• An investment management company was recently hit with $200 million in fines for failing to track employees’ use of personal messaging apps, which resulted in the loss of communications that were subject to regulatory recordkeeping rules.
• Although the company had a policy prohibiting the use of personal messaging apps for business purposes, it was nevertheless culpable for failing to adequately supervise and enforce employees’ compliance with its rules.
• This incident highlights the need for discovery practitioners to pay close attention to whether communications from personal devices are subject to legal hold, which raises the importance of early discussions with key custodians about their practices.

Firms could face harsh penalties for failing to adequately supervise employees’ compliance with data retention policies, even with respect to employees’ use of personal messaging apps. In December 2021, an investment management company was hit with $200 million in fines for failing to keep track of employees’ use of personal messaging apps, resulting in the loss of communications that were subject to SEC and CFTC recordkeeping rules.[1] Over 100 employees’ communications regarding market strategies, client meetings, and market events/trends evaded the firm’s recordkeeping protocols. The SEC’s enforcement division has announced that it is now looking at whether other brokerages committed similar failures.

Employees are increasingly using texts and real-time messaging apps on handheld devices to communicate about work rather than using solely company-managed email or office messaging platforms that get automatically archived.  This trend requires companies to consider their employees’ use of personal devices in crafting and enforcing retention policies, including provisions that govern how employees should communicate.  Such policies must do more than merely prohibit the use of personal messaging apps.  In the matter at hand, the brokage’s policies did indeed forbid the use of personal apps for business purposes; the firm’s culpability stemmed from its failure to adequately supervise employees’ compliance with its rules.

This incident highlights the need for discovery practitioners to pay close attention to whether communications from personal devices are subject to legal hold and potentially at play in discovery, which raises the importance of early discussions with key custodians about their practices.  Regulators learned of the company’s recordkeeping violations because it failed to produce communications with a third-party in response to a subpoena – communications that regulators knew existed based on communications they received from that third-party.  Such a failure in litigation could give rise to claims of misconduct, spoliation, or sanctions resulting in costly motion practice and close scrutiny of a party’s discovery practices.

[1] [1] Exchange Act Rules 17a-3 and 17a-4, specify minimum requirements with respect to the records that broker-dealers must make, how long those records and other documents relating to a broker-dealer’s business must be kept and in what format they may be kept. The SEC requires that broker-dealers create and maintain certain records so that, among other things, the SEC, self-regulatory organizations ("SROs") and state securities regulators may conduct effective examinations of broker-dealers.

[View source.]