By Diana Psarras and Jordan Blumenthal

When federal regulators unveiled a $200 million settlement with JPMorgan Chase in December 2021, they warned that the announcement did not mark the end of their investigation into other financial firms’ similar failures to preserve business communications exchanged via apps on employees’ personal devices.[1]  In September 2022 and May 2023, regulators kept their word, announcing additional settlements with over a dozen other entities and fines totaling almost $2 billion, and press releases noted that the investigation was still ongoing.  That threat again came to fruition last month.  On August 8, 2023, the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC”) announced another $549 million in fines as part of settlements with affiliates of 11 more financial institutions.[2]

All these actions relate to employees’ pervasive use of personal devices and unapproved methods of communication—including apps like iMessage, WhatsApp, and Signal—to conduct the business of their employers.  Often despite firms’ existing policies and procedures to prevent these “off-channel” communications, messages and records were not preserved.  In fact, top-level executives and supervisors were among those found to have committed violations.

If the multi-year investigation resulting in 48 enforcement actions and over $2.5 billion in fines has not sent a clear enough message, the CFTC’s Director of Enforcement laid it out plainly when announcing the latest settlements last month: “The Commission’s message could not be more clear—recordkeeping and supervision requirements are fundamental, and registrants that fail to comply with these core regulatory obligations do so at their own peril.”[3]  Even after these latest enforcement actions, officials at the SEC noted that their efforts to compel compliance with recordkeeping requirements will continue.[4]

The Issue Is Not Going Away

Echoing previous statements, regulators also made clear last month that any firms that have not yet heeded their message would do well to remediate any concerns on their own initiative, rather than waiting for federal regulators to “come calling.”[5]

For those firms that have already settled with regulators, remediation included the mandatory retention of independent compliance consultants to conduct comprehensive reviews of relevant policies and procedures, including frameworks for addressing employee non-compliance.

But such check-ups are an important proactive measure, too.  Financial firms that haven’t yet found themselves under the federal microscope should obviously take note.  Beyond the finance industry, though, the lessons learned here should be noted by all businesses in all industries.

Redgrave LLP Can Help

Redgrave LLP can help navigate this changing global regulatory environment.  Our team’s unique blend of legal and technical knowledge and skill can assist your organization in developing response and mitigation strategies related to mobile devices, messaging apps, and records management obligations.

Even if regulatory enforcement is not a major concern in your industry, a well-developed and appropriately tailored information governance policy is the first step in defending against and complying with discovery requests in civil litigation and regulatory proceedings.  And, importantly, having the right policies in place is not enough—actual enforcement of the policy up and down the company’s hierarchy is essential.  An unfollowed or ignored policy can simultaneously establish awareness and lack of care, and can therefore be worse than no policy at all.

We can advise organizations on implementing proactive initiatives to get ahead of the curve, including the following and more:

  • Investigating the use patterns and risk exposures to the organization from unmanaged or poorly managed mobile device data and messaging applications, including on employees’ personal devices;
  • Updating employee training to reflect current use cases and new technologies (not just email and standard messaging applications, but also collaboration tools like Slack or Teams and ephemeral messaging apps like Snapchat);
  • Conducting regular audits of high-risk departments or positions;
  • Reviewing and strengthening record retention, information security, acceptable use, and business communication policies, including “Bring Your Own Device” or “BYOD” policies;
  • Building a comprehensive overarching information governance program, including processes for periodic audit and continual oversight; and
  • Developing and implementing effective training regarding information governance, including mobile device and application usage policies.

Redgrave LLP offers an extraordinary depth of experience in all facets of information governance, including records retention, data privacy, and defensible data disposition.  We help clients develop robust governance structures and modernize existing programs to keep pace with the rapid evolution and adoption of new technologies, along with the changing legal and regulatory landscape.  Our affiliate, Redgrave Education & Training, Inc., also offers customized employee training solutions tailored to today’s mobile workforce and designed to improve effectiveness.


[1] U.S. Securities and Exchange Commission, JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges, Release No. 2021-262 (Dec. 17, 2021), available at https://www.sec.gov/news/press-release/2021-262; Commodity Futures Trading Commission, CFTC Orders JPMorgan to Pay $75 Million for Widespread Use by Employees of Unapproved Communication Methods and Related Recordkeeping and Supervision Failures, Release No. 8470-21 (Dec. 17, 2021), available at https://www.cftc.gov/PressRoom/PressReleases/8470-21.

[2] U.S. Securities and Exchange Commission, SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures, Release No. 2023-149 (Aug. 8, 2023), available at https://www.sec.gov/news/press-release/2023-149 (hereinafter, “August 2023 SEC Press Release”); Commodity Futures Trading Commission, CFTC Orders Four Financial Institutions to Pay Total of $260 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods, Release No. 8762-23 (Aug. 8, 2023), available at https://www.cftc.gov/PressRoom/PressReleases/8762-23 (hereinafter, “August 2023 CFTC Press Release”).

[3] August 2023 CFTC Press Release.

[4] August 2023 SEC Press Release.

[5] Id.