In an increasingly digital world, financial firms need to be mindful of the variety of electronic communication channels that their employees use for work. Even where firms require employees to use firm-managed email networks to communicate electronically about business matters, employees may also use unapproved, or “off-channel,” messaging platforms, such as iMessage and WhatsApp, to communicate with each other or their clients. This development presents a host of risks for financial firms that do not maintain records of these communications or enforce policies designed to crack down on this practice.

Since 2021, the U.S. Securities and Exchange Commission (“SEC”) and U.S. Commodity Futures Trading Commission (“CFTC”) have brought and settled multiple enforcement actions against financial firms, arising from their employees’ use of these unapproved messaging platforms to communicate—both internally and externally—regarding firm business. The SEC and CFTC have taken the position that firms must keep these communications and failure to do so violates the record-keeping provisions of the Securities Exchange Act and Commodity Exchange Act and their implementing regulations. They have also claimed that the use of these off-channel communication methods for business purposes constitutes a failure to reasonably supervise firm personnel.

The SEC’s and CFTC’s enforcement efforts in this area show no signs of abating. On August 8, 2023, the SEC announced that it had settled record-keeping charges against ten firms in their capacity as broker-dealers and one dually registered broker-dealer and investment adviser for failing to maintain and preserve off-channel communications. It also settled charges that the firms had failed to reasonably supervise their employees’ compliance with firm policies relating to the use of these channels for business-related communications. The SEC press release stated the firms had agreed to pay combined penalties of $289 million and had taken steps to implement improvements to their compliance policies and procedures.¹ That same day, the CFTC announced that it had settled similar charges against swap dealer and futures commission merchant affiliates of four financial institutions, totaling $260 million in penalties.² To date, the SEC has brought 30 enforcement actions and ordered over $1.5 billion in penalties for similar record-keeping and failure to supervise violations,³ and the CFTC has brought actions relating to off-channel communications against 18 financial institutions and imposed over $1 billion in penalties.⁴

These recent enforcement actions demonstrate that the SEC and CFTC remain focused on efforts to circumvent record-keeping requirements.

And the message from regulators is clear: the failure to maintain all communications relating to a registrant’s business, and the failure to properly supervise employees’ compliance with company policies and procedures relating to how business matters are communicated, will result in enforcement actions and significant penalties. Indeed, the Director of the SEC’s Division of Enforcement, Gurbir S. Grewal, has called on firms who have not yet taken the necessary compliance steps to self-report potential violations and cooperate in any related investigations.⁵

Financial firms should be sure to consult with counsel when deciding whether to self-report potential record-keeping violations related to off-channel communications. In addition, to minimize the risk of enforcement, employers should ensure that they have clear policies regarding the use of personal devices for business-related communications that comply with applicable regulatory requirements. They should also provide training on those policies so that employees are aware of and understand them. Furthermore, they should have processes in place to monitor their employees’ compliance to protect against enforcement risk.
¹ https://www.sec.gov/news/press-release/2023-149.
² https://www.cftc.gov/PressRoom/PressReleases/8762-23.
³ https://www.sec.gov/news/press-release/2023-149.
⁴ https://www.cftc.gov/PressRoom/PressReleases/8762-23.
⁵ https://www.sec.gov/news/press-release/2023-149 (“‘Compliance with the books and records requirements of the federal securities laws is essential to investor protection and well-functioning markets. . . . So here are three takeaways for those firms who haven’t yet done so: self-report, cooperate and remediate. If you adopt that playbook, you’ll have a better outcome than if you wait for us to come calling.’”).