SEC Warns Never Before Examined Advisors - We're Coming!
Sunday, February 23, 2014 08:14

Are you ready for an SEC Exam?


If you are SEC registered and have yet to receive an exam, you had better prepare.

For months the SEC has alluded to its focus on "never-before examined advisers".

This Website Is For Financial Professionals Only

On February 20, 2014, despite tight resources, the SEC formally issued a letter to Firm Owners and Chief Compliance Officers.


"Our [SEC] records indicate your firm is a registered investment adviser that has never been examined by the Office of Compliance Inspections and Examinations (“OCIE”) within the United States Securities and Exchange Commission (“Commission”)." [See SEC Letter dated February 20, 2014.]


So, we have established that they are coming. Now we are left with "when," and whether you are ready.

As a compliance consultant, I can attest that the SEC has been active. We have been neck deep in supporting advisor exams throughout the fall and coming into 2014. It is quite doubtful that they will get to all NBE Advisers in 2014, but your firm must prepare as if your turn is imminent.

The SEC has disclosed two approaches to these examinations: risk-assessment reviews and focused reviews.

Risk-Assessment Reviews are broader examinations that cover your entire compliance program. These reviews will focus on the effectiveness of your overall compliance program in preventing, detecting and correcting violations of the securities laws. In these examinations, the SEC will examine your overall business model and ensure you not only have the policies and procedures in place, but that your firm adheres to these policies consistently. The SEC will focus on your documentation and its consistency. [Note: If you cannot prove you completed a task or action, it did not happen in the eyes of the regulators. So please maintain proper documentation of business and compliance activities.]

Focused Reviews will target specific areas of your business model, including the Compliance Program, Filings/Disclosures, Marketing, Portfolio Management, and Safety of Client Assets. While these items may sound focused, they are both broad and inherent in most aspects of your enterprise risk and compliance. If the SEC finds some areas of weakness, they are very likely to continue into a deeper examination. In addition, the SEC recently announced their 2014 Priorities, which may yield some additional insights into the topics for Focused Reviews.

So how do you prepare?

There is no single answer to this question, but certainly taking no action has a certain end result. Here are some suggestions:

  • Risk Inventory. Start with developing a risk matrix that identifies all the business and compliance processes of your firm. Rank each item for its level of risk, impact, frequency and other parameters. The outcome of this activity should be a sortable list of your risk areas that can serve as the basis to formulate priorities.
  • Review Action Plan. Develop a reasonable and continuous action plan to review the target areas on your risk assessment. [Note: you will want to cover all areas of your business over time.]
  • Document. Document. Document. It is imperative that you document the details of your reviews. If you find areas of material weakness, you may want to consult your compliance or legal partners before committing the issues to writing. However, the key takeaway is that you must be able to demonstrate [through evidence] that you perform these reviews of your firm. The approach to documentation is not defined by the regulations, but it must be sufficient to demonstrate the effectiveness of the control environment.
  • Leverage your Team. Compliance has largely been left on the shoulders of the Chief Compliance Officer. An effective compliance program contemplates a "culture of compliance". Leaving the risk management to the CCO is not an effective way to manage risk and it naturally results in a low return on your investment. Integrating risk management into your organization brings accountability to all supervised persons of your firm and creates a stronger risk environment.
  • Seek External Support. If you have areas of your compliance program that require immediate attention or you are not sure how to get started, it is often best to engage external compliance resources. Mock examinations, structured compliance programs and targeted support are some of the options that are available.

Best of luck in your preparation.

2014 RIA Compliance: 23 Questions From Advisors And Answers
Thursday, January 16, 2014 11:43

Tags: account aggregation | compliance | RIA compliance

At an A4A webinar last Friday, I covered the major compliance issues RIAs need to know about to be prepared for a regulatory exam in 2014. The session covered a wide range of issues, including some sticky ones about how using an account aggregation application can trigger custody rules that are quite rigorous. Below are the questions and my answers. If you have follow-up questions, please don't hesitate to post them here. (A4A members ($60 annually) can see a replay of the webinar now.)

Q: You talked about account aggregation apps unintentionally deeming an advisor to have taken custody of a client’s assets. Can you elucidate? Let’s say an RIA is using ByAllAccounts, a popular account aggregation app for RIAs to track 401(k) assets. What might you do to trigger a problem?


A: Aggregation applications are intended to assist an advisor in avoiding custody — and, of course, enhancing their ability to provide advice on all client assets, even those held away. The challenge that advisors face is that many clients expect their advisor to take care of these administrative items. Just as logging into their 401(k) account as the client could possibly result in the advisor having custody, obtaining the client’s credentials to set up the aggregation service gives you the same level of access. These services strive to make it easy for the client to self-administer these accounts to provide the advisor with access. Advisors must resist the urge to accept the credentials and must insist that the client set up the aggregation feature themselves.
Regarding the custody rules: If an advisor has the ability to log into the client’s account as the client and change the contact information (email address, home address, phone, etc.) without some safeguard, the advisor has custody. The regulators look at this situation with the point that they can redirect information so that the client is unaware of what is happening with the account, thereby giving the advisor complete control. Advisors that must access an account at the client should perform requisite due diligence to make sure the level of access does not result in custody.
Q: ByAllAccounts only solves the custody problem with TRACKING, but it does not solve the problem of TRADING the 401k accounts.  Advisors must have the client's credentials to place trades.  How do you avoid custody if you want to manage 401k accounts?
A: Great question. As discussed above, aggregation tools are great for investment decisioning, reporting and risk management. However, I have not encountered any tool that will enable trade execution. Some 401(k) providers and platforms allow advisors to create their own account access and link client accounts. However, it is very likely that an advisor in the business will have one, if not many, accounts that don’t provide any tools for the advisor. So the advisor must log in as the client to trade. The next safeguard to check is to see if you have the ability to: 1) move money outside the account without the client's involvement or 2) change the contact information without notification.
Often withdrawals are handled outside the system or require completion of some additional paperwork. For contact information changes, if the plan sends an email to the client notifying the client that you made the change or sends a letter to the current address of record, that should be sufficient controls to demonstrate that you cannot change the client's information. You will want to validate this through contact to the provider. It would not generally be a good idea to just give it a try.
Q: ByAllAccts still requires us to have the access information for the 401(k), unless we have the client log in for us, which is still very problematic from the point of view of both the client and logistics for the advisor.  It does not solve the custody issue.
A: As noted before, the custody rule is truly a burdensome rule and I encourage advisors to speak up about it. Let’s be honest: those that intend to do harm to clients by unauthorized movement of funds are likely not flagging in their ADVs that they have custody. Advisors know every bit of information about their clients, including social security numbers and other private information. Those that wish to do harm already have all the tools they need. I am not sure this rule has any real protections.
To answer the question, it does not solve the custody issue at all if you cannot get your clients to setup the aggregation themselves.
Q: Can you address the question about held-away accounts a little more in detail?  How can we substantiate that we are unable to change data without actually attempting to do so on the site, which I would never do?
A: Great question. We don’t want to break the law to prove we are on the right side of it. While there is no great answer to this question, the best approach is to contact the platform, administrator or sponsor for guidance or assistance. The plan sponsor is a fiduciary for the plan, so they should be able to help you get info intended to protect the plan’s participants. I would suggest documenting the efforts, interactions and testing.
Q: We also use ByAllAccounts and we log into client accounts daily to download the data into Portfolio Center.  We bill for this service the same as if the money was sitting in Schwab.  Do we have to test every account to see whether we can change an email address or request a withdrawal to an address other than the client's? And, Andy - please don't use my name!
A: You do not need to test every account that is on the same platform or using the same administration, just the different providers. Different plans and sponsors may have different settings of some platforms. Through testing and communication with the platform, you will likely be able to determine the appropriate sample set. I would also perform annual due diligence on these accounts and providers to determine if anything has changed.
Q: If I confirm with a 401k plan client the trades to be made, AND contact the investment provider to have them make the trades (either rebalancing existing or future monies), wouldn't this be a workaround in lieu of having online account access and making the changes online, if the call to the client is documented and the call to the investment provider is always recorded and there is a confirmation #? Wouldn't this be a way around custody?
A: This is certainly a workaround for the custody issue, as you are not accessing the account to make the trades.
Q: If an advisor is deemed to have custody by virtue of accessing someone's 401k plan, for example, does this then connote custody for ALL other accounts for purposes of the SEC rule?
A: No and Yes. First, if you have custody for one account, you are an advisor with custody and subject to surprise inspections, disclosures, etc. However, you can demonstrate to the auditor that your custody is limited to specific accounts. They can validate the block of accounts to exclude from their examination and focus just on the accounts with custody. The ADV1 also requires that you only disclose the figures for the actual assets where custody applies.
Q: For advisors who have fees deducted quarterly from the custodian, assuming (a) clients have signed off on this arrangement and (b) receive invoices/the quarterly fees prior to the debits, would you see any reason why this would involve custody, using an independent custodian?
A: This is a common area of confusion. Thanks for accurately pointing this out.
However, if the advisor has certain safeguards in place, they do not have to deal with the implications of custody (surprise audits, ADV disclosure, financial requirements). As noted in the question, these safeguards include:
1)  Client account is held at a qualified custodian and the custodian provides the client with statements, at least quarterly.
2)  Client provides written authorization to the advisor to have the fee deducted from the account. This is included in both your client agreement and the custodian account opening documents.
3)  When the Advisor invoices the custodian, the advisor also sends a copy of the methodology to clients so that they can compare your statement to the custodian statement and have the ability to recalculate the fee.
Note: SEC advisors generally do not need to send the statement to clients as listed in item 3. Most, but not all, state advisors must follow this requirement.
Q: Chris said if you can move money you have custody. When I think of custody I think of can you move money OUT of the clients account -- a la Madoff....
A: Custody in the eyes of the regulators includes not only the ability to move money, but also the ability to redirect information regarding the account without the knowledge of the client. If the advisor is the only person with access to the account information, the regulators view the advisor as controlling that account.

Q: Any recommendations for specific tools or software to help manage the compliance process?
A: The best tools for compliance are likely the tools you already have to run the business. The most effective compliance programs are those that are integrated into the operations of your business. Consider your CRM, reporting system, email and document management tools and an intranet as the most important compliance tools. A strong portion of risk management and compliance stems from strong recordkeeping and the ability to identify risks or errors.
A CRM can be a great compliance tool to help you:
  • manage and test client suitability
  • track gifts and entertainment
  • track trade errors
  • track complaints
  • ensure that you have completed all annual compliance meetings
  • develop a compliance calendar and document testing results for a client sample
  • deliver your ADV
  • document correspondence

Your portfolio reporting system can often generate reports to look at your business from a risk management perspective and not just a client perspective. For example:

  • accounts with no/low activity
  • accounts with high or low cash balances
  • comparison to model, strategy or suitability
  • periodic fee analysis
  • review of trading costs
  • portfolio concentration
  • firm level composite portfolio concentration
  • transaction level testing and verification
In addition, there are tools available for compliance monitoring, testing and general compliance knowledge. AdvisorAssist provides each client with an Advisor Compliance Portal. The Advisor Portal is a secure, cloud-based application (extranet) that houses all compliance documents, versions, testing activities, compliance certifications, compliance tasks, filings and communications relating to the compliance program. We use this application to avoid version control issues, maintain a sound audit trail and make sure compliance tasks are completed.
Advisors can implement these types of tools for their own business as well. An intranet is right up there with CRM in terms of impact to an organization. While having a network drive creates a common place for storage, it is far too easy to lose control over the structure and content. A well-designed user interface that makes it easy to find the necessary tools, documents, policies, etc. can be invaluable.
An intranet can be very cost-effective to implement. Google Apps for Business, Office 365 Sharepoint, 3rd Party Intranets, Wordpress and Joomla (secured sites) can be implemented without significant cost. As your needs grow you can integrate other tools.
Q: Do you have any recommendations for a sole proprietor?  How does one do all this efficiently?
A: Great question. The best answer is to make sure you are not using a compliance program for a large firm. Far too often we encounter single person firms with 200+ page compliance manuals that they leveraged from another firm. The regulators take issue with policies that do not accurately reflect your business model. Make sure to customize and right-size your policies.
In addition to having a compliance program that fits, single person firms should seek outside support. This could be a compliance firm, another advisor that has a similar model, educational resources, etc. There’s quite a bit of information out there, but the rules and expectations continue to evolve. As the single person firm must cover every other aspect of the firm, we often see the compliance for the single person firm slip in favor of other critical business activities.
I suggest maintaining a compliance calendar or checklist to help you chip away at compliance at a steady pace throughout the year. While this rotational approach may be good advice for firms of any size, it has more impact for the smaller firm.
Q: With the way the SEC is now doing the inspections, how do you think exams will be handled when Dodd-Frank is implemented? I know that’s charged with political considerations, but who do you think will end up regulating RIAs? FINRA?
A: You nailed it – political considerations. FINRA has been quietly maneuvering and lobbying for a role in the RIA segment. While most advisors seek to keep them out of the mix, there is the possibility FINRA will have a role. There is the belief that they may at least obtain the right to examine and oversee hybrid firms. I do not anticipate that the state regulation for advisors will be disbanded.
Q: Some months ago, I (Andy Gluck) posted a blog suggesting the states be given responsibility for regulating RIAs with under $500 million AUM, up from the current $100 million. And I recently heard that one or two of the financial advisor professional associations with a stake in the debate was actually going to lobby regulators for approval of that scheme. Have you heard anything about that?
A: Many states have really increased their effectiveness with respect to the oversight of advisors (effectiveness measured as increases in examinations, frequency of exams, educational programs, and addressing wrongdoing). There are some states that do not have a supervisory system in place (New York and Wyoming). I think the states are generally doing a solid job, but have some work to do before increasing the burden. There are also a significant number of firms in the $100 to $500 million band. The states will need to ensure they have the talent and resources to address more firms and likely those with more complexity. NASAA groups are working on some harmonization of regulations across states, which would need to be addressed before such a change could reasonably be implemented. An advisor with several hundred million is far more likely to have multiple states. I think the states would need to have a plan to truly leverage the home state examiners.
Q: On slide 21, aren’t these documents just templates you can buy, and how do you know the difference between a template kept on file and an implemented policy acted upon by your RIA firm?
A: You can certainly purchase a baseline for your firm, but you do need to customize your compliance documents to reflect the business activities, risks and policies of your business. In addition, just having the documents is not enough. Advisors must know what is in the compliance program to be able to follow its policies.
Q: Can you talk more about the Firm Presentation?
A: The regulators need to understand your business to evaluate how effective your firm is at meeting its compliance obligations. I believe it is best to help articulate your business model to the examiners, instead of having them try to figure it out from document requests. The primary goal of this document is an efficient audit, but it has many other benefits. Help the examiners to understand your business model:
  • Investment philosophy and process
  • Client service model
  • Your team and everyone’s roles
  • Service providers and technologies you leverage
  • Control environment
We find that advisors often don’t articulate all the risk management activities that they perform in a given day, week, month or year. When the topic of compliance comes up, the compliance manual and some testing activities seem to be the focus. As you think about your people, processes and controls consider all the risk management activities you perform.
Q: Do examiners always call before arriving?
A: No, unfortunately. They generally have the ability to just show up unannounced. Many states and the SEC will provide a few days' notice for an exam to avoid unfair disruption. However, they generally do not afford enough time that you can perform a rush clean-up of your firm. If the regulators are there for cause, they often will not provide notice.
Q: How can you review your examiner’s background before he arrives?
A: This of course depends on the information you have about who is coming and the general composition of the team. If you have the opportunity to talk with the examiners prior to the exam, take it. Ask about their exam process, expectations for timing, time period under review, and other pertinent information.
Ask who will be coming so that you are prepared. For example, when the SEC comes, you will want to know the specialty or division. Is the examiner from inspections or enforcement? Will there be one, two or more examiners?
Q: What do you mean “request an exit exam?” Do you mean ask to meet with the examiners before they leave your office?
A: “Exam” is the wrong choice of word. Request an “Exit Interview”. Before the end of the onsite exam, request a meeting to share preliminary findings. Remember that their job is to make sure you follow the rules. If there is a deficiency, the sooner you address it the better. The examiners may not be ready to speak to all topics in detail, but will generally provide some directional guidance. It never hurts to be able to state that you corrected the deficiency before the exam concluded and you have a plan to prevent future occurrence.
Q: How friendly can you be with an examiner? Can you ask your examiner to join you for lunch?
A: This is a judgment area. The examiners are there to do a job and typically don’t take anything personally regarding your business. It is certainly OK to be cordial, and joining them for lunch may be appropriate for the situation. I would suggest not offering to purchase lunch or anything that can be misconstrued. Making a comfortable environment for the examiner is generally appreciated by them. Remember, they have seen just about everything in their travels. So in short, polite and conservative is the best route.
Q: You talked about putting your examiner in a comfortable spot to work. How long will they be there and should it be in a bullpen or private office?
A: I would suggest that the examiners are provided a private space. You have a business to run while the exam is going on, and they have work to do and will need to have private discussions. While you may have nothing to hide, limiting the conversations they have access to and providing a spot that allows them to be efficient is the best approach.
Q: What makes a wrap fee program a wrap fee?  How is it different from a TAMP?
A: A wrap fee program is a structured investment program where a single fee is charged to the client. The “wrap fee” includes the advisory fees, transaction fees, and other fees wrapped together in a single fee. A Turn-key asset management program (TAMP) may employ a wrap fee model or have the clients responsible for paying the transaction costs for trades in their accounts.
Q: What is the bare-bones compliance regimen required for a solo, fee-only advisor operating without custody of client assets? What is the realistic risk of penalties for such a "pure" advisory practice?
A: This is a tough question to answer. As discussed above, while a solo-RIA is subject to the same rules as a firm with more than one supervised person, there is of course the reality of self-checking and a lack of separation of duties. The rules must be followed regardless of headcount. The best advice for a solo firm is to keep it simple and have a program that is aligned with the operations of the business. As there is one person to execute and supervise, it can be even more important to have good documentation.
Penalties don’t really differ based on headcount. The regulators have a mandate to protect investor interests. In the RIA realm, minor compliance shortcomings typically result in a deficiency letter and an opportunity for corrective action. Fines, suspensions and other actions don’t usually come into play unless there have been clients harmed, failure to supervise, or repeat issues.
Q: Can you have Chris provide an overview of services available from AdvisorAssist and cost estimates for different levels?
A: AdvisorAssist provides several support models for state and SEC advisory firms of all sizes. Our compliance support programs are tailored to the business models, scope of services and general risk model of each firm.
Our Compliance Essentials program is designed for smaller advisory firms. It covers the core annual compliance program for the firm, ADV amendments, maintenance of compliance tools and support in completing compliance tasks during the year. We provide guidance on SEC and state regulations and assist in preparing for and responding to regulator deficiencies. In addition to the core scope, we provide an allocation of flexible consulting hours to assist with other business and compliance projects.
Our Compliance Advantage program expands upon the Essentials, with proactive compliance management meetings, risk assessments, advertising reviews, and other testing. Often firms with more than one supervised person engage for this service level as it includes code of ethics administration and other oversight activities. The Compliance Advantage has different levels based on frequency of calls and the allocation of work between AdvisorAssist and the advisor.
In addition, we also develop customized solutions.
Pricing is determined based on the business model complexity, level of interactions and other aspects of the scope. Our pricing and service options are aligned for advisory firms of all sizes from the single person firm to large national RIAs.


Questions About ByAllAccounts And When Account Aggregation Of 401(k) Assets Triggers Onerous Custody Rules Become Focus Of Webinar About 2014 SEC Examination Priorities For RIAs
Saturday, January 11, 2014 15:01

Tags: compliance | Dodd-Frank

Account aggregation app, ByAllAccounts, is the most popular account aggregation application among RIAs advising individual investors.

So it was surprising when the app became a central focus of this week's webinar about 2014 RIA compliance priorities.
Chris Winn of AdvisorAssist, an operations and compliance consultant, was the speaker at A4A’s weekly professional education session. The timing of his session, “2014 Compliance: Are You Ready For An Exam?” could not have been better: Winn had just spent a week with an SEC examiner on-site at a client’s office assisting the RIA being inspected by the SEC.


In addition, the SEC, a day earlier, had published its list of Examination Priorities for 2014.
Winn’s comments about how account aggregation might unintentionally subject an RIA to onerous custody rules drew a flurry of questions and comments from attendees. A third of the approximately 25 questions from attendees were about ByAllAccounts and the dreaded custody rules, a strong reaction to one topic.
Taking custody of assets triggers regulations that are costly for a small financial advisory firm to comply with. Depending on exactly how an RIA advises an account — how the RIA logs into a 401(k) website, the functionality provided by a 401(k) provider, and other minutiae — an RIA could be required by the SEC to comply with the onerous custody rules.
The custody issue was the most controversial topic to come up but Winn, who has a couple of decades of experience in RIA compliance and operations, offered tips on a broad range of compliance issues.
Winn’s presentation received 4.6 out of five stars and the comments from attendees (below) show how helpful the session was to some advisors. A4A members ($60 annually) can see a replay of the webinar now. Winn will be posting answers to attendee questions in the next few days. Look for that post because he will go into more detail about compliance issues we did not have time to cover at the session, including the custody issue.




-- Excellent.

-- Good Information and recommendations

-- This is possibly the best compliance session I have attended in my 17 years in the business.  Chris was very specific about our responsibilities and that is rather unusual... in a good way.

-- I would be interested in a Part 2.

-- Very insightful.  I have a rather small firm and have been audited by the state of Texas three different times in a 10 year span.

-- Quality Information,  Thanks,

-- Would have been more effective to have shown an example of compliance calendar.

-- Very informative

-- Andy -- I have to thank you. Without you I would have never met Chris Winn--he is now my most trusted partner at 7Twelve. I didn't know guys like this even existed before I saw him for the first time on A4A. I certainly sleep better and run a better shop because of Chris!

-- Better than most on this subject.

-- Very professional, although too quick for level of information desired.

-- This subject can be very uncomfortable for most advisors. It can also be emotionally draining and cause a lot of angst. Chris has presented before, and he is always measured and matter of fact in his delivery. That being said, there are times when I will ask "is he kidding"? Of course, Chris is only the messenger, and you aren't supposed to shoot the messenger. Nice job on a difficult topic for advisors.

-- Yes as a CFP working in an RIA, I listened even though I got no credit.  My firm went through an audit last year and I wanted to make certain that I/we got a refresher on the topic.  Chris's presentation reinforced what I thought was important to do as a followup to that audit and on an ongoing basis

-- This is a topic that needs to be on the list more often.




For Small BDs And Clearing Firms, FINRA Legal Action Serves As a Cautionary Tale On Anti-Money-Laundering Compliance
Tuesday, December 17, 2013 09:36

Tags: broker-dealers | compliance

FINRA announced yesterday that it imposed a $1 million fine on a Nebraska clearing firm for repeatedly violating anti-money laundering (AML), financial reporting and supervisory requirements.  The announcement serves as a good checklist for compliance and supervisory personnel about the types of matters FINRA may investigate during firm audits.



FINRA asserted that Omaha-based COR Clearing LLC’s AML surveillance program failed to reasonably address risks given the company's business model, because the type of accounts it deals with have a higher risk of money laundering and other fraudulent activity.


Among other findings, FINRA determined that COR’s anti-money laundering surveillance system nearly collapsed for a portion of 2012, and as a result, the firm failed to conduct any systematic reviews to identify and investigate suspicious activity.  FINRA also asserted that, in 2009, COR instituted a so-called "defensive SARs" program, under which it filed suspicious activity reports without actually completing the investigation necessary to support the reports' filings.


The regulator alleged COR committed multiple supervisory violations as well, relating to the outsourcing of back-office functions, funding and liquidity. COR also allegedly neglected to save and review emails of one of its executives and failed to ensure that its president was properly registered as a principal. COR was also accused of making multiple financial reporting errors, including repeatedly making erroneous customer reserve and net capital computations, and filing inaccurate Financial and Operational Combined Uniform Single (FOCUS) reports with FINRA.


The alleged violations came to light during several examinations of COR from 2009 to 2013 and included numerous repetitive violations from year to year. The sanction also resolves charges brought in an April 2012 FINRA complaint as well as additional alleged violations discovered recently.


The fine is part of a settlement resolving the allegations against COR, which neither admitted nor denied any wrongdoing.  In addition to the fine, COR was ordered to hire an independent consultant to conduct a comprehensive review of its policies, systems and training, to submit new clearing agreements for FINRA approval during the review and, for a period of one year, to have its CEO and chief financial officer certify that each executive has reviewed the firm’s customer reserve and net capital computations for accuracy prior to submission.


The case is FINRA Department of Enforcement v. Legent Clearing LLC, case number 2009016234701, in the FINRA Office of Hearing Officers. For BDs and clearing firms, FINRA's findings and actions serve as a cautionary tale.

RIA Fires Google Apps After Google Notifies Advisor Of A 15-Month Failure In Gmail's Archiving System; Gmail Archiver Accidentally Deleted Messages It Was Supposed To Retain
Thursday, December 12, 2013 13:32

Tags: advisor technology | client emails | compliance | email | FINRA | google | RIA compliance

An investment advisor rep with a background as a programmer recently replaced Google Apps' email archiving system after being notified that Gmail's archiver accidentally deleted messages that should have been retained, for the 15-month period from March 28, 2012 to June 18, 2013.

Google notified the advisor on September 5 of the failure, gave him a refund, and apologized profusely. In a lengthy mea culpa to Gmail archiving users affected by the failure, Google said it has rectified the problem and lists numerous steps it has taken to reduce the risk of another such failure. (The email sent by Google to the financial advisor about the failure of the Google Vault archiving system is pasted below.)


The failure was specifically attributed by Google to its Vault, where email archives are retained. Google says Vault failed to archive messages deleted by users. That’s not supposed to happen. To be clear, when a Gmail archiving user deletes an email from his mailbox, it’s supposed to be retained by Google's archiving system. That’s the system of record for an RIA, where regulators should be able to access all emails—especially the ones you've deleted.  

“In the weeks since we discovered the problem in July, we researched methods to identify and recover the deleted messages,” Venkat Panchapakesan, Vice President, Engineering at Google, wrote in the September 5 email sent to Gmail archiving users who lost an unknown number of emails. “We were able to restore messages that users deleted between June 19, 2013 and July 17, 2013 to the Vault archive. However, as part of normal operations, Gmail systems purge and permanently remove older messages, and we could not retrieve messages that users deleted between March 28, 2012 and June 18, 2013.”

Ironically, the RIA, whose owner asked not to be named, is run by an advisor who knows how to code in several computer programming languages and is a sophisticated technology buyer.

It's interesting to note that if you search Google for press coverage of Google Vault's failure to archive emails, you won't readily find any results or social banter mentioning the Gmail archiving failure.

“What I learned from this instance is that using software designed to be compliant for our industry is the most efficient way to handle these things,” he says. “While Google Apps was a cheap alternative, their history with snooping, changing terms and conditions, and deleting supposedly archived emails has very much soured me on them.”


From: Google Apps Vault

Sent: Thursday, September 5, 2013 4:10 PM


Subject: Please Read: Archiving issue with your Google Apps Vault service


Dear Google Apps Vault Administrator,

We want to inform you of an issue that occurred with your Google Apps Vault service. Vault is designed to keep an archive of your organization's messages, including messages that your users delete. However, Google recently determined that the Vault service did not retain some deleted messages as it should have. Messages under legal hold were properly archived and not affected by the issue.

In this letter, we’ll explain what happened and how we fixed the problem, the refund you will receive, and how to contact us for any assistance.

Background: Vault retention rules

Admins can set up a default retention rule to control how long Vault retains their organizations’ messages. For example, the default rule can be set to retain all messages for 3 years. When users delete messages from Gmail, the messages are removed from their mailboxes, but should remain available in Vault.

Admins can also set custom retention rules in Vault. For example, they can set a custom rule to retain some users’ messages for 7 years instead of the 3-year default retention rule for all users. In the event of an investigation, admins can place a user on a legal hold so the user’s messages are exempt from deletion by any retention rules.

What happened with the Vault archive

On July 17, 2013, we discovered that the default retention rule had not been working as intended since March 28, 2012, the initial release of the service.

If a user deleted a message from their mailbox, the default retention rule did not archive the message in Vault. Instead, these deleted messages were permanently removed from Google's servers by the normal Gmail deletion process. This means:

- The default retention rule did not retain messages that users deleted between March 28, 2012 and June 18, 2013. As a result, these messages deleted by users are not included in your archive, unless they were subject to a custom retention rule or legal hold.

- All messages that your users did not delete have been archived by your default retention rule as expected.

- All messages subject to legal holds and custom retention rules have been archived as expected. Custom retention rules and legal holds were unaffected by this issue.

We have fixed this issue, and messages deleted by users after June 19, 2013 are now properly archived by the Vault default retention rule.

We sincerely apologize to your organization and users for not archiving your messages according to the default retention rule. We understand that you entrusted Vault with your messages, and we fell short of providing you with the complete service you expected and paid for.

The impact of this issue

In the weeks since we discovered the problem in July, we researched methods to identify and recover the deleted messages. We were able to restore messages that users deleted between June 19, 2013 and July 17, 2013 to the Vault archive. However, as part of normal operations, Gmail systems purge and permanently remove older messages, and we could not retrieve messages that users deleted between March 28, 2012 and June 18, 2013.

After thorough investigation, we determined that we do not have data about the number of messages affected by this issue. We regret that this information is unavailable. The actual impact to your organization depends on which messages were subject to the default retention rule (and not retained by any legal holds or custom rules), and how many of those messages your users deleted. Many Gmail users tend to archive rather than delete, in which case the messages were retained in Vault as expected. If you want to review your retention and archiving rules, please see these step-by-step instructions.

Ensuring the reliability of the service

We want to share our findings about the cause and how we will prevent issues like this from recurring. Our initial implementation of the default retention rule contained a defect in the archiving of deleted messages. As we did not have the correct monitoring in place, the retention defect persisted until we recently discovered the issue.

The Vault team and other engineers at Google investigated our internal processes and performed a complete technical review from development to production. Here are the actions we are taking:

- In engineering: We are expanding engineering reviews for all changes and new features to ensure that the code does what it's meant to do and works well with other Google systems. For the product requirements and development phases, we have developed more detailed use cases that describe combinations of default retention rules, custom rules, and legal holds.

- In testing: We are overhauling our quality assurance processes and rebuilding the test environment. To better detect potential issues, we are increasing our testing rigor and coverage—expanded reviews of quality assurance plans, improved tests, and more test cases, with deeper focus on retention.

- In use: We are improving our system reporting and analytics to monitor the health of Vault and its retention system as customers use the service—for example, to automatically alert the engineering and support teams of any unusual changes in the volume of archived messages. This will help us both detect and respond quickly to any issues that may arise in production.

Your service refund

Because Vault did not perform as intended, we are issuing you a full refund from the day you began payment for the service through July 31, 2013.  Within the next 30 days, we will send you information about receiving your refund.

Our commitment to you

We want you to know that our team is taking this issue extremely seriously. The Vault service has not lived up to the standards that you, as our customer, expect from us. We apologize to you for this issue—we can and will do better for you.

We are committed to providing an archiving service that's reliable, secure, and responsive to your business needs. We use Vault for our own retention of email, and we are confident in the service's capabilities. In the coming months, we will be working hard to earn back your trust.

If you have questions or need assistance, please contact us at our hotline at 1 855-675-1504 toll free in North America or 1 604-675-1504 (between 8AM to midnight EST, Monday through Friday) or by email.


Venkat Panchapakesan

Vice President, Engineering




© 2013 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043.

You have received this mandatory email service announcement to update you about important information regarding your Google Apps Vault product or account.
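The retention model the letter describes (one default rule for every user, per-user custom rules that override it, and legal holds that exempt a user from expiry) is easy to get subtly wrong in exactly the way the letter admits: the delete path archived under custom rules and legal holds but let default-rule deletes fall through to the normal purge, and no monitor compared deletes against archived copies. The model below is an added, constructed example written for this page; it is not Google's or Vault's code, and the names (Message, RetentionPolicy, Archive, reconcile_deletes, archive_ratio) are illustrative. It reproduces the defective behaviour beside the corrected one and runs the reconciliation check and volume ratio that would have surfaced the gap on the first day rather than after fifteen months.

```python
"""Retention-rule model plus the reconciliation check that catches an archiver
dropping deleted mail. Constructed example; not Google's or Vault's code."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Message:
    msg_id: str
    user: str
    sent: date


@dataclass
class RetentionPolicy:
    """Default rule for everyone, per-user custom rules, and legal holds."""
    default_years: int = 3
    custom_years: dict = field(default_factory=dict)  # user -> years, overrides default
    legal_holds: set = field(default_factory=set)     # users whose mail never expires

    def rule_for(self, user: str) -> str:
        # Precedence as the letter describes: legal hold beats custom rule beats default.
        if user in self.legal_holds:
            return "legal_hold"
        if user in self.custom_years:
            return "custom"
        return "default"

    def expires_on(self, msg: Message):
        """Date the archived copy may be purged, or None while under legal hold."""
        if self.rule_for(msg.user) == "legal_hold":
            return None
        years = self.custom_years.get(msg.user, self.default_years)
        return msg.sent + timedelta(days=365 * years)


class Archive:
    """System of record. defective=True reproduces the failure in the letter:
    a user delete under the default rule is purged instead of archived."""

    def __init__(self, policy: RetentionPolicy, defective: bool = False):
        self.policy = policy
        self.defective = defective
        self.retained: dict = {}   # msg_id -> (Message, expiry date or None)
        self.purged: set = set()   # ids that went to the normal mailbox purge

    def on_user_delete(self, msg: Message) -> None:
        rule = self.policy.rule_for(msg.user)
        if self.defective and rule == "default":
            # Defect: only the custom-rule and legal-hold branches archive; the
            # default-rule branch falls through to the ordinary purge.
            self.purged.add(msg.msg_id)
            return
        self.retained[msg.msg_id] = (msg, self.policy.expires_on(msg))


def reconcile_deletes(deleted: list, archive: Archive) -> list:
    """Invariant: every user delete has an archived copy. Returns the ids that do not."""
    return sorted(m.msg_id for m in deleted if m.msg_id not in archive.retained)


def archive_ratio(deleted: list, archive: Archive) -> float:
    """Fraction of deletes that reached the archive; a production monitor alerts
    when this drops, which is the volume check the letter says is being added."""
    if not deleted:
        return 1.0
    kept = sum(1 for m in deleted if m.msg_id in archive.retained)
    return kept / len(deleted)


def run_scenario(defective: bool):
    """Constructed sample: two default-rule users, one custom 7-year user, one legal hold."""
    policy = RetentionPolicy(default_years=3,
                             custom_years={"cfo": 7},
                             legal_holds={"trader"})
    deleted = [
        Message("m1", "alice", date(2012, 6, 1)),   # default rule
        Message("m2", "bob", date(2012, 9, 1)),     # default rule
        Message("m3", "cfo", date(2012, 6, 1)),     # custom 7-year rule
        Message("m4", "trader", date(2012, 6, 1)),  # legal hold
    ]
    archive = Archive(policy, defective=defective)
    for m in deleted:
        archive.on_user_delete(m)
    return reconcile_deletes(deleted, archive), archive_ratio(deleted, archive)


if __name__ == "__main__":
    print("defective archiver:", run_scenario(True))    # (['m1', 'm2'], 0.5)
    print("corrected archiver:", run_scenario(False))   # ([], 1.0)
```

With the defective archiver the reconciliation returns exactly the default-rule deletes and the archive ratio halves; with the corrected one the list is empty and the ratio is 1.0. Running the reconciliation as a scheduled job against the delete log, rather than trusting that the archive path was exercised, is the control a compliance officer should ask any archiving vendor to show evidence of.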





