United States: SEC, CFTC, And DOJ Crack Down On Unapproved Messaging Apps

A recent wave of enforcement actions against leading regulated financial institutions related to the use of unapproved messaging applications provides an important message from the Securities and Exchange Commission ("SEC") and the Commodity Futures Trading Commission ("CFTC"). Moreover, the Department of Justice ("DOJ") recently issued a memorandum indicating that (among other things) the use of such applications by any companies—not just regulated institutions—could be problematic in the context of criminal investigations.

Collectively, the SEC and CFTC's enforcement actions levied $1.8 billion of civil monetary penalties against 16 financial institutions for not prohibiting, and in some cases knowingly allowing, the use of messaging applications for business purposes that did not comply with the recordkeeping obligations applicable to those institutions. All companies—whether regulated or not—should therefore ensure that they are able to preserve communications and records that are required by applicable laws and consider addressing the use of various messaging applications for business-related communications in their policies and procedures.

SEC AND CFTC SETTLEMENTS

On September 27, 2022, the SEC issued and published settlement orders against 11 leading financial institutions and their affiliates (including 15 broker-dealers and one investment adviser) for violating certain recordkeeping requirements and for failures to supervise, imposing civil monetary penalties that collectively exceed $1.1 billion. On the same day, the CFTC ordered 11 swap dealers and futures commission merchants ("FCMs") to pay a total of $710 million dollars in fines for similar violations.

These enforcement actions relate to alleged violations of recordkeeping requirements of Rule 17a-4(b)(4) under the Securities Exchange Act of 1934 (the "Exchange Act"), Rule 204-2(a)(7) under the Investment Advisers Act of 1940 (the "Advisers Act"), and Rules 1.35, 23.201, and 23.202 under the Commodity Exchange Act (the "CEA"). These regulations generally require the regulated entities to preserve communications and other documents related to their regulated businesses. However, according to the SEC and CFTC, employees across all levels of seniority frequently used unapproved methods of communication for business purposes, including WhatsApp, personal email, and text messages, which were generally not monitored, subject to review, or archived.

Additionally, certain applications used by employees at the financial institutions, including Signal, WhatsApp, and Telegram, possess self-deleting functionalities, making it impossible for the companies to produce records to the government in response to a request for documents or subpoena. Furthermore, in one instance, the CFTC found that heads of trading desks explicitly requested that their subordinates delete business communications taking place on personal devices through unapproved applications. As a result, the SEC and CFTC found that the financial institutions failed to maintain thousands of business-related communications, including communications related to investment strategy, client meetings, and market activity.

The SEC and CFTC also found that the widespread use of unapproved communication methods violated the regulated entities' internal policies and procedures, which generally prohibited business-related communication taking place via unapproved methods.

Separately, the SEC and CFTC found that the financial institutions failed to adequately supervise their regulated businesses due to the widespread nature of these recordkeeping violations. Indeed, in certain instances, the SEC and CFTC found that the supervisors responsible for implementing and enforcing policies and procedures related to recordkeeping requirements were themselves using unapproved methods of communication and/or personal devices for business purposes.

UNDERTAKINGS REQUIRED UNDER SETTLEMENTS

As part of the settlements and in addition to the civil monetary penalties described above, the SEC required each respondent to hire a compliance consultant, who must review each institution's recordkeeping-related compliance programs and submit a report to SEC staff. The compliance consultant must also conduct a follow-up evaluation one year after the initial report is submitted to the SEC and issue a second report detailing the institution's progress toward improving its recordkeeping compliance program. Each institution must also conduct an internal audit into the same issues and submit a report to SEC staff. Additionally, for two years, each institution must notify SEC staff of any disciplinary measures imposed on employees related to recordkeeping issues.

The CFTC required each institution to conduct a similar review of its recordkeeping compliance program, but required the respondents themselves to conduct this review rather than an independent consultant. Additionally, similar to the SEC, the CFTC required each institution to conduct a one-year evaluation and assessment of its recordkeeping compliance programs, and to notify CFTC staff of any disciplinary measures taken against employees related to recordkeeping issues.

DOJ INDICATES AN EVEN MORE EXPANSIVE STANCE ON UNAPPROVED MESSAGING APPS

While the SEC and CFTC enforcement actions targeted registered entities subject to onerous recordkeeping obligations, the DOJ indicated in a memorandum on Corporate Criminal Enforcement Policies, dated September 15, 2022, that it may hold all corporate entities to a similar standard. Specifically, the DOJ stated that, moving forward, "prosecutors should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved." Furthermore, the enforcement of existing policies and training will be taken into account when considering whether to grant cooperation credits to a corporation being investigated by the DOJ.

The DOJ's memorandum does not create explicit legal obligations for companies to prevent employees from using unapproved means of communications for business purposes. Rather, the DOJ indicated that, in evaluating whether a company maintained an adequate compliance program (which could warrant a more preferential resolution), prosecutors should consider whether the company took measures to ensure that it would be able to collect and provide to the government all non-privileged responsive documents relevant to an investigation.

CONCLUSION

These enforcement actions and advisories make clear that regulators are focusing heavily on the use of unapproved apps and messaging systems. As a result, all companies—and securities and derivatives market participants in particular—should ensure that they are able to maintain all business communications consistent with their legal obligations and compliance policies and procedures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.