Over the last several years, the Securities and Exchange Commission (“SEC”) has been laser-focused on the use of so-called “off-channel communications” in the financial services industry. On the theory that employees’ use of personal devices and platforms (such as WhatsApp) to communicate about business violates the “books and records” requirements applicable to financial institutions, the regulator has conducted intrusive and extensive investigations. To respond to the SEC, many companies have required employees to have their personal cell phones copied and reviewed.
The sweep began with large broker-dealers, resulting in more than $1.1 billion in fines in September 2022 against sixteen entities. The SEC then moved on to smaller broker-dealers, settling with another eleven institutions in August 2023 for a combined $289 million. In February 2024, sixteen firms settled with the SEC and collectively paid $81 million in fines.
Although many of these fines have been against entities that are dually registered as broker-dealers and investment advisers, or investment advisers affiliated with broker-dealers, the SEC has not yet announced a multiple-entity round of settlements aimed exclusively at registered investment advisers unaffiliated with any broker-dealer, such as many hedge funds and private equity firms. The books and records rule applicable to investment advisers is narrower than the rule that covers broker-dealers, leading many observers to speculate that the SEC recognizes it does not have the same authority to impose large fines against investment advisers. However, in a recent development that may indicate much more activity to come, the SEC announced a settlement with a single entity operating solely as an investment adviser.
On April 3, 2024, the SEC announced a settlement with an investment adviser resolving violations stemming from employees’ off-channel communications. The firm had policies and procedures prohibiting off-channel communication “for any business purpose.” The order filed in connection with the settlement states that — despite this company policy — employees, including senior officers, sent and received thousands of business-related messages. “Numerous” of those messages related to matters within the scope of Advisers Act books and records provision, Rule 204-2(a)(7), according to the order, and thus were required to be preserved, including communications concerning investment recommendations made or proposed to be made and advice given or proposed to be given about securities. The order also referenced that three of the senior employees had auto-delete activated on their personal devices, which the SEC asserted prevented the firm and the SEC from quantifying the actual number and subject matter of all off-channel communications. This conduct amounted to both recordkeeping and failure to supervise violations, according to the order.
This settlement suggests that even if messages fall outside the contours of the SEC’s investment adviser recordkeeping rule, the SEC may nonetheless lodge failure to supervise claims if policies and procedures called for the retention of a broader swath of business-related communications that were not captured. The firm was fined $6.5 million for these violations. As with prior settlements, the SEC required that the firm engage a compliance consultant to undertake a remedial review and issue recommendations.
Also on April 3, 2024, the SEC’s Deputy Director of Enforcement, Sanjay Wadhwa, made remarks at a conference about five factors the SEC considers when assessing civil penalties in connection with off-channel communication matters:
- The size of the firm, determined by reviewing the firm’s revenues from regulated parts of the business to ensure the size of the penalty is adequately tailored to deter future violations;
- The scope of the violations, including the number of individuals communicating off-channel and the number of off-channel communications, with the caveat that the SEC’s sampling review of individuals and messages prevents strict correlation between these numbers and the size of penalties;
- The firm’s efforts to comply with recordkeeping obligations and prevent off-channel communications, including by timely adopting meaningful technological or other solutions;
- Prior settlement precedent, used as a non-determinative guide; and
- Whether the firm self-reported and cooperated with the SEC.
Deputy Director Wadhwa noted that self-reporting “is the factor most likely to significantly lower the penalty we recommend.”
Public reports and SEC filings by several of the largest private equity firms have confirmed that these institutions are in the process of responding to SEC inquiries relating to off-channel communications. As such, a round of settlements involving larger institutions may be on the horizon.
There are steps private equity firms can take now to prepare for an SEC inquiry relating to off-channel communications. According to SEC Enforcement Director Gurbir Grewal, firms should “self-report, cooperate and remediate. If you adopt that playbook, you’ll have a better outcome than if you wait for us to come calling.”
Self-Reporting: The SEC has repeatedly insisted that self-reporting firms have received preferential treatment. In the most recent round of settlements, a self-reporting firm paid a $1.25 million fine, while the next lowest fine was $8 million. As such, firms should consider performing an internal review and self-reporting if violations are identified.
Remediation, Policies and Procedures, Monitoring, and Training: If a firm becomes aware of violations, it should remediate by, at minimum, taking steps to ingest into its systems whatever business-related communications remain available on off-channel devices and platforms such as WhatsApp. Regardless of whether remediation is required, firms should revisit their policies and procedures to ensure they adequately address this subject and clearly reflect lessons learned from this regulatory sweep. SEC settlement orders have underscored the importance of firms proactively reviewing past requests for information or subpoenas to ensure that all relevant communications on personal phones or off-channel platforms have been captured and produced, if responsive. Settlement orders have also underscored the importance of compliance on a going-forward basis. As such, firms should ensure technological solutions are in place to not only collect business-related communications, but also to monitor them for “red flags” that may signal non-compliance with firm policies. Finally, it is critical that employees are properly trained on this subject, and firms should establish a disciplinary policy in the event of non-compliance.
Cooperation: Responding to SEC inquiries in this matter has presented unique challenges as it often requires the collection and review of the contents of employees’ personal devices, which invokes privacy concerns. It is important to pursue this process in a manner that both exhibits full cooperation with the SEC as well as sensitivity to employees’ privacy interests. Firms can begin proactively thinking about what approach would make sense for them and their employees if an inquiry is made.
As this subject remains a central focus of the SEC’s regulatory agenda, firms should consult with counsel to address the issues raised by the SEC’s ongoing investigation of off-channel communications. Taking proactive steps stands not only to bolster the strength of a firm’s compliance program, but also to improve the firm’s standing in the eyes of the SEC if it does “come calling.”