In Law360, Litigation & Enforcement Team Discuss the SEC’s Crackdown on Employee Use of Messaging Apps

In The News
October 6, 2022

In a Law360 article, litigation and enforcement partner Ryan Rohlfsen and associate Genieva DePass examined the recent enforcement actions of the SEC related to electronic communications, including text-based messages and platforms, at financial institutions.

The authors noted the U.S. Securities and Exchange Commission (SEC), Department of Justice (DOJ) and other regulators are focused on corporate and employee use of mobile device messaging platforms, and firms should expect that regulators will continue to scrutinize policies and procedures that govern electronic communications during routine examinations, voluntary requests, and potential future enforcement actions.

The DOJ has also focused its attention on issues related to the preservation of message-based communications and platforms. Failure to preserve relevant text messages, including by failing to put in place or enforce adequate policies addressing such matters, can result in sanctions and adverse jury instructions.

Firms should have appropriate frameworks to address any noncompliant behavior, including exploration of additional technological safeguards, said the authors.

# # # # #

On Sept. 27, the U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission announced a combined $1.8 billion settlement with 15 broker-dealers and one affiliated investment adviser for their failure to preserve employees' communications on unauthorized messaging apps, in violation of federal securities laws.[1]

This landmark settlement follows the SEC's multiyear risk-based initiative to investigate the use of personal mobile devices and other unmonitored, off-channel communication platforms at financial firms, including WhatsApp, WeChat and Signal.[2]

The SEC determined that, from January 2018 through September 2021, the subject firms failed to maintain the routine communications of its employees, including senior executives and management, regarding business matters using unauthorized text messaging applications on their personal devices.[3]

The SEC found that these firms violated the record-keeping requirements under Section 17(a)(1) of the Exchange Act, and Rule 17a-4(b)(4) thereunder, and failed to reasonably supervise its employees as required under Section 15(b)(4)(E) of the Exchange Act.[4]

The SEC suggested that off-channel communications were not hidden from the firm, as managing directors and supervisors — "the very people responsible for implementing and ensuring compliance" with policies and procedures — used personal devices to communicate about firm business.[5]

These recent enforcement actions further demonstrate that the SEC and other government regulators are cracking down on the books and records requirements, regardless of the method and form of communication.

Recordkeeping requirements are core to the Commission's enforcement and examination programs and when firms fail to comply with them, ... they directly undermine our ability to protect investors and preserve market integrity.[6]

Firms should expect that the SEC and other regulators will continue to scrutinize policies and procedures that govern electronic communications, including text-based messages and platforms, during routine examinations, voluntary requests, and potential future enforcement actions.

Businesses outside these SEC regulations should also take notice. There has been a rapid expansion of the use of electronic communications as a primary method of communicating in businesses, especially in the wake of the remote-work environments and travel restrictions during the COVID-19 pandemic.[7]

Parties to federal litigation may serve requests for any documents or electronically stored information in the responding party's possession, custody or control, and some courts have found that companies have possession, custody or control over employees' business-related text messages sent or received over personal devices in certain circumstances.[8]

Failure to preserve relevant text messages, including by failing to put in place or enforce adequate policies addressing such matters, can result in sanctions and adverse jury instructions.[9]

The U.S. Department of Justice has also focused its attention on issues related to the preservation of message-based communications and platforms.

In 2019, the DOJ revised provisions of the Foreign Corrupt Practices Act corporate enforcement policy relating to the criteria for cooperation credit to now require retention of business records and implementation of "appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms" for companies to obtain full cooperation credit.

On Sept. 15, Deputy Attorney General Lisa Monaco announced important changes to the DOJ's approach to corporate criminal enforcement, including by implementing a combination of incentives and deterrents to "make the business case for responsible corporate behavior" and shifting the burden of corporate financial penalties away from shareholders.

A memorandum accompanying Monaco's announcement indicated that, as part of these efforts, the Criminal Division is studying best corporate practices regarding the use of personal devices and third-party messaging platforms.[10]

The SEC, DOJ and other regulators are clearly focused on corporate and employee use of mobile device messaging platforms.

Here are some key items for companies to consider in addressing this issue.

Policies and Procedures

Companies should closely examine their policies and procedures addressing message retention, bringing your own device, and the use of personal devices and third-party messaging platforms.

Companies should examine limiting employee business communications to platforms with archival systems and confirm that they can collect and provide to the government all nonprivileged responsive documents relevant to an investigation, including work-related communications — e.g., texts, e-messages or chats — and data contained on phones, tablets or other devices that are used by its employees for business purposes.

Companies under SEC regulation should ensure that employee communications are preserved and maintained in compliance with the record-keeping requirements under the Exchange Act.

Training

Policies without adequate training will likely be viewed as insufficient by the enforcers. Companies should focus on training to evaluate whether employees fully understand relevant corporate policies, including around message retention and corporate access, as well as the risks facing the company for failing to comply.

Companies should consider requiring quarterly certifications whereby employees demonstrate that they are in compliance with preservation requirements in addition to annual compliance attestations.

Testing

The government is increasingly expecting companies to monitor and audit effectiveness of training on device and data policies, as well as the ability to collect such data as required.

Enforcement

Company employees will continue to communicate with colleagues and clients via text-based platforms. However, how and where they communicate are the focus of government inquiries. Violations of company policies and procedures on these issues should be investigated and come with tangible consequences.

Firms should have appropriate frameworks to address any noncompliant behavior, including exploration of additional technological safeguards.