Forthcoming settlements with Morgan Stanley and Bank of America and reported settlement discussions with Citigroup and Goldman Sachs are the latest developments in U.S. financial regulators’ industry-wide investigation into the use of text messages, chat applications, and personal mobile devices to conduct business.  The settlements appear likely to find each firm paying the same $200 million to the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC”) that JPMorgan paid in December 2021 in connection with the same probe.[1]  When the JPMorgan settlement was announced, the U.S. regulatory agencies noted their ongoing investigation and warned of additional enforcement actions in the future; it appears the time has come.

Notably, though, financial institutions are not only facing scrutiny from U.S. regulators—the concern is global.  According to media reports, both Germany’s BaFin and the U.K.’s Financial Conduct Authority (“FCA”) are monitoring the use of personal devices and private messaging apps by bank employees to conduct business.[2]  In particular, BaFin has requested information from Deutsche Bank about the use of WhatsApp and personal email accounts following indications of improper use by senior executives.[3]  And, the FCA has warned since at least early last year that the use of WhatsApp and similar platforms presented “significant compliance risks” (particularly with employees working remotely) and cautioned that the use of such apps would “remain an area of focus.”[4]

Retention Policies Are Not Enough

Many companies—including the financial institutions targeted by the U.S. regulators’ probe—have policies prohibiting the use of unapproved communication methods and devices that are not subject to retention policies, but merely having such policies in place is insufficient.  Whether and how those policies are enforced is a crucial factor in determining whether an organization will face fines or other punishment.  Both the SEC and CFTC emphasized that JPMorgan had policies in place that expressly prohibited the use of personal email accounts and messaging applications for business purposes.[5]  Yet, according to the government, JPMorgan failed to monitor, review, and archive communications via such channels.  The government’s enforcement actions underscore the importance of not only having comprehensive policies that cover all communications channels, but also knowing what your employees are actually doing and implementing a follow-up and review system to ensure employees follow recordkeeping and communications policies.  These circumstances also reflect the need for effective training for employees in the first instance.

Time To Get Prepared

As evidenced by the hefty fines already levied and the further fines anticipated, regulators mean business here.  And regulators’ concern is not just pro forma accountability and compliance; they have explicitly stated that firms’ failures in this area have delayed and compromised federal investigations.[6]

The regulatory enforcement landscape has evolved, and the status quo will likely not suffice for many organizations.  Regulated financial institutions are in the cross-hairs for the moment, but other industries and entities may soon find themselves subject to similar scrutiny by other regulators, state attorneys general, or private plaintiffs.  And courts in various jurisdictions have been sympathetic to the notion that companies must preserve and collect business communications and data located on employees’ personal mobile devices.[7]  

The need for well-developed and appropriately tailored information governance policies—and enforcement of those policies—is more important than ever for all businesses in all industries.  Even recently enacted policies may need to be updated following the shift away from traditional office settings to remote work during the pandemic.  All companies should take active measures to reduce the risk of noncompliance, including revisiting their training and oversight processes.

Redgrave LLP Is Here To Help

Redgrave LLP can help navigate this changing global regulatory environment.  Our team’s unique blend of legal and technical knowledge and skill can assist your organization with developing response and mitigation strategies related to mobile devices, messaging apps, and records management obligations.  We can also advise organizations on implementing proactive initiatives to get ahead of the curve, including the following initiatives and more:

  • Investigating the use patterns and risk exposures to the organization from unmanaged or poorly managed mobile device data and messaging applications;
  • Updating employee training to reflect current use cases and new technologies (not just email and standard messaging applications, but also collaboration tools like Slack or Teams and ephemeral messaging apps like Snapchat);
  • Conducting regular audits of high-risk departments or positions[8];
  • Reviewing and strengthening record retention, information security, acceptable use, and business communication policies;
  • Building a comprehensive overarching information governance program, including processes for periodic audit and continual oversight; and
  • Developing and implementing effective training regarding information governance, including mobile device and application usage policies.

The Firm offers an extraordinary depth of experience in all facets of information governance, including records retention, data privacy, and defensible data disposition.  We help clients develop robust governance structures and modernize existing programs to keep pace with the rapid evolution and adoption of new technologies, along with the changing legal and regulatory landscape.  Our affiliate, Redgrave Education & Training, Inc., also offers customized employee training solutions tailored to today’s mobile workforce and designed to improve effectiveness.

Please contact your Redgrave LLP point of contact or any of our leads for Information Governance (Chris King or Jonathan Redgrave) to discuss how our team of skilled professionals can assist your organization with information governance strategies related to mobile devices and chat applications.  


[1] See In the Matter of J.P. Morgan Sec. LLC Respondent., Release No. 93807 (Dec. 17, 2021), available at https://www.sec.gov/litigation/admin/2021/34-93807.pdf [hereinafter “SEC Order”]; In the Matter of JPMorgan Chase Bank, N.A., J.P. Morgan Securities LLC, and J.P. Morgan Securities Plc, Respondents, CFTC Docket No. 22-07 (Dec. 17, 2021), available at https://www.cftc.gov/media/6836/enfjpmorganchasebankorder121721/download [hereinafter “CFTC Order”].

[2] See Owen Walker, Arash Massoudi, and Stephen Morris, Deutsche Bank Installs App on Bankers’ Phones to Track Private Messages, The Financial Times Limited (June 17, 2022, https://www.ft.com/content/79475094-11da-43ca-ab1e-6951b241594a); Owen Walker, HSBC Dismisses Trader Over Personal Messages to Client: Banker is Latest to Lose Job in Crackdown on Private Messaging, The Financial Times Limited (June 15, 2022, https://www.ft.com/content/4da0da94-3be5-40a0-abad-113396d443f9)

[3] See Steven Arons, Deutsche Bank Gets WhatsApp Information Request From Regulator, Bloomberg (May 15, 2022, https://www.bloomberg.com/news/articles/2022-05-16/deutsche-bank-gets-whatsapp-information-request-from-regulator)

[4] See Recording Telephone Conversations and Electronic Communications, Market Watch 66 (January 2021 Newsletter, https://www.fca.org.uk/publications/newsletters/market-watch-66)

[5] SEC Order, supra, at ¶¶ 13–18; CFTC Order at *4.

[6] See Speech from Gurbir S. Grewal, Director, Division of Enforcement, PLI Broker/Dealer Regulation and Enforcement 2021, SEC (Oct. 6, 2021, https://www.sec.gov/news/speech/grewal-pli-broker-dealer-regulation-and-enforcement-100621); SEC Order, supra, at ¶¶ 32–34.

[7] See, e.g., La Belle v. Barclays Cap. Inc., 2022 WL 121065 (S.D.N.Y. Jan. 13, 2022) (finding defendant had a duty to search for relevant text messages on employees’ personal cell phones); Klipsch Grp., Inc. v. ePRO E-Com. Ltd., 880 F.3d 620 (2d Cir. 2018) (affirming lower court’s finding that defendant was required to permit discovery into employee’s personal email and messaging accounts where accounts included work email signatures and were used for business purposes).

[8] In recent months, regulators have reportedly sent lists of dozens of key positions, including heads of investment banking teams and trading desks, whose devices should be reviewed for use of unauthorized messaging apps. See Matt Robinson, Hannah Levitt, and Jennifer Surane, US Pries Into Over 100 Trader and Banker Phones in Texting Probe, Businessweek (May 18, 2022, https://www.bloomberg.com/news/articles/2022-05-18/us-pries-into-over-100-trader-and-banker-phones-in-texting-probe)