On September 29, the US Securities and Exchange Commission ("SEC") brought its latest wave of enforcement actions related to "off-channel communications," charging 10 additional firms with failing to maintain employee communications on personal devices that related to the firms' business. Over the past few years, the SEC has charged over 40 registrants in a sweep of off-channel communications actions and has levied over $1.5 billion in penalties.1
Broker-dealers and investment advisers are subject to record retention requirements outlined in the securities laws. Securities Exchange Act of 1934 ("Exchange Act") Rule 17a-4 ("Rule 17a-4") requires broker-dealers to preserve for at least three years originals of all communications received and copies of all communications sent relating to its business as such. Investment Advisers Act of 1940 ("Advisers Act") Rule 204-2(a)(7) ("Rule 204-2(a)(7)") requires that investment advisers preserve communications received and sent relating to, among other things, recommendations made or proposed to be made and advice given or proposed to be given.2
While registrants have been preserving and maintaining email communications as standard practice since the early 2000s, electronic communications have now proliferated across a variety of platforms other than email, especially since the Covid-19 pandemic and the advent of remote work. As a result, the SEC has taken action to put broker-dealers and investment advisers on notice that the same recordkeeping requirements apply to off-channel communications occurring on non-traditional communications platforms — even if a registrant has not specifically authorized employees to use those channels for business communications. In these enforcement actions, the SEC has emphasized that supervisor awareness and own use of off-channel communications could be viewed as tacit approval by the registrant of the practice.
The SEC's enforcement actions have focused on the recordkeeping provisions, Rule 17a-4 and Rule 204-2(a)(7), and supervisory requirements under Section 15(b)(4)(E) of the Exchange Act and Section 203(e) of the Advisers Act. In the settled orders, the SEC emphasizes widespread and pervasive use of unauthorized messaging apps on personal devices, including iMessage, WhatsApp, and Signal. Most of the enforcement actions contain allegations that individuals in supervisory roles, such as senior management, partners, or managing directors, exchanged off-channel communications with multiple colleagues, including junior employees under their supervision. The enforcement actions stress that these firms also failed to reasonably supervise employees with a view to preventing or detecting violation of the recordkeeping requirements and any record retention policies or procedures were not followed or enforced. The SEC highlights that by failing to maintain and preserve these records, the firms likely "deprived the Commission of these off-channel communications in various SEC investigations."3
Critically, the SEC required all firms to admit these violations — the firms were not permitted to settle on a "no admit no deny" basis. Firms faced monetary penalties ranging from a couple of million to over one hundred million dollars, and were required to retain consultants to review and report on policies and to undertake other remedial measures. In particular, firms were required to enable the consultant to conduct a "comprehensive review" of: firm policies concerning electronic communications, trainings conducted in connection with preservation of electronic communications, surveillance program measures in place to ensure compliance with record retention, technological solutions employed by firms to meet recordkeeping requirements, measures used to prevent use of unauthorized communications, and electronic surveillance concerning approved communications on personal devices.
Self-Reporting Still Results in Stiff Penalties
The announcement accompanying the August 8, 2023 wave of enforcement actions stated that regulators "know that other SEC-regulated entities have committed similar violations, and so [the] work to enforce industry-wide compliance continues." In an effort to encourage voluntary disclosure, the SEC's Director of the Division of Enforcement ("Enforcement Director") said there are "three takeaways for those firms who haven't yet done so: self-report, cooperate, and remediate. If you adopt that playbook, you'll have a better outcome than if you wait for us to come calling."4
In a press release announcing the September 2023 group of enforcement actions, the Enforcement Director again stressed the importance of self-reporting, remediating, and cooperating, noting that "[o]ne of the orders included in today's announced actions is not like the others" — a reference to the lowest off-channel communications civil penalty, for $2.5 million, against related firms that self-reported violations of broker-dealer and investment adviser recordkeeping requirements.5
While the SEC has encouraged voluntary disclosure of recordkeeping requirements violations, to date, even those entities that have voluntarily self-reported violations were still required to pay multi-million-dollar penalties.6 Further, the related firms that self-reported violations in the most recent September 29, 2023 announcement did not settle on a "no admit no deny" basis — they were also required to admit to the same liability as the other firms, including violations of recordkeeping provisions of the Exchange Act and Advisers Act and failing to reasonably supervise employees as required under the same statutes. They also were required to agree to the same significant undertakings regarding compliance consultants detailed above.
These penalties and obligations, imposed even on firms who self-disclosed violations of Rule 17a-4 or Rule 204-2(a)(7) and related provisions, demonstrate that while there are benefits to self-reporting (mainly in the form of decreased financial penalties) there remain serious consequences for recordkeeping failures regardless of self-disclosure.7
Recommended Next Steps
Considering the SEC's sustained focus on recordkeeping requirements, as well as the stiff consequences for such recordkeeping violations, registrants should contemplate taking the following steps to evaluate any potential off-channel communications issues they face and ensure employees understand their obligations.
First, registrants should examine internal policies regarding electronic communications and record retention, with an eye toward potential gaps in the capture and collection of responsive records. For example, if a firm has recently updated its policies regarding the authorized use of personal devices for firm business, or the use of collaborative team platforms to assist in remote work, then it should evaluate whether its record retention policies cover communications taking place on those devices or applications. In addition, such policies could include a process or penalties for addressing violations of the off-channel communications policies.
Second, registrants should consider providing employee training on off-channel communications. This could include attestations at the commencement of employment and regularly thereafter that employees understand the registrants' policies. The SEC's focus on "widespread failure in implementing" recordkeeping policies means that registrants should take care to ensure "individuals charged with supervising employees to prevent this misconduct" are themselves aware of and adhering to recordkeeping policies and requirements.8
Third, if registrants allow employees to utilize personal devices for firm business, registrants should consider their control over and ability to preserve communications on such devices. For example, registrants can consider loading security software or only allowing employees to use personal devices or applications by virtual private networks. Further, registrants should consider requiring employees to obtain prior firm approval before using personal devices or apps for business communications.
Fourth, registrants should examine their surveillance of electronic communications to ensure compliance with recordkeeping requirements. It is important that surveillance of electronic communications captures the entire universe of relevant records, and firms should ensure platforms that are used for certain capabilities — like videoconferencing or collaborative work — do not also contain other chat capabilities that evade surveillance and retention. Such surveillance can also include a reporting program to encourage employees to alert the registrant to other employees' noncompliance with the registrant's policies.
Finally, it is important that registrants determine whether senior employees are abiding by recordkeeping policies or engaging in off-channel communications. The SEC's focus on senior employees and their off-channel communications strongly suggests that where both management and lower-level employees engage in off-channel communications, the SEC may take the position that a firm has a pervasive recordkeeping issue which warrants further scrutiny or even penalization.
1 See, e.g., Press Release, US Sec. & Exch. Comm’n, SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures (Aug. 8, 2023) available here (stating that to date, the SEC has “brought 30 enforcement actions and ordered over $1.5 billion in penalties” related to recordkeeping violations); Press Release, US Sec. & Exch. Comm’n, SEC Charges 10 Firms with Widespread Recordkeeping Failures (Sept. 29, 2023), available here (announcing an additional $80 million in penalties related to recordkeeping violations); see also Gurbir S. Grewal, Director of Enforcement, Sec. Exch. Comm’n, Remarks at N.Y. Bar Ass’n Compliance Institute (Oct. 24, 2023) (discussing, among other topics, the SEC’s ongoing off-channel communications sweep).
2 Notably, prominent organizations in the investment management industry have taken the position that the requirements of Rule 204-2(a)(7) are narrower than Rule 17a-4. Every major US investment advisory trade association signed this letter advocating that the statutory and regulatory framework for investment advisers is narrower than the framework for broker-dealers with respect to electronic communications retention requirements. See, Han, et al., Letter to US Sec. & Exch. Comm’n Chairman Gary Gensler re: Investment Adviser Recordkeeping Requirements, (Jan. 31, 2023), available here.
3 Press Release, US Sec. & Exch. Comm’n, SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures, (Aug. 8, 2023) available here.
4 Press Release, US Sec. & Exch. Comm’n, SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures, (Aug. 8, 2023) available here (announcing penalties of $289 million against 11 firms for failing to maintain and preserve electronic records).
5 Press Release, US Sec. & Exch. Comm’n, SEC Charges 10 Firms with Widespread Recordkeeping Failures, (Sept. 29, 2023), available here.
6 Press Release, US Sec. & Exch. Comm’n, SEC Charges [Firms] with Widespread Recordkeeping Failures, (May 11, 2023), available here (announcing penalties of $15 million and $7.5 million against two firms for failing to maintain and preserve electronic communications).
7 In determining whether to conduct an internal investigation, firms should be aware that FINRA Rule 4530, which applies to broker-dealers who are FINRA members, may require that the firm report findings to FINRA.
8 Gurbir S. Grewal, Director of Enforcement, US Sec. Exch. Comm’n, Remarks at N.Y. Bar Ass’n Compliance Institute (Oct. 24, 2023), available here.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP