I read about a new red flag in the Securities and Exchange Commission’s exam process for investment advisers. Examiners are looking for Chief Compliance Officers with web-based email addresses. So, if your CCO uses a gmail, or yahoo.com email address on your Form ADV filing, the SEC will treat that as a red flag.
This comes from a story in IA Watch. According to the story, a senior person in the SEC’s Office of Compliance Inspections and Examinations mentioned the email address as part of the red flags for cybersecurity sweeps.
I would guess the alternate address for a contact on the Form ADV is subject to this same red flag.
Personally, I’m not sure I completely understand why this is a red flag. Some of the web-based email are just as secure as firm-run email server. For smaller shops, it may be even more secure. I feel certain that Gmail has better tech than a small IA shop.
I can see the web-based email as indicator of an outsourced CCO. Of course, the Form ADV now requires a firm to flag that it has an outsourced CCO. Perhaps it’s a red flag to see web-based email and not state that the firm has outsourced CCO. I can also see searches of “compliance” in the email address as another way to potentially find firms that did not state their CCO role was outsourced.
Sources:
- OCIE to launch another cybersecurity sweep exam within a year in IA Watch (subscription required)