In the wake of the collapse of two major U.S. banks, America’s public attention has refocused once again on the oversight and integrity of the financial markets. Amidst this backdrop, on March 10, 2023, Edward D. Jones & Co., L.P. (“Edward Jones”) disclosed that it is cooperating with an investigation from the Securities and Exchange Commission (the “SEC”) related to the firm’s retention of employee electronic communications hosted on personal devices or unauthorized messaging platforms. This investigation demonstrates the SEC’s continued focus on investigating and enforcing compliance with federal recordkeeping regulations.

On March 10, 2023, Jones Financial Companies L.L.L.P. (“JFC”) disclosed in its annual report on Form 10-K that Edward Jones, JFC’s principle operating subsidiary, has been responding to SEC information requests related to the SEC’s ongoing investigation into recordkeeping compliance amongst broker-dealers, investment advisors, and other Wall Street financial institutions.¹ According to JFC, “[t]he investigation relates to retention of electronic communications stored on personal devices or messaging platforms that have not been approved by Edward Jones for business use by its employees.”² JFC stated that Edward Jones is cooperating with the investigation.

In order to promote compliance and support regulatory oversight, federal law imposes rigorous recordkeeping requirements on financial-market participants — which includes records of oral and written business communications. In the securities market, for example, SEC Rule 17a-4(b)(4) requires registered members, brokers, and dealers to preserve, for at least three years, original copies of all communications sent and received by the registrant that relate to its business.³ As for participants in the commodities and derivatives markets, the Commodities Exchange Act and its implementing regulations impose similar requirements on swap dealers and futures commission merchants (“FCMs”) to preserve all communications and records relating to their derivatives trading activities and business dealing in commodity interests.⁴ Entities covered by either regulatory scheme are expected to both ensure institutional-level compliance with recordkeeping requirements and maintain reasonable measures to supervise compliance amongst employees, or else risk facing enforcement actions.⁵

Typically, financial institutions have policies restricting business conversations to particular, monitored methods of communication. For many individuals, however, the availability of secure messaging applications and the convenience associated with communicating through text, WhatsApp, or other messaging applications on their personal device can be alluring. Institutions may be left exposed to regulatory risk when their staff develop a culture of leniency towards using such unapproved and unpreserved platforms. Though the threat posed by engaging in unmonitored business communications could seem benign, federal regulators rely on fulsome recordkeeping compliance to reliably fulfill their oversight responsibilities. According to the SEC, recordkeeping requirements “are an integral part of the investor protection function of the Commission, and other securities regulators, in that the preserved records are the primary means of monitoring compliance with applicable securities laws.”⁶

On September 27, 2022, the SEC simultaneously announced charges and settlements with 16 Wall Street firms related to alleged failures by the firms and their employees to maintain and preserve electronic communications.⁷ Specifically, the SEC said its investigation uncovered pervasive use of unsanctioned communications platforms, including the WhatsApp encrypted messaging application and other unapproved communications software hosted on personal devices by financial services workers to discuss and conduct business with internal personnel, broker-dealer customers, and other participants in the securities industry. The SEC reported that staff members at all levels of seniority were found to have regularly engaged in off-channel communication practices. According to the SEC, use of these unsanctioned communication platforms violated both federal law and many of the firms’ own communications and records retention policies.

Since communications sent and received on these platforms were generally not preserved, the SEC concluded that the firms likely deprived the SEC of records they were required to produce in connection with any SEC information request issued during the audited period.⁸ Although many firms did have policies prohibiting exactly the types of unapproved communications practices that were uncovered, the SEC concluded that they ultimately failed to implement a system sufficient to reasonably assure that institutional policies and federal regulations were being followed. The firms consented to civil monetary penalties cumulatively surpassing $1.1 billion, of which the median penalty was $125 million, and agreed to institute remedial supervisory measures. On the same day, the Commodity Futures Trading Commission (the “CFTC”) also announced settled charges with 11 swap dealers and FCMs — some of which were institutions also subject to the SEC action — for the same recordkeeping failures involving off-channel communication practices.⁹ The FCMs consented to similar remedial measures and civil monetary penalties totaling $711 million — the median penalty being $75 million.

The SEC’s investigation into Edward Jones represents the latest example of federal regulators’ dedication to curbing potential impediments to their ability to monitor and regulate financial markets and market participants. As CFTC Commissioner Goldsmith Romero sees it, “[t]hese cases shut down and bring transparency and public accountability to Wall Street’s pervasive and evasive bank practices that jeopardize market integrity and violate the law.”¹⁰ SEC leadership has likewise described recordkeeping requirements as “sacrosanct” and integral to maintaining public trust in the markets.¹¹ The U.S. Department of Justice has also weighed in, recently issuing an update to its Foreign Corrupt Practices Act Corporate Enforcement Policy to address ephemeral messaging¹² Given this rhetoric and the ubiquitous interest in off-channel messaging among federal authorities, the regulators’ investigative resolve is not likely to end anytime soon.

Additionally, in future investigations into other allegations of wrongdoing, federal regulators are likely to also inquire into the target company’s policies governing off-channel business communications and records preservation, as well as the company’s history of and mechanisms for enforcing those policies. Unsatisfactory answers not only risk drawing additional charges, but also jeopardizing potential settlements or resolutions with the agency — since the recordkeeping failure may undermine investigators’ confidence that they have the whole picture. The American public’s renewed interest in banking oversight and investigation may soon migrate towards securities and commodities sectors as well, which could result in an increased volume of regulatory audits and more opportunities for a “pop quiz” on the registrant’s recordkeeping measures.

In light of these trends, companies subject to SEC or CTFC regulations should consider reviewing their own communications policies and their effectiveness at ensuring compliant recordkeeping. The SEC, for its part, has promulgated a list of recommendations for potentially compliant policies. This list includes, among other things: (1) prohibiting the use of ephemeral messaging applications; (2) instituting procedures to monitor and retain business communications hosted on personal devices; and (3) deploying supervisory and security software on employees’ personal devices designed to identify and archive business communications hosted on the device.¹³ Companies might also consider instituting periodic imaging of all personal devices known to be used for business communications or investing in the development of messaging software tailored to meet the needs of its staff and customers while still facilitating compliant recordkeeping. However, even where a company successfully shepherds all business communications to its approved and monitored systems, the company must also ensure that their procedures for retaining those communications are compliant. Automatic deletion procedures for internal employee instant messaging platforms, for example, may expose companies to risk if not carefully calibrated to accord with federal law or any other preservation obligations that may arise.¹⁴

That said, many of the companies that have been charged by the SEC or CFTC did have policies on the books that expressly prohibited the very off-channel communications at issue. That the regulators charged the companies with failure to supervise nevertheless demonstrates that merely adopting policies which facially accord with federal law may not be enough to avoid federal regulators’ ire if the company’s culture and enforcement of those policies fail to produce substantial compliance. Companies should also consider maintaining detailed records of their enforcement history and disciplinary measures related to recordkeeping policies, as well as retaining outside consultants or auditors to conduct a periodic review into whether those procedures have successfully secured compliance, in practice, with both internal policies and federal law.

Finally, regulators have consistently encouraged registrants to “self-report and self-remediate any deficiencies” in their compliance with federal recordkeeping requirements.¹⁵ If widespread non-compliance is ultimately found, registrants should work closely with counsel to develop the necessary remedial measures and report their internal investigation to the appropriate authorities.

¹ Jones Financial Companies L.L.L.C., Annual Report (Form 10-K), at 68 (March 10, 2023).

² Id.

³ 17 C.F.R. § 240.17a-4(b)(4).

⁴ See, generally, 7 U.S.C. §§ 6g, 6s(f)(1)(B), 6s(g)(1), (3); 17 C.F.R. §§ 1.31, 1.35, 23.201(a), 23.202(a)(1), (b)(1).

⁵ See Section 15(b)(4)(E) of the Securities Exchange Act, codified at 15 U.S.C. § 78o(b)(4)(E) (making it unlawful to fail to reasonably supervise another person who commits a violations of the securities statutes and regulations); 17 C.F.R. § 23.602(a) (“[e]ach swap dealer and major swap participant shall establish and maintain a system to supervise, and shall diligently supervise, all activities relating to its business performed by its partners, members, officers, employees, and agents”).

⁶ Sec & Exch. Comm’n, Commission Guidance to Broker-Dealers on the Use of Electronic Storage Media under the Electronic Signatures in Global and National Commerce Act of 2000 with Respect to Rule 17a-4(f), 17 C.F.R. Part 241, Exchange Act Release No. 34-44238 (May 1, 2001).

⁷ Press Release, U.S. Sec & Exch. Comm’n, SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures, (Sept. 27, 2022), https://www.sec.gov/news/press-release/2022-174.

⁸ Rebecca Fike, Jake Beach, and Jacob Mathew, Don’t Forget the G: After Years of “Environmental” and “Social” Regulations and Enforcement, the SEC’s Recent Priorities Demonstrate a Focus on “Governance”, Vinson & Elkins Regulatory Roundup, Nov. 4, 2023, https://www.velaw.com/insights/dont-forget-the-g-after-years-of-environmental-and-social-regulations-and-enforcement-the-secs-recent-priorities-demonstrate-a-focus-on/.

⁹ Press Release, Commodity Futures Trading Comm’n, CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods (Sept. 27, 2022), https://www.cftc.gov/PressRoom/PressReleases/8599-22.

¹⁰ Christy Goldsmith Romero, Commodity Futures Trading Comm’n, Statement of Commissioner Christy Goldsmith Romero Regarding Holding Wall Street Accountable (Sept. 27, 2022), https://www.cftc.gov/PressRoom/SpeechesTestimony/romerostatement092722.

¹¹ Accord, supra note 7.

¹² Rebecca Fike, et al., Updated DOJ Guidance on Devices and Ephemeral Messaging, V&E White Collar Update, Mar. 16, 2023, https://www.velaw.com/insights/updated-doj-guidance-on-devices-and-ephemeral-messaging/.

¹³ See generally, Office of Compliance Inspections & Examinations, U.S. Sec & Exch. Comm’n, Observations from Investment Adviser Examinations Relating to Electronic Messaging, (Dec. 14, 2018), https://www.sec.gov/ocie/announcement/ocie-risk-alert-electronic-messaging.

¹⁴ See, generally, In re Google Play Store Antitrust Litig., No. 21-md-02981-JD (N.D. Cal. Mar. 28, 2023) (concluding that defendant’s policy of deleting all “one-on-one” communications hosted on its internal messaging platform after 24 hours breached its common law duty to preserve relevant, discoverable information in civil lawsuits because employees frequently used “one-on-one” communications to discuss business potentially related to the claims at issue).

¹⁵ Accord supra note 7.