Instant messaging apps—WhatsApp, Facebook Messenger, Snapchat, Telegram, Signal, and iMessage, to name just a few—have become ubiquitous in the 15 years since Apple released the first iPhone. Chances are that you have one or more of those apps on your phone right now. If you are in the financial services industry, beware. In October it was reported that the U.S. Securities and Exchange Commission’s recent investigation of broker-dealers for violation of regulations relating to use of personal messaging devices, such as WhatsApp—which resulted in over $1.8 billion in fines to 16 financial institutions—has broadened to include investment funds and advisers.
According to individuals familiar with the inquiry, the SEC has issued document requests and preservation notices to a number of investment funds and advisers relating to their policies regarding employee use of personal devices and messaging platforms. Under SEC Rule 204-2, every investment advisor registered or required to register with the SEC needs to follow certain record retention rules, including preserving originals of written communications.
In an effort to comply with SEC and FINRA recordkeeping requirements, financial institutions frequently require employees to communicate with each other and with clients exclusively through email and company-provided messaging programs, where messages can be monitored and preserved. The rise of remote work during the pandemic made enforcing personal device bans challenging, though the SEC’s investigation of broker-dealers did uncover pre-2020 violations.
Even as major banks and other financial institutions are leading a push to bring workers back to the office full time, employees at many financial institutions are still working from home at least a few days a week. Communication habits built while working from home may follow employees as they return to the office.
So too has the challenge of speaking to customers who may prefer to use apps like WhatsApp that for many are an easier and more immediate way to communicate. When employees receive work-related messages on their personal phones, some companies now require them to take a picture of the message and forward it to compliance for preservation.
The SEC’s focus on personal device usage underscores the importance of effective internal controls on the technology employees use to communicate about work. It is becoming rare for government investigations and civil litigation not to involve text messages and other messaging apps.
Preserving and collecting data on employee personal devices presents unique challenges. Unlike email data, which typically can be preserved and collected by an organization’s IT department without an employee’s knowledge or involvement, changing the retention settings on an employee’s mobile device or exporting messaging data typically requires the employee’s cooperation. An organization that does not have robust policies related to the use of personal devices may have a difficult time compelling employees to allow collection of data from their personal devices, especially if the employees see the potential for collection of their personal messaging data as an invasion of privacy.
In addition, mobile device software and instant messaging platforms are rapidly changing. For instance, Apple’s new iOS16 mobile operating system, which powers new iPhones, allows users to edit and unsend messages. Organizations and their counsel must stay abreast of these changes to effectively preserve and collect message data.
Collecting instant messaging data from applications like Slack and WhatsApp often requires use of third-party programs in addition to traditional e-discovery platforms. Counsel well-versed in the use of these programs can guide an organization to the solutions best suited for their particular scenario and can help ensure that document review costs are not needlessly inflated by reviewing thousands of messages in which employees talk about where to go to lunch.
Moreover, mobile device and instant messaging data have unique metadata, such as fields indicating that a message has been deleted. Engaging counsel who understand how to identify that metadata can give your litigation team an edge, while failing to adequately understand the unique aspects of mobile and instant messaging data can leave your team unprepared and see your witnesses taken by surprise in depositions.
Finally, failure to preserve and produce mobile and instant messaging data can, in extreme cases, lead to sanctions up to and including default.
A well-thought-out—and well-enforced—policy regarding personal device usage is a crucial first step in preventing expensive headaches for organizations and potentially intrusive searches for individual employees, especially in an industry as heavily-regulated as the financial services industry. But at the end of the day, there is no compliance measure that can stop an employee who wants to use a prohibited messaging device. In the event that employee messages do end up as the subject of a document request, engaging experienced counsel with expertise in the preservation, collection, and review of mobile device and instant messaging data can help your organization respond to the request effectively and efficiently.