Introduction
On 7 February 2023, the U.S. Securities and Exchange Commission (SEC) Division of Examinations (the Division) released it 2023 examination priorities. As expected, the Division’s priorities highlight areas that were the subject of 2022 rulemaking or Division of Enforcement initiatives, including recordkeeping and supervisory programs related to business-related electronic communication.1 As the 2023 SEC examination period begins, alongside continuing SEC sweep examinations into electronic communication and record keeping,2 firms should be on alert for compliance with communication policies and be prepared to demonstrate an effective and robust recordkeeping program.
The Division’s examination of recordkeeping for electronic communication follows a series of well-publicized enforcement actions by both the SEC and Commodity Futures Trading Commission (CFTC) against major financial institutions for failing to implement and maintain proper controls for business-related communication. Starting with a December 2021 settlement for US$200 million, and carrying through to late September 2022 settlements with 15 major financial institutions, the SEC and CFTC have sent a clear message that regulated entities must comply with recordkeeping requirements.3 SEC Chair Gary Gensler stated last fall that the SEC was only just getting started in its enforcement efforts and that companies should expect substantial penalties to come from record retention enforcement actions.4
This alert recaps the recent government actions relating to electronic recordkeeping, identifies the types of off-channel communication regulators are targeting, and offers tips on how firms can best stay out of the SEC and CFTC’s crosshairs for failing to monitor and retain off-channel communication.
Applicable Agency Rules
Broker-dealers are subject to record retention requirements enumerated in Exchange Act Rule 17a-4 (Rule 17a-4)5 and investment advisers are subject to record retention requirements set forth in Advisers Act Rule 204-2 (Rule 204-2).6 Additionally, Sections 4g and 4s of the Commodity Exchange Act, and the regulations implemented thereto, require that swap dealers and other CFTC registrants retain comprehensive records of their business-related communication.7
These requirements apply to all business-related communications that fall into one or more of the categories of records that are required to be maintained under the applicable rule. For the past two decades, business communication has largely taken place over email or company-maintained messaging services, where longstanding technology has been capable of capturing and retaining such records. Notably, preservation of business email became standard practice following actions brought by the SEC in the early 2000s as email communication became the norm.8 As communication practices have evolved with technology, aided in part by the rise of messaging platforms during pandemic-era remote work, the SEC has been clear that the same recordkeeping requirements apply to off-channel communication, including ephemeral messaging platforms such as WhatsApp and social media messaging services, as well as personal email and text-messaging.
Regulated entities must also be aware of the requirement to supervise their employees to prevent or detect violations of applicable laws and regulations.9 As the recent enforcement actions indicate, failures to implement procedures and preserve communications will also likely result in additional violations for failure to properly supervise employees.10
Sending the Message: Recent Enforcement Actions and Inquiries
The first signal that the SEC and CFTC were serious about enforcing record retention requirements for off-channel communication came in December 2021. The SEC and CFTC resolved charges against a major Wall Street firm, resulting in a combined penalty of US$200 million for “widespread and longstanding failures by the firm and its employees to maintain and preserve” business-related communication occurring over text message, WhatsApp, and personal email accounts.11 After the settled charges were announced, Gensler noted the importance of recordkeeping requirements, particularly in light of ever-evolving technology.12
Then, on 27 September 2022, the SEC and CFTC announced a group of settled enforcement actions, involving charges against 15 high-profile broker dealers and one investment advisor and a total of US$1.1 billion in penalties.13 The charges centered on the firms’ respective failures to implement and maintain proper controls for business-related communications, including monitoring and retaining business-related communication conducted over “off-channel” mediums.
The September 2022 charges closely mirrored those alleged in the previous December 2021 settlement. In the September 2022 orders, the regulators focused on the following facts:
-
The widespread and pervasive use of unrecorded business-related communication conducted through “off-channel” mediums, including text messages, personal email, WhatsApp, and Signal.
-
The existence of record retention policies and procedures that were not followed, enforced, or reviewed.
-
Management and supervisors tasked with enforcing policies and procedures related to record retention and off-channel communication violated such policies and procedures themselves.
In addition to civil money penalties, each of the firms subject to the September 2022 orders were required to, among other things, retain an independent consultant to review and report on policies, procedures, training, and other implemented measures related to the preservation of electronic communication and the use of unauthorized communication channels.14
While the SEC has not announced additional charges or settlements since last fall, reports indicate investigations of electronic communication retention practices are in full swing. In November 2022, three large private equity firms disclosed in quarterly filings they were responding to SEC inquiries into their business-related messaging. At the start of February, two hedge funds disclosed that the SEC had asked to review the mobile phones of certain employees for off-channel business communication.15 A French bank also recently announced the SEC asked for information related to “compliance with recordkeeping requirements in connection with business-related communications on messaging platforms that were not approved by the firm[.]”16
Scope of the Applicable Requirements
The recent enforcement actions reiterate the SEC and CFTC’s long-standing positions that not all employee personal text or email, WhatsApp, Signal, or other off-channel communications must be preserved. Instead, regulators are focused on ensuring the preservation of all records that are required to be maintained under applicable law, which capture certain off-channel business-related communications between colleagues, clients, broker-dealer customers, and other persons connected to securities, commodities, or swaps-related businesses.17
While the SEC and CFTC have refrained from specifically defining “business-related,” the SEC has interpreted the term as including communication related to investment strategies and discussions of client meetings. The agency has also taken issue with communication related to the “market, analysis, activity trends or events.”18 In the Deutsche Bank order, the SEC specifically noted that a senior investment banker “sent and received a substantial number of off-channel text messages” about, among other things, “market color, analysis, activity trends or events in the technology industry[,]” and identified such communication as that which should have been preserved.19
Firms should be mindful that the content of the communication, not the medium used, is determinative of whether retention requirements apply. In an adopting release of Rule 17a-4, the SEC noted that “the content of the electronic communication is determinative” when deciding whether it relates to a broker-dealer’s business and should be retained.20 This guidance remains particularly relevant as communication technology shifts to new platforms, where both business and personal communication regularly occur.
What Is Next and How to Prepare:
It is clear the SEC is just getting started. Following actions targeting major financial firms, communication and record retention practices at smaller entities are likely to be next in line. In a speech delivered on 2 November 2022, Gensler projected the use of “sweeps, initiatives, and undertakings” to actively enforce federal record retention requirements, putting firms of all sizes on notice of the SEC’s enforcement focus.21 Penalties from such initiatives are also likely to be substantial. In announcing the SEC’s Fiscal Year 2022 Enforcement Results on 15 November 2022, the SEC noted it had “recalibrated penalties” for certain violations, and pointed to the cumulative US$1.235 billion in penalties from recordkeeping violations as an example of ensuring such penalties are “not just a cost of doing business.”22
Moving forward, in light of the regulators’ renewed focus and evolving uses of technology, regulated entities should consider whether existing practices and procedures address the issues emphasized by the SEC and CFTC in the recent enforcement proceedings. Practices and procedures regulated entities may wish to consider include:
-
Institute and/or evaluate current and prior policies pertaining to electronic records preservation and the use of communication channels. Among other things, such policies should address permitted (and prohibited) communication channels, types of communications permitted on approved channels, record retention requirements, and supervision. Policies should be clear that any business-related communications through employees’ personal devices, if permitted, are subject to firm policies. Policies should be periodically analyzed to confirm they are being followed, enforced, and are effective. Firms should also consider requiring their employees to certify compliance with such policies quarterly.
-
Conduct routine employee trainings, including initial and annual training, regarding the firm’s policies and procedures regarding electronic communications and proper use of electronic communications, including electronic communication preservation and the use of personal text and email, WhatsApp, Signal, and other off-channel mediums to discuss business-related matters. Firms should consider making these trainings mandatory for all employees.
-
Institute technological measures that preserve and flag off-channel communication, or prohibit the download or use of certain applications where message retention is not possible. Such measures may include surveillance of tracked communications, such as firm email accounts, for indications that employees may be taking business-related communications into an unmonitored medium.
-
Issue company-owned phones or company-managed phones through which employees can message others about business-related matters. Such communication should be preserved. Additionally, companies should require that only business-related communication is occurring over company-owned or managed phones.
-
Firm policies should include a clear statement that violation of the policy can result in serious disciplinary actions, including fines and termination of employment. Moreover, firms should be ready to take strong disciplinary action when violations of the policies are discovered. In fact, one firm subject to the SEC’s September 2022 settlements announced it had fined certain employees up to US$1 million for off-channel business communication.23 Disciplining employees that violate policies can effectively deter future violations and demonstrate to regulators that the firm is serious about following record retention laws and regulations. Firms should also consider self-reporting recordkeeping violations, which the SEC encouraged in one recent action.24
FOOTNOTES
1 U.S. Sec. & Exch. Comm’n, 2023 Examination Priorities, available here; see also Hayley Trahan-Liptak & Anna L’Hommedieu, United States: SEC Division of Examinations Announces Examination Priorities, K&L GATES (Feb. 7, 2023), available here.
2 Jessica Corso, SEC Chair Gensler Warns Of Further WhatsApp Sweeps, LAW360 (Nov. 2, 2022).
3 Notably, FINRA has also brought cases related to electronic communications failures. See, e.g., Fin. Indus. Regul. Auth., Letter of Acceptance, Waiver, and Consent, No. 2020066674001 (noting respondent failed to establish, maintain, and enforce a reasonable supervisory system with respect to the review of electronic communications), available here.
4 Corso, supra note 2.
5 Rule 17a-4, among other things, requires broker-dealers to “preserve in an easily accessible place originals of all communications received and copies of all communications sent relating to the firm’s business as such.” See also In re Morgan Stanley & Co. LLC & Morgan Stanley Smith Barney LLC, SEC Release No. 34-95924 (Sept. 27, 2022) (settled order), ¶¶ 11–12, available here; 17 C.F.R. § 240.17a-4(b)(4).
6 Rule 204-2 requires, among other things, “that investment advisers preserve in an easily accessible place originals of all communications received and copies of all written communications sent relating to, among other things, any recommendation made or proposed to be made and any advice given or proposed to be given.” See also In re Deutsche Bank Sec. Inc., DWS Inv. Mgmt. Ams., Inc., & DWS Distribs., Inc. SEC Release No. 34-95928 (Sept. 27, 2022) (settled order), ¶ 13, available here; 17 C.F.R. § 275.204-2(a)(7).
7 See 7 U.S.C. § 6g; see also id. § 6s(f)(1)(C); 17 C.F.R. §§ 1.31(b)(4), 1.35(a)(1), 23.201(a), 23.202(a)(1), (b)(1); In re Barclays Bank PLC & Barclays Cap. Inc., CFTC No. 22-39 (Sept. 27, 2022), at 4–6.
8 See, e.g., In re Deutsche Bank Sec., Inc., Goldman, Sachs & Co., Morgan Stanley & Co. Inc., Salomon Smith Barnkey Inc., & U.S. Bankcorp Piper Jaffray Inc., SEC Release No. 34-46937 (Dec. 3, 2002) (settled order), available here.
9 See 7 U.S.C. § 6s(h)(1)(B); see also 15 U.S.C. §§ 78o(b)(4)(E), 80b–3(e)(6); 17 C.F.R. §§ 23.602(a), 166.3.
10 In re Deutsche Bank Sec. Inc., DWS Inv. Mgmt. Ams., Inc., & DWS Distribs., Inc., SEC Release No. 34-95928 (Sept. 27, 2022) (settled order), ¶¶ 30–31, available here; In re Barclays Bank PLC & Barclays Cap. Inc., CFTC No. 22-39 (Sept. 27, 2022), at 6–8.
11 Press Release, U.S. Sec. & Exch. Comm’n, JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges, (Dec. 17, 2021), available here; see also Press Release, Commodity Futures Trading Comm’n, CFTC Orders JPMorgan to Pay $75 Million for Widespread Use by Employees of Unapproved Communication Methods and Related Recordkeeping and Supervision Failures, (Dec. 17, 2021), available here.
12 Press Release, U.S. Sec. & Exch. Comm’n, JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges, (Dec. 17, 2021), available here.
13 Press Release, U.S. Sec. & Exch. Comm’n, SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures, (Sept. 27, 2022), available here; Press Release, Commodity Futures Trading Comm’n, CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods, (Sept. 27, 2022), available here.
14 See, e.g., In re Morgan Stanley & Co. LLC & Morgan Stanley Smith Barney LLC, SEC Release No. 34-95924 (Sept. 27, 2022) (settled order), at 6–10, available here; see also Press Release, U.S. Sec. & Exch. Comm’n, SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures, (Sept. 27, 2022), available here; Press Release, Commodity Futures Trading Comm’n, CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods (Sept. 27, 2022), available here.
15 SEC asks big hedge funds for employee phone review - Bloomberg News, REUTERS (Feb. 2, 2023), available here.
16 Societe Generale drawn by U.S. SEC into its widening messaging probe, REUTERS (Feb. 8, 2023), available here.
17 See, e.g., In re Morgan Stanley & Co. LLC & Morgan Stanley Smith Barney LLC, SEC Release No. 34-95924 (Sept. 27, 2022) (settled order), at 4, available here; see also, e.g., In re Credit Suisse Sec. (USA) LLC, SEC Release No. 34-95926 (Sept. 27. 2022) (settled order), at 4, available here; In re Barclays Bank PLC & Barclays Capital Inc., CFTC No. 22-39 (Sept. 27, 2022), at 2–3; In re Citibank, N.A.; Citigroup Energy Inc.; & Citigroup Glob. Mkts. Inc., CFTC No. 22-46 (Sept. 27, 2022), at 2, 4.
18 In re Cantor Fitzgerald & Co., SEC Release No. 34-95927 (Sept. 27, 2022) (settled order), at 4, available here; see also In re Nomura Sec. Int’l, Inc., SEC Release No. 34-95925 (Sept. 27, 2022) (settled order), at 4, available here.
19 In re Deutsche Bank Sec. Inc., DWS Inv. Mgmt. Ams., Inc., & DWS Distributors, Inc., SEC Release No. 34-95928 (Sept. 27, 2022) (settled order), ¶ 24, available here.
20 See Reporting Requirements for Brokers or Dealers under the Securities Exchange Act of 1934, Rel. No. 34-38245 (Feb. 5, 1997), available here.
21 Corso, supra note 2. Additionally, it is also likely questions related to off-channel business-related communication and retention will become an increasing focus of SEC exams.
22 Press Release, U.S. Sec. & Exch. Comm’n, SEC Announces Enforcement Results for FY22 (Nov. 15, 2022), available here; see also Keri E. Riemer et al., United States: A Record Year: SEC FY 2022 Enforcement Actions Bring Big Penalties, K&L GATES (Nov. 16, 2022), available here.
23 Josh Mitchell, Morgan Stanley Fines Bankers Up to $1 Million for Chat-App Use, WALL ST. J. (Jan. 26, 2023), available here.
24 See In re Barclays Cap. Inc., SEC Release No. 34-95919 (Sept. 27, 2022) (settled order), ¶ 29, available here.