Enforcement appears as messages disappear part II: Steep penalties imposed in personal messaging cases  

Eversheds Sutherland (US) LLP

On September 27, 2022, 15 broker-dealers and one investment adviser agreed to pay more than $1.8 billion in total civil penalties to the US Securities and Exchange Commission (SEC), and, for those same companies or affiliates acting as swap dealers and futures commission merchants, to the Commodity Futures Trading Commission (CFTC) for failing to maintain and preserve business-related communications on personal devices in violation of the recordkeeping and supervision requirements of the Securities Exchange Act of 1934, as amended, the Investment Advisers Act of 1940, as amended, and the Commodity Exchange Act, as amended, and related rules and regulations.[1]

As the regulators found in the settlements, the firms’ employees, including senior executives, engaged in business-related conversations with one another and with clients, counterparties, and brokers using text messaging applications, including third-party platforms such as WhatsApp and Signal, on their personal devices. According to the SEC, the firms did not “maintain or preserve the substantial majority of these off-channel communications.” In addition, the SEC alleged that the firms’ failures “likely deprived” the Commission of these off-channel communications in various investigations. The CFTC also alleged that, in some circumstances, the failure to capture required records resulted in records relevant to investigations not being produced to the government.[2]

To resolve the charges, the firms agreed to pay civil penalties ranging between $16 million and $225 million each. As part of the settlements, the firms also agreed to various compliance undertakings, such as retention of compliance consultants to review the firms’ recordkeeping practices, policies, and procedures related to the retention of electronic communications on their personal devices and an obligation to report to the government on a periodic basis on compliance with personal device recordkeeping policies and procedures.

These settlements stem from a risk-based investigation into whether broker-dealers, swap dealers, and other registrants were retaining business-related communications made on personal devices. In December 2021, the SEC and CFTC settled with a different firm that agreed to pay $200 million in civil penalties to resolve similar charges, which set the stage for these latest enforcement actions.[3] After those settlements were announced, some of the 16 financial institutions that are part of the most recent settlements disclosed that they were involved in the SEC’s investigation and could face civil penalties.

On September 23, 2022, the Financial Industry Regulatory Authority (FINRA) brought a similar case against a broker-dealer, its president/head of investment banking, and its director of research.[4] The broker-dealer agreed to a $1.5 million fine to resolve allegations that it had failed to preserve and reasonably supervise business-related text messages, which prevented FINRA from fully investigating two matters. According to the settlement, at least 24 employees, including the firm’s president and other senior management, texted about firm business on their personal devices and outside of the firm’s approved communications platforms.

* * *

If the December 2021 settlement was a warning shot to the industry, then these latest settlements are a full-scale attack. Issues surrounding the preservation and retention of messaging on personal devices and third-party applications remain at the forefront of regulators’ minds.

Firms should not breathe a sigh of relief because they escaped this round of enforcement actions. Instead, they should take this opportunity to reasonably ensure that they have functioning guidance and controls in place to properly retain and supervise all required business records and communications, including text messages, emails, and communications on other messaging platforms, whether on business or personal channels or devices. As SEC Deputy Director of Enforcement Sanjay Wadhwa stated, “The time is now to bolster your record retention processes and to fix issues that could result in similar future misconduct by firm personnel.”[5]

The increased use of personal devices will likely raise pervasive, ongoing issues, as work-from-home arrangements have become a widely accepted alternative to conducting business in traditional settings and are likely here to stay. It is crucial that companies address the attendant compliance risks by reviewing their own compliance and, where necessary, implementing policies and controls that are practical and enforceable. Companies that do not adopt and enforce such policies and controls expose themselves to allegations of failing to retain required records and failing to properly supervise employees.

Firms that review their own compliance may have to consider whether to self-report to the regulators. For example, broker-dealers may need to review FINRA Rule 4530(b), which requires firms to report violations of securities laws, rules, and regulations if they have “widespread or potential widespread impact to the member, its customers or the markets,” or if violations arose from “a material failure” of the firm’s “systems, policies or practices involving numerous customers, multiple errors or significant dollar amounts.”

Depending on an individual firm’s operations and circumstances, it may be able to prohibit the use of personal devices to conduct business; however, the ban must be supported by robust training, procedures, and surveillance. Here, the firms did maintain policies and procedures governing the use of personal email, chats, and applications—they prohibited them. But the regulators found that the firms violated the recordkeeping and supervision requirements because they did not monitor the implementation of or enforce those policies.

Given the potential difficulties of enforcing complete bans on the use of personal devices, companies may wish to explore alternatives to ensure they are equipped to retain and supervise these channels, as required. Measures could include, for instance, implementing enterprise versions of messaging platforms that are specifically designed for business use and allow companies to customize security and data retention settings.

Whatever approach a firm decides to take, however, senior leadership must clearly commit to complying with and enforcing the policies and procedures. The settlement actions noted that senior-level executives and employees were among those who violated the firms’ policies, and regulators are already focusing on holding individuals accountable on these issues. For example, in the FINRA action cited above, the firm president was sanctioned. Similarly, in August 2022, FINRA brought two nearly identical cases against individuals who engaged in business-related communications via text messaging on unauthorized personal devices.[6] In both cases, the firms maintained written supervisory procedures that provided that electronic business communications could only be transmitted through systems authorized and approved by the firm. The representatives’ use of unapproved channels to discuss business violated the firms’ policies and prevented the firms from preserving the text messages.

Advisory firms may want to pay particular heed to these issues. One of the latest enforcement actions illustrates that it is not just broker-dealers, but also investment advisers, that are in the SEC’s cross-hairs.[7] This enforcement action follows a National Exam Program Risk Alert that “remind[ed] advisers of their obligations when their personnel use electronic messaging[.]”[8] Thus, this action reinforces the need to review and improve as necessary recordkeeping practices across the entirety of a financial services complex, and not just for the brokerage business.

Lastly, it is worth noting that the SEC, CFTC, and FINRA are not the only enforcement agencies focused on the compliance risks associated with personal and ephemeral messaging, and that the need to preserve such communications extends beyond registrants subject to the recordkeeping and supervision requirements of federal securities and commodities laws. For example, earlier this month, the US Department of Justice issued new guidance on corporate criminal enforcement addressing, among other things, the importance of having policies and controls on the use of personal devices to engage in business communications.[9] Even companies that are not subject to express legal recordkeeping or supervision requirements are expected to have and enforce policies and procedures around conducting company business on personal devices. All corporations should consider taking proactive measures to mitigate compliance risks that can arise from employee use of personal devices.

____

[9] Deputy Attorney General Lisa O. Monaco, “Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group” US Dept. of Justice (Sept. 15, 2022).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising