Are Your Employees Talking Business on Their Personal Devices?
February 07, 2023
In September 2022, the U.S. Securities and Exchange Commission (“SEC”) reached settlements with 16 financial services firms totaling over a billion dollars related to investigations of off-channel communications (“O-C-C”), a term for business communications by employees, including the use of their personal devices, that are not captured by their firm’s established platforms.1
This has been a red flag in the broker-dealer community since at least December 2021.2 This article briefly summarizes these settlements and offers some practical recommendations to help proactively address any potential regulatory inquiries in this area.
Regulators Turn Up the Heat
Financial services firms and other businesses have faced significant challenges regarding monitoring and preserving employee communications. In 1997, the SEC established that all electronic communications, including personal emails, texts and chat room conversations, that are used for business communications are “books and records” and subject to SEC Rule 17a-4 and its requirements to retain, supervise and produce upon demand.3 Rule 204-2 of the Investment Advisers Act covers the same requirements for investment advisory firms.4
In the wake of mass work-from-home during the pandemic and with the growing acceptance of flexible remote work, the use of electronic communications on platforms such as WhatsApp, WeChat, Telegram and Signal has exploded, in part as a substitute for in-person communications. In October 2021, the SEC opened a broad inquiry with numerous financial institutions to determine how they were documenting and reviewing work-related communications on their employees’ personal devices in the pandemic era.5
The shoe dropped in December 2021 when the SEC6 and the Commodity Futures Trading Commission (“CFTC”)7 announced a $200 million settlement with a broker-dealer of a global financial institution for failing to preserve business-related text messages, despite the company having a policy that prohibited use of such communications. Employees at the firm often communicated about securities business matters on their personal devices, but those communications were not preserved as required by the federal securities laws and therefore could not be reviewed.8
Less than a year later, in September 2022, the SEC and the CFTC announced more charges based on failures by certain registered firms and their employees to maintain and preserve electronic communications.9, 10 The SEC charged 16 Wall Street firms, including registered broker-dealers and an affiliated investment advisor. The CFTC charged 11 Wall Street firms, including registered or provisionally registered swap dealers and registered futures commission merchants. The firms admitted to engaging in willful misconduct and agreed to pay fines to the SEC and CFTC totaling more than $1.8 billion and to implement improvements to their compliance policies and procedures.11, 12 As part of the settlements, the firms were required to retain an independent compliance consultant to conduct a comprehensive review related to O-C-C, assess the progress of the review under its internal audit function, and report its findings to the SEC.13
The O-C-C issue has spread like wildfire throughout the U.S. regulatory framework. In September 2022, the Department of Justice (DOJ) published the “Monaco Memorandum” that directed prosecutors, in evaluating corporate cooperation, to take into consideration whether the corporation “has implemented effective policies and procedures governing the use of personal devices and third party-messaging platforms to ensure that business-related electronic data and communications are preserved.”14 The corporation must be able to show, in connection with an investigation, that it has “instituted policies to ensure that it will be able to collect and provide to the government all non-privileged responsive documents relevant to the investigation, including work-related communications (e.g., texts, e-messages, or chats), and data contained on phones, tablets, or other devices that are used by its employees for business purposes.”15
The DOJ’s interest in O-C-C is significant because it potentially expands the need for all corporations to engage in preservation of all O-C-C and not just broker-dealers and investment advisors.
Practical Solutions for Regulatory Compliance
Any financial services or potentially at-risk corporations with outstanding subpoenas or regulatory inquiries from the DOJ, SEC, CFTC, Financial Industry Regulatory Authority (“FINRA”), or other regulators should check with legal counsel to see if O-C-C are within the scope of the inquiry so they can determine if any of the firm’s employee/custodians have any potentially responsive O-C-C. This will likely require discussions with the relevant employees and potentially even former employees. If it turns out that responsive, non-privileged O-C-C exist, they will likely need to be preserved, extracted, reviewed and produced – assuming the government or regulator has the appropriate authority to compel production of the O-C-C. Depending on the volume of communications, the firm may need to outsource the process to a consulting company familiar with collecting, transferring, hosting, and reviewing data from O-C-C devices and platforms.
Going forward, the firm must understand how its employees are currently communicating, how they wish to communicate in the future, and whether this desire is in line with senior management’s expectations. This process can be done in-house or with the help of consultants with financial services and enterprise technology expertise.
Conducting an Internal Review
To initiate an internal review or audit of O-C-C, the firm can start by reviewing the items raised in the recent SEC and CFTC settlements, which include the following:16, 17
- Policies and procedures regarding preservation;
- Training materials, including employee attestations regarding compliance;
- Surveillance and Supervision program measures related to preservation of electronic communications;
- Tracking of employee usage of any solutions;
- Measures used to prevent unauthorized communication methods;
- Surveillance routines for approved electronic channels are incorporated in the firm’s overall communications surveillance program; and
- Framework in place to address issues of non-compliance, including consequences that include compensation, promotion, and termination.
The SEC and CFTC are not going to tell a firm how exactly to conduct this review or even what the benchmarks are for each of the seven items listed above, but the list above does provide a high-level outline of what the review should entail.
The firm may also need to initiate a historical review of subpoenas/regulatory inquiries to see if it has a potential issue regarding O-C-C. The firm may be able to conduct a sample review, which can help it determine if further review is warranted. Ultimately, the firm’s historical review will enable it to consider whether to self-report to relevant regulators and/or engage in any remediation efforts.
More fundamentally, going forward the firm will need to decide if it is going to even allow employees to use chat and text applications to discuss business matters on personal devices. If so, the firm will need to utilize a technology-related solution that archives and manages such communications in accordance with relevant preservation and review requirements. Given the world today, it seems untenable to not allow some forms of O-C-C to become “on-channel,” or centrally preserved within the firm.
A consulting firm with financial services and enterprise technology expertise can assist with the internal review or audit; help benchmark the firm’s current state; offer practical solutions going forward; and bring the firm into full compliance.
For example, a consulting firm can help decide on the right technology solution for their specific business needs. Certain applications can be configured to delete messages as soon as they are read (ephemeral messages) or after a certain required time period (retention policy). Privacy considerations are also important. Certain applications use end-to-end encryption, but others are not encrypted. Lack of encryption could lead to data breaches, while encrypted messages can pose review challenges.
Given the choice between retaining a compliance consulting firm before or after a settlement with a regulator, most firms would opt for the former. Managing a consultant that you choose is much easier than managing the consultant a regulator forces you to choose. Being proactive with a compliance consulting firm can mitigate the risk of any potential government investigations and/or litigation.
Looking to the Future
The cat is out of the bag when it comes to the use of personal devices, and all corporations, not just regulated entities, should take heed and implement the technology, policies, and procedures to allow them to identify and produce all responsive communications. Based on the recent activity, regulators are expected to focus on O-C-C during exams and investigations and will likely continue to bring enforcement actions related to O-C-C (failure to maintain books and records) and, where warranted, potentially append them onto other enforcement charges (for example, Rule 10b-5 that targets securities fraud).18, 19 This is especially likely in heavily regulated industries.
In fact, the SEC’s Division of Examinations recently sent inquiries to certain investment funds and investment advisers regarding O-C-C.20 The SEC asked for organization charts and information about prior violations and remediation steps. And in November 2022, the SEC’s O-C-C probe reached into the private equity space.21
On top of the above, it is likely that DOJ will continue to focus on electronic communications and will likely expand its scope.22
The failure to preserve and failure to have and/or enforce relevant policies and procedures will be a roadblock to any corporation seeking credit for cooperation with the government.
There will always be new technologies and innovations related to communications. This requires companies, through compliance and supervision, to be vigilant in ensuring that they are properly reacting to these changes and effectively mitigating risk.
1: “SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures,” SEC.gov, (Sep. 27, 2022). https://www.sec.gov/news/press-release/2022-174.
2: Jason Sabot, “SEC Announces Investigations of Broker-Dealer Employee Communications on Personal Devices and Encourages Self-Reporting of Possible Violations,” LinkedIn, (Jan. 7, 2022). https://www.linkedin.com/pulse/sec-announces-investigations-broker-dealer-employee-personal-sabot?trk=articles_directory.
3: Gary Gensler, “Statement on Final Rule Amendments to Electronic Recordkeeping Requirements,” SEC.gov, (Oct. 12, 2022). https://www.sec.gov/news/statement/gensler-statement-electronic-recordkeeping-requirements-101222.
4: 17 CFR § 275.204-2.
5: Chris Prentice & Jody Godoy, “U.S. SEC opens inquiry into Wall Street banks' staff communications,” Reuters, (Oct. 12, 2021). https://www.reuters.com/legal/litigation/exclusive-us-sec-opens-inquiry-into-wall-street-banks-staff-communications-2021-10-12/.
6: “JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges,” SEC.gov, (Dec. 17, 2021). https://www.sec.gov/news/press-release/2021-262.
7: “CFTC Orders JPMorgan to Pay $75 Million for Widespread Use by Employees of Unapproved Communication Methods and Related Recordkeeping and Supervision Failures,” CFTC.gov, (Dec. 17, 2021). https://www.cftc.gov/PressRoom/PressReleases/8470-21.
9: SEC, supra note 2.
10: “CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods,” CFTC.gov, (Sep. 27, 2022). https://www.cftc.gov/PressRoom/PressReleases/8599-22.
11: SEC, supra note 2.
12: CFTC, supra note 10.
13: SEC, supra note 2.
14: Memorandum from The Deputy Attorney General on Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group to Assistant Attorney General, et al., U.S. Department of Justice – Office of the Deputy Attorney General (Sep. 15, 2022), https://www.justice.gov/opa/speech/file/1535301/download.
16: SEC, supra note 2.
17: CFTC, supra note 12.
18: SEC, supra note 2.
19: 17 C.F.R. § 240.10b-5.
20: Chris Prentice, “SEC Scrutiny into Wall Street communications shifts to investment funds – sources,” Reuters (Oct. 11, 2022), https://www.reuters.com/business/sec-scrutiny-into-wall-street-communications-widens-investment-funds-sources-2022-10-11/.
21: Manya Saini, “Major private equity firms become latest targets in SEC's communication probe”, Reuters (Nov. 9, 2022), https://www.reuters.com/legal/major-private-equity-firms-become-latest-targets-secs-communication-probe-2022-11-09/.
22: DOJ, supra note 14.