E-mail Technology for Compliance Managers

By Ash Bhatnagar

Ash Bhatnagar, CFP®, is president of RIA Independence Company and Preiva Wealth. Preiva Wealth offers smaller advisers (less than $50 million) a working independent platform. RIA Independence Company specializes in helping the breakaway broker. Contact him at ash@riaico.com.

E-mail has become one of the biggest headaches for any industry, not just financial services. E-mails can be sent to anyone from anywhere with anything in them, and e-mail has become one of the primary methods of communication globally. Since e-mail communication has many risks, software companies have built security software to protect systems (such as Spam Filters, Virus Scan, Ad Aware, etc.). To understand the checks and balances that compliance managers should place at their firms, an overview of e-mail systems is needed.

The brain of an e-mail system is the server. It receives all the e-mail in a company and then distributes the e-mail to the correct person. 

The "correct person" receiving the e-mail normally has software on their computer to help them manage their e-mail with functions such as reply, create folders, etc. This individual software is called the "client." 

Firms that own their own mail server tend to use a Microsoft Exchange Server and firms that do not own their server use an external e-mail service. (More on mail servers later in the article.) 

External E-mail Services

When the firm does not own the e-mail server, the assumption is that you are a smaller firm with less than five people. Here, the expense of buying and managing a server most likely does not make sense, so you use an outside, basic e-mail service. This service will essentially download the e-mail to your hard drive and you read it via your client software. For this discussion I am assuming that software is Outlook.

Monitoring Employee E-mail

Because the firm does not own or manage the server, the compliance person needs to access employees' e-mail and then manually check each e-mail. I have not seen regulators ask the small firm to verify that they are monitoring employees' e-mail, but considering the environment today, I am sure they will.

So how do you monitor employee e-mail when you do not have a server? You will need to rely on your Outlook software to help you meet your compliance needs. First, ensure your Code of Ethics is updated as discussed in the server section. You should also keep all your e-mails on a central hard drive or on Network Attached Storage (NAS). By keeping all your e-mail on a NAS you can check your employees' e-mail anytime.

Second, you will need to use the features in your Outlook (depending on the version) to carbon copy you on any e-mail that matches your key words list. To create a key words list, go under "Tools" and then the "Rules and Alerts" section. Set up a "New Rule" with all the key words you wish to use. Once complete, you will need to repeat the procedure for all the users in the office. If you need specific instructions, check your MS Outlook owner's manual.

Spam Filters

Many basic e-mail service providers today offer virus protection and spam protection. Do not allow your e-mail service provider to automatically delete e-mail that it thinks is spam. You should physically review and delete e-mail in the spam folder.

Outsourced Services

Some users may be tempted to use outsourced MS Exchange Server services. Although this seems like a good idea at first, it may not do everything you need. You may not have all the freedom you need to add your own key words, alerts, etc. Additionally, most of these services do not provide archiving, so you have to pay additionally for an archiving service. 

Archiving E-mail

I have heard many confusing comments on archiving e-mail, so here is my opinion. Having an archiving service just for your e-mail does not make sense. Your policy should be the same for all electronic archiving. If you own your own server, think about buying co-hosted space for offsite archiving. Smaller firms should be on a NAS, which should be archived at an offsite location with a second NAS. Remember, you need to archive your Web site, marketing material, Word documents, trade blotters, etc. E-mail is just one part of archiving.

Mail Servers

For firms that own their mail server, the good news is that they are able to better control their e-mail. By understanding your e-mail system, a compliance manager may reduce his or her compliance burden by automating some functions.  

Before instituting any of the ideas presented here, ensure that your Code of Ethics specifically states that all e-mail incoming and outgoing from the firm can and will be reviewed by the firm. The technology department should have implemented software to filter out spam or junk e-mail. This software uses algorithms that determine if an e-mail is spam and places it in the spam folder. The client may then delete these e-mails, or the server can automatically delete them after a certain period of time. Unfortunately, anti-spam software was built by humans and therefore is not perfect. There have been many instances where I sent an e-mail to someone and my message went into the spam file. It has gotten so bad that many just ask me to call instead of sending them an e-mail. For compliance managers, this should be a big concern as customer complaints may actually wind up in the spam folder.

One of the features you should use is key words. Key words are used by the e-mail server to do a variety of things such as halt e-mail for compliance checking.  Normally these checks are related to insider trading, front running, harassment or just vulgarity. There should also be a set of key words for customer complaints. Some of the words or phrases you can add related to customer complaints:

  • Complaint
  • Loss
  • Losses
  • Unreasonable
  • Unhappy
  • Esquire
  • Esq
  • Attorney
  • Not Satisfied
  • Satisfaction

Remember, the compliance manager is not limited to these words. You may continue to add words as you see fit. You can also limit the search to communications outside the company only. This way you are not constantly monitoring internal communication about a complaint.

If you have a client e-mail list, you can have the e-mail server do a crosscheck. If the sender matches the list, the system will not treat the e-mail as spam. Additionally, if any of the key words match, a blind copy of the e-mail can be automatically sent to the compliance department. The compliance department should have a person performing systematic checks on the flagged e-mail for anything your firm considers a violation or a concern.
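The key word match, the external-only limit and the client-list crosscheck described above can be combined into one routing decision. The following Python sketch is an added example, not part of the original article and not Exchange configuration; the firm domain, the client address and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

FIRM_DOMAIN = "examplefirm.test"           # assumption: the firm's mail domain
CLIENT_LIST = {"jane@client.example"}      # assumption: exported client e-mail list
TERMS = ["complaint", "loss", "losses", "unreasonable", "unhappy",
         "esquire", "esq", "attorney", "not satisfied", "satisfaction"]
# Whole-word, case-insensitive match so "loss" does not fire on "glossary".
TERM_RE = re.compile(
    r"\b(" + "|".join(r"\s+".join(map(re.escape, t.split())) for t in TERMS) + r")\b",
    re.IGNORECASE)

def is_internal(addr):
    return addr.lower().endswith("@" + FIRM_DOMAIN)

def triage(raw, spam_verdict):
    """Routing decision for one message; spam_verdict is the spam filter's own result."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    # Only scan mail that crosses the firm boundary, as the article suggests.
    external = not is_internal(sender) or any(not is_internal(r) for r in rcpts)
    part = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (part.get_content() if part else "")
    found = TERM_RE.findall(text) if external else []
    hits = sorted({" ".join(m.lower().split()) for m in found})
    return {
        "spam": spam_verdict and sender not in CLIENT_LIST,  # client match overrides filter
        "bcc_compliance": bool(hits),                        # blind copy to compliance
        "terms": hits,
    }

# Constructed sample messages (not real traffic).
CLIENT_MAIL = ("From: Jane <jane@client.example>\nTo: adviser@examplefirm.test\n"
               "Subject: Unhappy with fees\n\nI have spoken to my attorney.\n")
INTERNAL_MAIL = ("From: a@examplefirm.test\nTo: b@examplefirm.test\n"
                 "Subject: re the complaint\n\nDraft reply attached.\n")
BULK_MAIL = ("From: promo@bulk.example\nTo: adviser@examplefirm.test\n"
             "Subject: Free glossary\n\nInvesting terms explained.\n")

if __name__ == "__main__":
    for raw, verdict in [(CLIENT_MAIL, True), (INTERNAL_MAIL, False), (BULK_MAIL, True)]:
        print(triage(raw, verdict))
```

The From header is easy to forge, so a production override of the spam verdict should key on a sender the server has authenticated rather than on the header text alone.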

Personal E-mail and Business Information

Another concern is employees using personal e-mail to communicate business information. A great first step is to have your technology department block all personal e-mail access as well as "bad" sites from the office computer. There are software products that can help the technology department with this task. However, the bigger concern is when employees work offsite and send business communication using their personal e-mail address. It is next to impossible to check someone's personal e-mail. But here are steps that a compliance manager can take to protect the firm:

  • Ensure that your Code of Ethics clearly states that employees may not use their personal e-mail to communicate any business-related issues, especially with clients.
  • State that any employee getting business communication from another employee via non-business e-mail must report this violation to compliance.
  • Clearly state that the firm will be checking for these violations.
  • Clearly state the violation penalty. First time warning, second time fine, etc.
  • Set up an employee personal e-mail list and then have technology perform an automated crosscheck. When an employee uses that e-mail address to send e-mail to the office, the employee will get an automated response explaining the violation. Of course, compliance should get a carbon copy.
  • Set up internal procedures to ensure that the checks are working at least semi-annually.
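The personal e-mail crosscheck and automated response from the list above, as an added Python example that is not part of the original article. The compliance mailbox, the registry of personal addresses and the sample messages are constructed assumptions; feeding the constructed violation through the function is one way to confirm the check still fires at the periodic review.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

COMPLIANCE = "compliance@examplefirm.test"   # assumption: compliance mailbox
# Assumption: registry of personal addresses employees have declared to the firm.
PERSONAL = {"pat.lee@freemail.example": "Pat Lee"}

def canonical(addr):
    """Lower-case and drop a '+tag' (a common provider convention, assumed here)
    so pat.lee+work@... still matches the registered address."""
    local, _, domain = addr.lower().rpartition("@")
    return local.split("+", 1)[0] + "@" + domain

def check_inbound(raw):
    """Return a violation notice for mail from a registered personal address, else None."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    employee = PERSONAL.get(canonical(sender))
    if employee is None:
        return None
    # Do not answer automated mail (RFC 3834), or two auto-responders can loop.
    if str(msg.get("Auto-Submitted", "no")).strip().lower() != "no":
        return None
    notice = EmailMessage()
    notice["From"] = COMPLIANCE
    notice["To"] = sender
    notice["Cc"] = COMPLIANCE                    # compliance gets its carbon copy
    notice["Subject"] = "Policy notice: personal e-mail used for firm business"
    notice["Auto-Submitted"] = "auto-replied"    # marks this as an automatic reply
    notice.set_content(
        f"{employee},\n\nA message from your personal address reached the firm.\n"
        "The Code of Ethics requires business communication to use firm e-mail.\n"
        "Compliance has been copied on this notice.\n")
    return notice

# Constructed samples (not real traffic).
VIOLATION = ("From: Pat <Pat.Lee+work@Freemail.example>\nTo: ops@examplefirm.test\n"
             "Subject: client file\n\nSending this from home.\n")
UNRELATED = ("From: news@vendor.example\nTo: ops@examplefirm.test\n"
             "Subject: update\n\nHello.\n")

if __name__ == "__main__":
    print(check_inbound(VIOLATION))
    print(check_inbound(UNRELATED))
```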

If you use these automated checks, as a compliance officer you should have a procedure in place to review your methodology. For instance, should the e-mails be sent with a blind cc to compliance, should they be halted for compliance approval, should there be an auto response with the e-mail? Since the server is owned by the firm, you are in complete control.

Although controlling e-mail can seem like a daunting task, key words could offer the control that a compliance manager needs. And depending on your firm's needs, you can add and subtract these key words as needed.