Recent U.S. enforcement actions and statements made by regulators reveal that issues related to the preservation and retention of messaging on personal devices and third-party applications will remain top-of-mind for regulators and enforcers. A recent series of high-profile fines, adopted and finalized policy changes, probes, and regulator warnings underscore the need for companies to review their compliance programs and policies to ensure they adequately and appropriately monitor and preserve all relevant business communications, and for compliance officers to proactively act to mitigate risk that can stem from employee use of personal devices or ephemeral messaging applications. To address these points, RANE spoke to Matthew Bernstein, Founder and Information Governance Strategist at Bernstein Data, for guidance.
What to know
On September 27, U.S. regulators fined 15 broker-dealers and one investment advisor a combined $1.8 billion in total civil penalties for failing to maintain and preserve businessrelated communications on personal devices in violation of federal recordkeeping and supervision requirements. The penalties for these financial firms – including Barclays, Bank of America, Citigroup, Credit Suisse, Goldman Sachs, Morgan Stanley, and UBS – ranged between $16 million and $225 million each and represented a landmark collective resolution for the U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC).
Employees at these firms, some of whom were senior executives, conducted business-related conversations using “off-channel” (unmonitored or unapproved) messaging applications, such as WhatsApp and Signal, on their personal devices and the firms did not, according to the settlements, “maintain or preserve the substantial majority of these off-channel communications.”
The SEC alleged that the firms’ failures “likely deprived” the SEC of communications in various investigations, and the CFTC also alleged that, in some circumstances, the failure to capture required records resulted in records relevant to investigations not being produced to the government.
While the settlements acknowledge that the firms had policies and procedures in place designed to ostensibly prevent employees from using unmonitored or unapproved messaging apps, the SEC and CFTC found that the firms failed to implement an effective system of review to ascertain that personnel were not using personal devices or prohibited communications channels. SEC Rule 17a-4(b)(4) requires that broker-dealers retain originals of all communications received and copies of all communications sent by the broker-dealer relating to its business for at least three years, specifically in an easily accessible place for the first two years. Meanwhile, CFTC-regulated entities must abide by the CFTC’s various recordkeeping and reporting requirements, which are narrower than the SEC rules, but impose a broad duty of supervision.
Significantly, one of the firms that settled is an SEC-registered investment advisor. This is notable because, while SEC rules require less expansive recordkeeping rules for money managers than brokerages, investment firms are still required to monitor business communications in order to avert improper conduct. More actions against investment advisors may be forthcoming, as the SEC’s enforcement unit has reportedly sent Recent U.S. enforcement actions and statements made by regulators reveal that issues related to the preservation and retention of messaging on personal devices and third-party applications will remain top-of-mind for regulators and enforcers. A recent series of high-profile fines, adopted
and finalized policy changes, probes, and regulator warnings underscore the need for companies to review their compliance programs and policies to ensure they adequately and appropriately monitor and preserve all relevant business communications, and for compliance officers to proactively act to mitigate risk that can stem from employee use of personal devices or ephemeral messaging applications. To address these points, RANE spoke to Matthew Bernstein, Founder and Information Governance Strategist at Bernstein Data, for guidance. www.ranenetwork.com | firstname.lastname@example.org inquiries to major funds and advisers asking for information about their protocols for offchannel business communications. The request asked these money managers for details on who at their firms oversees retention of electronic communications and information on policies and key staff whose texts and emails are supposed to be archived.
Securities filings on November 8th and 9th by major US private equity firms KKR & Co, Apollo Global Management, and Carlyle Group revealed that the SEC probe into how financial firms track employees’ digital communications has also expanded into private equity. The prominence of these asset managers signals that the SEC is escalating its push to investigate Wall Street’s electronic communication methods.
Relatedly, albeit on a smaller scale, on September 23, the U.S. Financial Industry Regulatory Authority (FINRA) brought a similar case against a broker-dealer, its president/head of investment banking, and its director of research. The brokerdealer agreed to a $1.5 million fine to resolve allegations that it had failed to preserve and reasonably supervise business-related text messages, which prevented FINRA from fully investigating two matters.
The SEC, CFTC, and FINRA are not the only enforcement agencies scrutinizing the risks associated with personal and ephemeral messaging. In a September 15 speech, Deputy U.S. Attorney General Lisa Monaco announced significant policy changes to the U.S. Department of Justice (DOJ) corporate enforcement strategy. Among other things, the new guidance, Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group, addresses the importance of having policies and controls on the use of personal devices to engage in business communications and emphasizes that in order to receive cooperation credit, corporations must have proper document preservation policies and procedures in place to timely preserve, collect, and disclose relevant documents located in the United States and overseas.
In her speech, DAG Monaco made clear that DOJ expects companies to do more to police themselves through investments in corporate compliance. In its evaluation of compliance programs, the DOJ will consider a corporation’s policies and procedures, training to employees, and enforcement regarding the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved — and subsequently collected during an investigation.
For companies being investigated by the DOJ, assisting the DOJ is typically necessary to gain cooperation credit and thereby avoid criminal prosecution or reduce the amount of a fine. Companies hoping to obtain cooperation credit are already required to report all relevant, nonprivileged facts about individual misconduct to the DOJ. DAG Monaco announced in her speech that the DOJ is going to “do more and move faster” in these cases, and that companies can maximize cooperation credit by self-disclosing individual misconduct in a thorough, transparent, and — importantly — timely manner. To this end, the aforementioned revised guidance requires companies to produce this material “swiftly and without delay,”— although it is not yet explicit what a “timely” production of facts and evidence means in practice — DOJ prosecutors will now consider the timeliness of the production of information, not just the production of materials alone, when determining whether and how much cooperation credit to allocate at the time of resolution.