On September 27, the Securities and Exchange Commission and Commodity Futures Trading Commission separately announced charges against an array of Wall Street firms for failing to preserve electronic communications as required by federal law. The firms collectively agreed to pay approximately $1.8 billion in civil penalties to resolve agency allegations that they had allowed their traders and other personnel to conduct business using third-party messaging platforms on their mobile devices. These enforcement actions follow similar agency settlements with other large Wall Street entities earlier this year.
Registered investment advisers and broker-dealers of all sizes should anticipate continued SEC and CFTC focus on the use of personal and ephemeral messaging platforms, not just from agency enforcement staff but also agency examination staff. Indeed, the SEC Examinations Division’s August 2022 review of its examination of over 450 advisers to municipal entities clearly showed that examination staff will consider the use of personal devices and personal messaging platforms to conduct business. Such increased scrutiny will surely be accompanied by an increase in enforcement referrals and actions.
Moreover, the SEC and CFTC are not alone in increasing their focus on the use of personal devices and third-party messaging platforms. In a memo to federal prosecutors in September, Deputy Attorney General Lisa Monaco directed Department of Justice prosecutors to consider companies’ policies and practices both when evaluating the effectiveness of corporate compliance programs in connection with potential criminal charges and when considering imposing ongoing obligations as part of corporate criminal resolutions. Reiterating this directive in a later speech, Monaco’s principal deputy said, “[h]owever a company chooses to address the use of personal devices or messaging platforms for business communications, the end result must be the same: companies need to prevent circumvention of compliance protocols through off-system activity, preserve all key data and communications, and have the capability to promptly produce that information for government investigations.”
In effect, these DOJ statements and the SEC’s and CFTC’s settlements may have created a standard of care for compliance in this area that SEC and CFTC examination staff could apply to both registered and unregistered entities of all sizes. To prepare for these heightened industry standards and increased civil and criminal enforcement risks, firms should ensure the existence of and employee adherence to clear and effective policies and procedures for the use of personal devices and third-party messaging platforms for business purposes to ensure appropriate preservation of any business-related data and communications. Further, firms should review and test their ability to retrieve appropriate electronic communications from backups, as well as consider whether additional data mapping is required to track approved communications to ensure access for compliance purposes.
Employee training will also be imperative, along with – as the DOJ has admonished – enforcement of company policies when violations are detected. Firms should review their training modules and employee attestations to ensure employees understand the risks associated with violating these rules.
Finally, it is critical that registered investment advisers, broker-dealers, and other registrants with exposure in this space work with counsel and consultants that can help develop effective policies and offer expertise and experience in acquiring and processing data from mobile devices, should doing so become necessary in response to regulatory or enforcement scrutiny.