Violations of the Code of Ethics Rule
- Registration and Client Disclosure Documents
- Solicitor Arrangements
- Policies and Procedures Adopted and Implemented Under Compliance Program Rule
- Political Contributions
- Custody of Client Assets
- Proxy Voting on Behalf of Clients
The Books and Records rule also states that all RIA firms must maintain and preserve their required books and records for no less than five years and must be readily accessible for the most recent two years of the
A website is one of the most effective and efficient communication tools for 21st-century advisers. By leveraging it properly, you can reach a larger audience than ever before—just make sure you’re keeping a proper record of it.
Many advisers post blogs and videos to their website multiple times per month, and update the text on different web pages a few times every year. On top of that, websites are incorporating more and more dynamic content, whether it’s video backgrounds or varying content based on a visitor’s specific information. Without a thorough and reliable archiving solution, your RIA firm could end up with gaps in its data history.
If and when your firm gets audited, you need to be prepared to provide the federal or state regulatory examination staff with a proper archive of the firm's website history. Additionally, in order to protect your firm, it’s important to have records that cannot be edited, revised, or deleted. Unfortunately, complaints from former clients can come down to something as simple as how you phrased one sentence in a blog you wrote five years ago. If you don’t have a record of that sentence, then a complaint or dispute may become your word against theirs.
To follow industry best practices, we recommend that your firm assigns a supervisor, typically the CCO or
compliance team to analyze the content periodically. RIAs typically redesign their websites every five or ten years,
and every time they do, they tend to lose everything from the previous version. An archiving solution serves as your firm’s own “Wayback Machine,” with greater detail and while simultaneously fulfilling your firm's regulatory
Communication and prospecting in the wealth management industry have changed dramatically over the years. The COVID-19 pandemic accelerated the digital evolution already in progress, driving RIA firms to find new, virtual ways to connect with current clients and engage prospects.
So, where are investment advisers turning? Social media channels.
The increase in social media usage among investors, combined with the new SEC marketing rule, allows social media to be an appealing marketing tool for investment advisers — but not without proper archiving and disclosures in place.
Nearly 50% of investors indicate that social media impacts who they hire, and 30% say they seek financial advice online, according to a survey conducted by Hartford Funds. Social media isn’t just for prospecting, either; it can be a great way to stay top-of-mind for current clients and provide them with relevant, timely educational content, deepening trust and solidifying your expertise.
As an adviser, one of the most important things to do to stay on the right side of compliance is make sure to archive all of your social media content and communications and to be sure all your social media content and communications include appropriate disclosures.
Social media use by advisers triggers the requirement to retain records of all communications, written and oral recordings, posts, media, comments, and all content, as it is updated on the adviser's social media pages.
Rule 204-2 states that firms must maintain copies of all advertisements, written and oral materials, all disclosures provided, and supporting documentation to back up the integrity and facts relied upon to create the advertising. RIA’s must retain versions of website content and social media profile(s). Moreover, the RIA firm must keep evidence of reviewing such advertisements as part of its book and records for at least five years from the end of the calendar year in which the advertisement was published or distributed.
What Needs to be Archived?
According to the guidance on social media and other business communications, RIA's should archive all customer queries, advertisements, and posts associated with your social media accounts. (All this material would be covered according to SEC Rule 204-2 and similar state rules mentioned above).
While social media can be a valuable resource for firms to communicate with the public in many ways, it can be a tough road to navigate in terms of properly archiving material. It is advisable to employ archiving technology that takes the burden off your RIA firm and ensures compliance is maintained. RIA firms can use an automated archiving system to remain compliant and be well-prepared for audits, discovery, and any other information requests.
A Few Substantive Compliance Issues to Keep in Mind
Making sure you have a solid archiving plan included in your policies and procedures manual is the first step to take before amplifying your social media presence, but there are many other compliance concerns to keep in mind. In 2020, the SEC updated its stance on advertising for the first time since 1961, with the finalization of the Marketing Rule. The rule reflects the massive evolution in technology, communication, content consumption, and general buyer behavior the world has seen over the past several decades. We address a few of the more prominent issues below.
- Testimonials and Endorsements: We touched on this point above, but let’s dive a little deeper. The SEC’s new allowance of testimonials opens up the traditional RIA referral marketing play from a one-to-one, difficult-to-measure strategy to a scalable, one-to-many opportunity. However, it’s important for advisers to understand and adhere to the SEC’s guidelines, such as clear and prominent disclosures, and maintain records of written agreements with their promoters and endorsers as applicable.
- Performance: The SEC prohibits the publication of performance results without having a basis for the data and following several guidelines when disseminating performance advertising to any audience. In fact, it’s probably best for advisers to avoid sharing performance information on social media, since the potential for unintentionally stepping out of line with compliance is significant. The SEC’s guidance regarding performance information includes specific conditions on the presentation, including using net versus gross of fees results, specific time periods for comparison, proper disclosures, and consideration of the intended audience.
- Predictions: Avoid using social media channels to make predictions or to give blanket financial advice. Not only is this a red flag for compliance, but it could also be seriously detrimental to your firm’s reputation.
Did you know There are over 319.6 billion emails sent and received globally daily? Email has become the crux of how we communicate with both clients and colleagues. We can send important documents, accept offers, and have full conversations all through email.
What is Email Archiving?
Email archiving is the process of capturing, storing, and properly maintaining records of your email communications and associated attachments on a long-term basis. This process keeps all content unchanged, helps to prevent data loss and serves as record documentation.
This process is distinct from email backup. Archiving takes the actual email and stores it in a new location outside of your email system for an extended period of time. You should have quick and easy access to specific emails that have been archived. Whereas, an email backup copies all the files, saves them in a new location for a limited period of time, and it is used to restore data in case of a breach or compromise. Backups are typically used for large-scale
Why is it Necessary for RIAs to Archive Emails?
- Compliance - All individuals at your RIA firm who send and receive emails with clients are held to the regulatory requirements related to archiving. Per SEC Rule 204-2, all client-facing communications, including emails must be archived as a part of your books and records.
- Data Storage - In addition to ensuring that your firm is compliant with the books and records requirements for investment advisers, data storage can be imperative to reducing performance issues with servers. Given that all email services have a limited amount of data storage capabilities, you may find yourself or your team deleting emails that you believe to not need now, but may be needed in the future. Email archiving can move data off of the server on an intermittent basis to assure that there is enough storage space, while maintaining records.
- Data Security - Hackers can access many areas of old records and electronic communication files that are believed to be out of the inbox and safely stored. Deleting emails and filing away in a location out of your inbox are generally not secure methods. Email archiving solutions can help protect your data from security threats and hackers, preventing permanent loss of email and all attachments in case of a data breach or disaster.
- Record Keeping - Email archiving is a great way to keep your firm’s records up-to-date and organized. Since archiving maintains all data and attachments, your firm will have a record of all communications with a client, as well as any important documents that may need to be accessed or reviewed at any time.
To enhance productivity, many firms are turning to automated archiving systems. Manual systems require employees to spend time transferring emails into storage or deleting emails to prevent capacity limits from being reached. Many companies are also familiar with the downtime caused when employees need to involve IT for help with email storage or transfer issues. Automating the archiving process helps to enhance operational efficiencies by making archiving duties simple for your employees, so they can focus on building client relationships.
It is beneficial to your firm to select a system that is user-friendly and has a simple interface. This will help new users get connected to the system in an efficient manner and can simplify the process for the supervisor to access and complete email review duties.
According to Rule 206(4)-7 of the Investment Advisers Act of 1940, RIA firms must do the following:
- Implement written policies and procedures reasonably designed to prevent violation by the firm’s employees,
- Conduct an annual review (at minimum) of the adequacy and effectiveness of the policies and procedures in place, and
- Designate a Chief Compliance Officer to administer the policies and procedures.
An RIA firm's policies and procedures manual needs to detail how the firm will archive its communications and how often the data will be reviewed. In a risk alert released this past November, the SEC staff stated that a firm’s policies and procedures should address “the accurate creation of required records and their maintenance in a manner that protects them from unauthorized alteration or use and protects them from untimely destruction."
Policies and procedures must be reviewed annually and updated to address changes in business practices or compliance matters as they occur. Among the SEC's Division of Examination’s list of most common investment adviser regulatory compliance deficiencies was the lack of proof that an annual review was conducted or failure to identify significant compliance concerns during the annual compliance program review. Regulators expect firms to complete compliance tasks throughout the year and to have these tasks documented for review in their annual report.
Keep in mind, the CCO is ultimately responsible for administering the firm’s compliance policies and procedures.
Data is the backbone of many businesses. While there are many ways to archive your firm’s data, here are some tips to help you avoid common pitfalls while setting up the right system for your firm.
- Automate Your Archiving System: One of the most common misconceptions for archiving is thinking that one person, or one team can handle this alone. Compliance is everyone’s job first and foremost. Secondly, due to the substantial amount of data required to remain archived to meet your RIA firms compliance requirements, even the best teams can fall short without a proper system in place. Creating a manual process for archiving is the number one mistake you can make while putting this system in place. Having an automated solution that archives items based on time limits set by you, as well as backing up data consistently, will save time, avoid costly errors, and help protect against regulatory issues.
Back It Up: The second most common mistake is not having the proper backup process in place for your system to run smoothly. An archive should have a secure data backup process and it should occur frequently enough to be available for timely reviews by the RIA firm's CCO.
It is a good idea to set parameters around what types of data are collected, such as emails, websites, and social media content when determining software to help with the archiving process. Having a retention policy for data is just as important as storing it in the first place.
- Test the System: Although the new system generally allows you to “set it and forget it”, make sure to schedule time to test the success of your system, perhaps on a monthly or quarterly basis. During these tests, you will assess whether your archiving activities are being executed consistently with what is outlined in your policies and procedures. Specifically, you will confirm that the right data is being captured and the frequency of data collection is occurring as stated.
It is also important to set aside time to reevaluate the keywords in place that automatically flag any potential risks or wrongdoing. Are any of your current keywords causing an influx of acceptable emails to be flagged? Are there any new key words you should consider due to recent events or any newly popular terms or acronyms to add to your list?
- Keep It Current: Make sure your policies for archiving are reviewed frequently, especially during your annual review process. Update policies with any new rules for compliance, and revisit any specific policies created by your firm to improve the system. Additionally, if you are updating equipment of any kind, make sure that your current system and technology works with your backup solutions. Outdated backup drives can cause many issues if they are not compatible with all your systems.
- Keep It Secure: Out of sight and out of mind should not be the way that you think about archived data. It is just as important to protect and secure the backup data locations, as it is to have security with the current data files. Do not skimp on your privacy and data security for your backup locations. Simple steps should be taken like changing passwords (especially when individuals leave your company). Additionally, take in consideration who has access and make specific policies to limit and be discretionary with access.
RIA in a Box LLC is not a law firm or investment advisory firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. The above information is not a comprehensive list of all relevant guidelines and should not be relied upon. You should always consult your relevant regulatory authorities or legal counsel if applicable.