Grabbing headlines with eye-popping settlements against some of the largest financial institutions, the US Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) announced on September 27 that affiliates of 11 firms[1] had agreed to pay regulators $1.82 billion in penalties for not preserving employees' business-related communications sent via personal mobile messaging apps and for supervision failures.[2] The settlements come on the heels of a $200 million settlement announced on December 17, 2021, putting the current total penalties at more than $2 billion.[3] The sweep is one of many issues that have come to the forefront in today's technology-dependent environment, and underscores the need for companies to revisit their recordkeeping and communications policies and practices, particularly as they transition to hybrid or fully remote models in the wake of the COVID-19 pandemic.

The settlements describe employees' pervasive use of messaging apps on their personal electronic devices, rather than traditional, monitored channels of communication, to send and receive business-related communications. Because these "off" channels were largely unmonitored by the firms, records of the communications were not maintained and archived pursuant to SEC and CFTC regulations. Specifically, Section 17(a)(1) of the Securities Exchange Act[4] authorizes the SEC to issue rules requiring broker-dealers to make, keep for prescribed periods, and furnish copies of such records as necessary or appropriate in the public interest. Pursuant to this authority, the SEC has promulgated rules[5] requiring broker-dealers to preserve for at least three years, in an easily accessible place, originals of all communications received and copies of all communications sent relating to the firm's "business as such."[6] Section 204 of the Investment Advisers Act and Rule 204-2(a)(7) also require investment advisers to preserve in an easily accessible place originals of all written communications received and copies of all written communications sent relating to, among other things, recommendations and advice.[7] The securities laws impose obligations for broker-dealers and investment advisers to reasonably supervise their employees with a view towards preventing or detecting violations of recordkeeping rules, among other rules.[8]

Similarly, the Commodity Exchange Act and CFTC regulations require registrants to "keep full, complete, and systematic records" of all transactions relating to their business of dealing in commodity interests and related cash or forward transactions (e.g., orders, confirmations, statements) and all documents on which trade information is originally recorded.[9] These include "[r]ecords of each transaction, including all documents on which transaction information is originally recorded," and "quotes, solicitations, bids, offers, trading, and prices that lead to the execution of a transaction" for transactions in a commodity interest or swaps.[10] In order to assure these recordkeeping requirements are adhered to, the Commodity Exchange Act and CFTC regulations require registrants to supervise their "partners, members, officers, employees, and agents."[11]

Although the settling financial institutions largely had policies in place prohibiting off-channel communications, the SEC and CFTC found that the institutions did not adequately monitor their employees' use of devices to ensure those policies were consistently followed. As a result, employees were found to have been communicating via private messaging apps (including personal text, WhatsApp, Signal, and Telegram), all means by which the financial institutions could not easily archive and produce communications in accordance with their recordkeeping obligations. This is partly because apps like WhatsApp and Signal use end-to-end encryption to relay calls, meaning that the only copies of the communications are stored locally on the user's device. Copies are not stored by the app services themselves. If these communications are subject to automated deletion protocols or employees do not give their employers access to their accounts, there is no reliable way to monitor and archive these channels.

The remedial steps agreed to by the financial institutions contain onerous undertakings. Specifically, the SEC settlement orders require each entity to retain a compliance consultant to perform a comprehensive compliance review and to have its internal audit function conduct a separate audit of remedial progress. Additionally, both the SEC and CFTC require the settling entities to report to the agencies any discipline imposed for two years on employees for violating recordkeeping policies and procedures relating to electronic communications.

There is no sign that the SEC or CFTC will stop here. Indeed, the SEC has affirmatively stated that its investigation remains ongoing, indicating that more waves of penalties are likely. In light of this, institutions subject to SEC and CFTC recordkeeping requirements need to reexamine their policies, procedures, and practices to ensure ongoing compliance and to remediate any recordkeeping shortfalls that may exist. A related and significant question is whether and the extent to which a regulated entity presently involved in an investigation needs to determine and address use of off-channel communications through employees' personal devices. This also raises the prospect of whether a regulated entity should consider self-reporting any discovered violations of the recordkeeping requirements. At a minimum, we expect that future investigations that uncover this issue will result in additional charges for recordkeeping and supervision violations, in addition to whatever substantive charge may be at the heart of the investigation.

It is fair to assume that the use of personal devices for work-related purposes has increased dramatically as a result of the pandemic and the consequent rise of fully remote and hybrid work environments. The need to monitor employees' off-channel business communications is not limited to entities within the jurisdiction of the SEC or CFTC. Indeed, this point has been brought home by the recent memorandum issued by Deputy Attorney General Lisa Monaco,[12] which noted the "significant corporate compliance risks" to companies' ability to monitor and recover relevant data from the ubiquity of personal devices. Prosecutors investigating corporate crimes have been instructed to "consider whether a corporation seeking cooperation credit in connection with an investigation has instituted policies to ensure that it will be able to collect and provide to the government all non-privileged responsive documents relevant to the investigation, including work-related communications (e.g., texts, e-messages, or chats), and data contained on phones, tablets, or other devices that are used by its employees for business purposes."[13] The Department of Justice's Criminal Division has been instructed to study best corporate practices regarding use of personal devices and third-party messaging platforms and is expected to incorporate its findings and recommendations in the next edition of its Evaluation of Corporate Compliance Programs.

The pervasive use of personal devices is here to stay, and so too are government investigations into such use. Firms will need to identify, internally and externally, those with experience handling these matters to best position themselves to address such investigations and remediate to prevent ongoing issues.

Footnotes

1 The settling institutions were Bank of America, N.A., BofA Securities, Inc., and Merrill Lynch, Pierce, Fenner & Smith Incorporated; Barclays Bank, PLC, and Barclays Capital Inc.; Cantor Fitzgerald & Company; Credit Suisse International and Credit Suisse Securities (USA) LLC; Citibank, N.A., Citigroup Energy Inc., and Citigroup Global Markets Inc.; Deutsche Bank AG, Deutsche Bank Securities Inc., DWS Distributors Inc., and DWS Investment Management Americas, Inc.; Goldman Sachs & Co. LLC, f/k/a Goldman, Sachs & Co.; Jefferies LLC and Jefferies Financial Services, Inc.; Morgan Stanley & Co. LLC, Morgan Stanley Smith Barney LLC, Morgan Stanley Capital Services LLC, Morgan Stanley Capital Group Inc., and Morgan Stanley Bank, N.A.; Nomura Global Financial Products, Inc., Nomura Securities International Inc., and Nomura International PLC; UBS AG; UBS Financial Services Inc., and UBS Securities LLC.

Steptoe and Johnson LLP is working with one of these institutions in this matter.

2 SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures, SEC Release No. 2022-174 (Sept. 27, 2022), https://www.sec.gov/news/press-release/2022-174; CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods, CFTC Release No. 8599-22 (Sept. 27, 2022), https://www.cftc.gov/PressRoom/PressReleases/8599-22.

3 JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges, SEC (Dec. 17, 2021), https://www.sec.gov/news/press-release/2021-262; CFTC Orders JPMorgan to Pay $75 Million for Widespread Use by Employees of Unapproved Communication Methods and Related Recordkeeping and Supervision Failures, CFTC (Dec. 17, 2021), https://www.cftc.gov/PressRoom/PressReleases/8470-21.

4 15 U.S.C. § 78q(a).

5 See SEC Rule 17a-4(b)(4), 17 C.F.R. §240.17a-4(b)(4).

6 Id.

7 See 15 U.S.C. § 80b-4; 17 CFR § 275.204-2(a)(7).

8 15 U.S.C. § 78o(b)(4)(E); 15 U.S.C. § 80b-3(e)(6).

9 17 C.F.R. §§ 23.201(a); CFTC Rule 1.35(a)(1)(i); 23.201(a) and 23.202(a); 17 C.F.R. § 1.34(a)(1); Commodity Exchange Act, 7 U.S.C. § 6g; 7 U.S.C. §§ 6s(f)(1)(C); 7 U.S.C. § 6s(g)(1), (3) (requiring swaps dealers to keep daily trading and counterparty records).

10 Id.; see also 17 C.F.R. § 1.35(a)(5) (requiring records be "kept in a form and manner that allows for the identification of a particular transaction"); 17 C.F.R. § 1.31(b)(4) (requiring registrants keep books and records in a "readily accessible" manner for specific periods of time); 17 C.F.R. § 1.31(d); 17 C.F.R. § 23.203(b)(1).

11 7 U.S.C. §6s(h)(1)(B); 17 C.F.R. §§ 23.602(a), CFTC Rule 166.3.

12 Deputy Attorney General Lisa Monaco, Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group, DOJ (Sept. 15, 2022), https://www.justice.gov/opa/speech/file/1535301/download.

13 Id.
