By: Matthew Cowherd
U.S. regulators continue to focus on enforcing record retention requirements for non-email electronic communications. These “off-channel communications” include internal and external messages sent via text on personal and company devices, as well as platforms such as WhatsApp and WeChat.
On September 24, 2024, The Securities and Exchange Commission (SEC) announced charges against 12 firms, including broker-dealers, investment advisers, and one dual-registered firm, for failing to maintain and preserve electronic communications in violation of federal securities recordkeeping laws. The firms admitted to these violations and agreed to pay a combined $88.2 million in civil penalties, while also committing to improve compliance practices. Notably, Qatalyst, which self-reported its violations and made substantial compliance efforts, received no penalties. Two other firms, Canaccord and Regions, also self-reported and faced reduced penalties. The SEC found widespread use of unapproved communication methods by firm personnel, including senior management, which hindered the SEC’s ability to investigate. All firms were ordered to cease future violations, with 10 required to hire compliance consultants to review their communication retention policies. The Commodity Futures Trading Commission (CFTC) also settled a related case with the Canadian Imperial Bank of Commerce.
Earlier in the month, on September 3, 2024, the SEC charged six nationally recognized statistical rating organizations (NRSROs) for not maintaining and preserving electronic communications, which violated federal securities recordkeeping laws. The firms admitted to these violations and agreed to pay over $49 million in combined civil penalties. Moody’s and S&P Global Ratings each paid $20 million, Fitch paid $8 million, while HR Ratings, A.M. Best, and Demotech paid smaller penalties. Most of these firms must now hire a compliance consultant.
BACKGROUND:
The SEC’s most recent charges against the broker-dealers and investment advisers alleged that the use of these off-channel communications were a "widespread and longstanding failure” among the firms’ employees, even those at senior levels. The firms were each charged with failure to maintain and preserve electronic communications in violation of recordkeeping provisions of either the Securities Exchange Act, or the Investment Advisers Act, or both (Section 17(a) of the Exchange Act and Rule 17a-4(b)(4) thereunder, and Section 204 of the Advisers Act and Rule 204-2(a)(7) thereunder).
The SEC’s charges earlier in September against the NRSROs alleged that employees at various seniority levels discussed credit rating activities via text message and on non-work messaging apps, like WhatsApp, without saving those electronic messages in violation of Section 17(a)(1) of the Exchange Act and Rule 17g-2(b)(7) thereunder. The NRSROs admitted the facts set forth in their respective SEC orders, including that their conduct violated recordkeeping provisions of the federal securities laws. The orders further required the NRSROs to implement improvements to their compliance policies and procedures to address these violations. Four of the six NRSROs charged were required to retain an outside compliance consultant. (A.M. Best and Demotech were excepted from this requirement as they “engaged in significant efforts to comply with the recordkeeping requirements relatively early as registered credit rating agencies and otherwise cooperated with the SEC’s investigations.”)
KEY IMPLICATIONS:
These recent actions are a continuation of U.S. financial regulators’ investigations and enforcement actions over the last three years related to the use of text messages, chat applications, and personal mobile devices for “off-channel communications” to conduct business. Since 2021, the SEC has investigated regulated financial institutions for business-related communications subject to books and records retention requirements through platforms that are not monitored or firm-approved, resulting in fines totaling over $2 billion for failure to maintain and preserve electronic communications.
CONSIDERATIONS FOR THE FUTURE:
Recent actions have been initiated by the SEC and the CFTC, but companies in other regulated industries should be wary. While regulated financial institutions are in the hot seat presently, companies in other industries may be subject to similar scrutiny by regulators, state attorneys general, or private plaintiffs. Given the proliferation of these “off-channel communications” and their potential probative value in lawsuits, it is highly recommended that companies in all industries have robust mobile data policies that address the use, retention, and ability to preserve, collect, and produce such communications. It is also important to ensure that employees understand the risks of communicating regarding business-related matters on a personal device and the preservation and discovery obligations related to those communications.
The bottom line is that all companies in all industries would be wise to proactively manage and be able to preserve—where there is a duty preserve arising from regulatory requirements or reasonably anticipated litigation or governmental investigation—relevant business-related employee communications via text or any other messaging application on personal and company-owned mobile devices. Even if regulatory enforcement is not a significant concern in your industry, a well-developed and appropriately tailored information governance policy is the first step in defending against and complying with discovery requests in civil litigation and regulatory proceedings. Having the right policies in place alone is not enough—actual enforcement of the policy up and down the company’s hierarchy is important for compliance and defensibility.
For more information on implementing proactive initiatives to get ahead of the curve and developing robust governance structures to keep pace with the rapid evolution and adoption of new technologies, along with the changing legal and regulatory landscape, please contact the author, Matthew Cowherd. You can also reach our Information Governance team by contacting Christopher King and Diana Fasching.