GET THE MESSAGE - What is your firm doing to ensure employee communications on personal devices are collected and preserved?
The supervision and retention of communications on personal devices is a hot-button issue with securities regulators such as the U.S. Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”). To avoid harsh penalties from regulators, the time is now for firms to ensure that they have processes in place. What is your firm doing to retain and produce communications exchanged by personnel on personal devices, such as text messages or communications exchanged on instant messaging platforms?
We have seen specific requests for “Documents” and “Communications” that are defined to include “messages of any type,” “text messages,” and/or “instant messages.”
Over the past few years, the SEC and other regulators have increasingly become focused on the use of outside communication channels such as text messaging and other instant messaging platforms. When used for business-related purposes, the SEC has been abundantly clear that these communications are considered part of firms’ books and records, and should be retained and produced as such. Indeed, in a recent press release, SEC Chair Gary Gensler stated that “[a]s technology changes, it’s even more important that registrants ensure that their communications are appropriately recorded and are not conducted outside of official channels in order to avoid market oversight.”
For instance, in recent regulatory matters, we have seen specific requests for “Documents” and “Communications” that are defined to include “messages of any type,” “text messages,” and/or “instant messages.” We have also seen requests setting forth specific questions regarding firms’ searches for relevant text messages and the methods used to preserve such text messages. Upon receipt of such requests, firms should work to have processes in place to quickly institute a litigation hold that clearly communicates to firm personnel that business-related communications on their devices must be preserved and provided to the firm. In addition, we recommend engaging a vendor to assist with imaging physical devices and applying search terms to such communications to help streamline the process.
Failure to collect these communications may result in harsh penalties. For instance, in September 2022, after gathering communications from the personal devices of a sample of the personnel from 15 broker-dealers and an affiliated investment advisor, the SEC found that employees “routinely communicated about business matters using text messaging applications on their personal devices.” The firms under investigation did not maintain or preserve most of these off-channel communications, violating the federal securities laws, and resulting in $1.1 Billion in penalties.
Failure to collect these communications may result in harsh penalties
Similarly, in December 2021, another firm agreed to pay a $200 million fine to regulators, including the SEC, for failing to track and retain broker/dealer text messages on employees’ personal devices. The severity of these penalties is no accident; they are explicitly intended to “deliver a straightforward message to registrants…[t]he time is now to bolster your record retention processes and to fix issues that could result in similar future misconduct by firm personnel…the staff will continue its efforts to enforce compliance with the Commission’s essential recordkeeping requirements.”
As the SEC continues to ramp up its focus in this space, one can expect FINRA will do the same. Notably, FINRA has also increased the number of enforcement actions against firms related to retention and supervision of messages on personal devices, and has imposed sanctions in the form of suspensions and fines for violations. Indeed, one of the areas of focus in FINRA’s 2022 Report on Examination and Risk Monitoring Program is on digital communication channels, and specifically, “how does your firm supervise and maintain books and records in accordance with SEC and FINRA Books and Records Rules for all approved digital communications.” FINRA’s Report also cautions firms to ensure that their policies address all permitted and prohibited digital communication channels, and have a process in place to review for red flags indicating representatives are communicating through unapproved communication channels. We expect that regulators in this space will remain focused on communications on personal devices in 2023 and beyond.
Firms should pay close attention to how regulators define document requests. When collecting documents and information in response to regulatory requests, firms should assume text messages are included within the scope of the request, and should have a plan in place as to how to collect and produce those messages.