Key Takeaways

• HSBC Securities (USA) Inc. (HSBC) and Scotia Capital (USA) Inc. (Scotia Capital) paid a combined $37.5 million in fines to settle actions with the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) for violations arising from the firms’ failure to maintain and preserve employees’ business-related communications on personal devices.
• These enforcement actions follow years of increased regulator focus on employee use of personal devices as well as recent policy revisions by the Department of Justice (DOJ) concerning employees’ use of third-party messaging apps on personal devices.
• Employers should ensure that they maintain and consistently update policies and compliance procedures regarding record retention and the use of personal devices as regulators and prosecutors continue to focus on off-channel communications.

Background

The SEC and CFTC settlements with HSBC and Scotia Capital come after years of federal regulators’ and prosecutors’ steadily increasing scrutiny of off-channel communications. Anchoring these settlements are long-standing books and records requirements of the SEC and the CFTC regulating the maintenance and preservation of documents. Specifically, Section 17(a)(1) of the Securities Exchange Act of 1934 (the Exchange Act) authorizes the SEC to issue rules requiring broker-dealers to maintain and preserve records as necessary or appropriate in the public interest. The SEC adopted Rule 17a-4 pursuant to this authority, which, among other things, requires that broker-dealers preserve all communications received and all communications sent relating to the firm’s business.[1] Similarly, the Commodity Exchange Act (the CEA) requires registrants to “keep books and records of all activities related to its business as a swap dealer.”[2] Registrants are also required to “keep full, complete, and systemic records” of all swap activities, including “[r]ecords of each transaction.”[3]

In December 2021, the SEC and the CFTC imposed a combined total of $200 million in fines on JPMorgan Chase for the loss of work-related messages that were sent via apps on employees’ personal devices. The regulators stepped up their enforcement efforts the following year, and in September 2022, the SEC and the CFTC announced settlements with 11 major financial firms for a stunning combined total of $1.81 billion in fines in connection with the firms’ failure to maintain and preserve off-channel communications. This trend continued into 2023, as there were news reports that the SEC conducted a targeted sweep focused on private equity and hedge fund firms’ use of personal devices and on whether those communications were authorized or preserved. These reports prompted 10 financial industry trade associations to issue an open letter to SEC Chairman Gary Gensler in January of this year, criticizing the commission’s actions as exceeding the scope of the recordkeeping provisions of the Investment Advisers Act of 1940.[4]

The DOJ has also turned its attention to employees’ use of personal devices and ephemeral messaging apps. In a DOJ-wide memorandum issued in September 2022, Deputy Attorney General Lisa Monaco stated that the ubiquity of personal devices and the increased use of messaging platforms, including those that offer ephemeral and encrypted messaging, pose “significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation.” Monaco stated that when evaluating a corporation’s compliance program for purposes of a potential resolution with the department, prosecutors should consider whether there are effective policies and procedures in place to ensure business-related communications are preserved.

Further, under recent revisions to the Evaluation of Corporate Compliance Program guidelines, prosecutors will assess whether a company’s policies governing personal devices, electronic communications platforms and messaging apps are “tailored to the corporation’s risk profile and specific business needs” and whether “business-related electronic data and communications are accessible and amenable to preservation by the company.” Specifically, prosecutors will assess (1) what channels of communication are used or are authorized to be used to conduct business as well as the mechanisms the company uses to manage and preserve data within each of the channels; (2) the policies and procedures that allow companies to monitor, preserve and review business-related communications on personal devices; and (3) the risk management policies in place, including consequences for employees who refuse the company access to their business communications.

Emphasizing the DOJ’s focus on this issue and the need for employers to adopt robust compliance policies, in March of this year, Assistant Attorney General Kenneth Polite Jr. stated that “prosecutors will not simply accept a company’s inability to produce messages from third-party applications without adequate explanation.”

Recent Enforcement Actions

HSBC and Scotia Capital are the latest financial firms to pay penalties for violating the recordkeeping provisions of the Exchange Act. HSBC agreed to settle with the SEC and pay a $15 million fine, and Scotia Capital agreed to settle with the SEC and pay a $7.5 million fine. The press release regarding the settlements stated that there were “widespread and longstanding failures by both firms and their employees to maintain and preserve electronic communications,” but it noted that the penalties were reduced in consideration of the voluntary self-disclosure and remediation efforts undertaken by both firms. The CFTC separately settled with Scotia Capital and the Bank of Nova Scotia for $15 million, while its settlement with HSBC remains pending. As part of the SEC settlement, Scotia Capital and HSBC also agreed to “retain compliance consultants to, among other things, conduct comprehensive reviews of their policies and procedures relating to the retention of electronic communications found on personal devices and their [enforcement of such] policies and procedures.”

While both firms adopted policies that forbid the use of personal apps for business purposes, they allegedly failed to adequately implement enforcement mechanisms to ensure compliance with such policies. HSBC and Scotia Capital admitted that their employees used personal messaging apps for business purposes and failed to maintain internal controls to prevent such use. As a result, the majority of these communications were not maintained or preserved. As to Scotia Capital, the CFTC stated “some of the very same supervisory personnel responsible for ensuring compliance with the firms’ policies and procedures themselves used non-approved methods of communication to engage in business-related communications, in violation of firm policy.”

Conclusion

Federal regulators and prosecutors continue to focus on the unsanctioned use of off-channel communications, and this trend shows no signs of slowing. The use of personal devices exploded during the pandemic, and employees are still communicating on work-related matters through personal messaging apps and texts on personal devices despite company policies to the contrary. In light of the rise in the use of personal devices by employees and the increased attention from regulators and prosecutors to these communications, we can expect existing cases to gain speed and new actions to be initiated swiftly and aggressively.

Employers are well advised to adopt robust policies governing the use of personal devices and to have existing policies reviewed by outside counsel as the government continues to scrutinize off-channel communications. In addition, regulators have made clear they expect regular compliance with such policies in order for prosecutors to afford corporations cooperation credit. There is no single common approach to effective policies and procedures. Any program should meet applicable regulatory requirements, emphasize practicality, reflect the business needs of the corporation, and evidence meaningful training and enforcement. Finally, since the identification of potentially relevant chats, instant messages and texts implicates numerous technical and practical challenges, e-discovery counsel should be consulted when the need for preservation and collection arises.

[View source.]