Recent Enforcement Action
The requirement that financial firms preserve books and records is nothing new. But how do such firms keep track of employees’ communications on applications like Signal or WhatsApp? Those apps can enable users to automatically delete communications after a certain amount of time has elapsed. The use of so-called ephemeral communications was at the heart of the regulators’ recent groundbreaking $1.8 billion settlement involving some of the biggest names on Wall Street.[1] This settlement came on the heels of an SEC enforcement action for JP Morgan’s recordkeeping failures involving the same types of communications.[2]
The SEC and other agencies have become increasingly concerned about apps that allow for ephemeral messaging. These apps complicate discovery and investigations, raising issues of spoliation and failure to preserve records. As early as December 14, 2018, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert outlining the compliance challenges and risks of investment advisers using their personal phones, messaging applications, and various other forms of communications for business purposes.[3]
Focus on Funds and Registered Investment Advisers
The SEC’s scrutiny of ephemeral message recordkeeping has previously been aimed mostly at broker-dealers, despite the 2018 Risk Alert. But yesterday Reuters reported that the SEC is conducting a sweep of investment funds and registered investment advisers.[4] The SEC reportedly has asked funds and advisers to preserve records about their policies and procedures for off-channel business communications. And it has also asked firms to provide information on such policies and procedures, according to Reuters.
How to Comply?
These apps raise challenging compliance issues. How is a firm to ensure that it is capturing all business communications engaged in by its employees through these third-party apps?
It is essential to have policies and procedures in place designed to capture such data. But simply having policies and procedures is not enough; the policies and procedures must be followed. Firms should establish training, testing, and enforcement relating to the policies and procedures. Agencies will ask what companies are doing to address message retention, monitor the use of personal devices, and keep track of the messaging platforms used for interpersonal company communications and communications outside of the company.
RIAs can comply by preparing a list of approved communication platforms (which must be monitored if used for business communications); get quarterly attestations from employees; and educate employees regarding appropriate business communications and the consequences, including termination and referral to regulators, for violations of the policies.
FOOTNOTES
[1] SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures (Sept. 27, 2022), available at https://www.sec.gov/news/press-release/2022-174
[2] JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges (Dec. 17, 2021), available at https://www.sec.gov/news/press-release/2021-262
[3] SEC.gov | Observations from Investment Adviser Examinations Relating to Electronic Messaging
[4] https://www.reuters.com/business/sec-scrutiny-into-wall-street-communications-widens-investment-funds-sources-2022-10-11/
Julia Hood also contributed to this article.