Recent disclosures by several of the world’s largest financial institutions indicate that the Securities and Exchange Commission’s (SEC) and Commodity Futures Trading Commission’s (CFTC) scrutiny of the use of unapproved messaging platforms for business communications continues across the industry. This follows these agencies’ recent enforcement actions against a broker-dealer subsidiary of a major U.S. financial institution, accompanied by the “invitation” to other industry participants to self-disclose their own use of personal devices for business purposes, without mention of any potential safe harbor or cooperation credit.
The SEC’s and CFTC’s willingness to bring enforcement actions based solely on underlying violations of records retention rules signals a more aggressive near-term enforcement posture in this space. Given the prevalence of personal (and ephemeral) messaging platforms and the rigors of statutory and regulatory requirements such as those found in the Exchange Act and the SEC’s Compliance Rule, this more aggressive posture further underscores the critical importance for the broker-dealer and investment adviser community of ensuring the adequacy and effectiveness of recordkeeping policies and procedures and otherwise continuing to take measures to strengthen compliance programs.
Records retention practices related to the intersection of business communications and personal messaging applications will soon feature in SEC examinations, more formal enforcement investigations, and even in whistleblower claims. Leveraging the lessons of recent enforcement activity and agency guidance regarding compliance with recordkeeping requirements will enable firms to adjust their compliance programs to mitigate this heightened enforcement risk.
Industrywide Scrutiny and Additional Enforcement Risk
Any hope that the SEC’s and CFTC’s recent enforcement actions based on use of personal messaging platforms—including personal text messages, WhatsApp messages, and personal emails—to communicate about business matters might be a one-off has proven to be misplaced. A series of recent disclosures by a number of global financial institutions indicates that the SEC and CFTC have contacted these firms about their use of unapproved messaging systems or that these firms have proactively initiated their own reviews. While the ultimate outcome of this enforcement scrutiny is uncertain, its breadth signals the SEC’s and CFTC’s appetite for additional enforcement actions based on similar violations and also has implications beyond the messaging-related investigations themselves.
For example, entities currently subject to the terms of a deferred- or nonprosecution agreement, as well as entities facing Department of Justice (DOJ) scrutiny for matters entirely unrelated to recordkeeping, may be questioned by the DOJ about whether they have implemented “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.” Failures of the sort identified by the SEC and CFTC in their current enforcement initiative could heighten enforcement risk from other agencies. And if the use of personal messaging occurs in connection with suspect trading patterns or other suspicious conduct, it may considerably expand that risk.
Opportunities to Identify and Close Compliance Gaps
Financial firms should anticipate that the SEC and CFTC will continue to focus on appropriate recordkeeping in examinations and, as may now become more likely following recent enforcement actions and disclosures by other industry participants, in response to whistleblower complaints. In addition, a firm’s ability to demonstrate acquisition and retention of electronic communications from diverse sources may also arise in the context of regulatory investigations, including in response to subpoenas and in connection with investigative testimony.
This renewed enforcement focus on the surveillance, retention, and retrieval of electronic communications provides opportunities for firms to revisit current practices and to consider whether additional mitigation may be appropriate. Among other things, firms should:
- Review their bring your own device (BYOD) policies and user acknowledgements to ensure that the firm’s ability to monitor, obtain, retain, and review communications is clear and in compliance with applicable U.S. and foreign laws, as appropriate.
- Review the firm’s acceptable use policy or similar user-facing policies to ensure they make clear that firm information is firm property (regardless of where it is stored) and therefore must be accessible to the firm.
- Review applicable agreements with third-party messaging service providers as well as their surveillance and storage capabilities and configurations to be sure these providers are retaining communications in a format that can be monitored, retrieved, archived, and backed up compatibly with the firm’s other technology resources.
- Review and test the firm’s ability to retrieve the various approved electronic communications from backups.
- Consider whether additional data mapping may be helpful to ensure that the firm has identified all approved electronic communications and that these are accessible for purposes of regulatory compliance.
- Review training modules to ensure employees understand stated policies and procedures for limitations on the use of personal electronic communications and the monitoring, retention, and potential uses of those electronic communications.
- Review employee attestation and disciplinary policies to ensure employees both attest to their compliance and understand the sanctions for noncompliance.
- Consider implementing or enhancing an audit, review, or follow-up mechanism to verify that firm supervisors are ensuring compliance with stated policies and procedures.
- Review the firm’s ability to assess emerging electronic communications platforms that may be attractive to employees and its process for considering and approving or preventing such communication methods.
Use of personal devices and messaging platforms for business purposes is both convenient and ubiquitous. While federal agencies recognize the compliance challenges posed by these practices, as evidenced by their guidance, the SEC’s and CFTC’s recent activities—including their recently settled enforcement actions and their reportedly ongoing investigations of similar conduct at other institutions—nevertheless demonstrate that firms may be held accountable for the use of unapproved electronic communications by employees in the ordinary course of business.
Although compliance challenges associated with identifying unapproved communications and assessing new technologies will persist, proactive assessment and mitigation of issues related to the surveillance, retention, and retrieval of electronic communications will pay dividends in limiting enforcement risk.