WhatsApp-ening? The SEC’s “Off-Channel” Communications Sweep

Public companies in every industry bristle at the burden of complying with the Securities and Exchange Commission’s (SEC) ever-expanding rulebook. If you think running a public company is onerous, count your lucky stars that you are not an asset manager, fund, or broker-dealer required to register with the SEC and the Financial Industry Regulatory Authority (FINRA). However, public companies still need to pay attention to the downstream impact of recent enforcement actions in this space.

In the last year alone, the SEC has imposed game-changing rules on private funds, proposed broad new “predictive data analytics” rules to limit advisers’ and brokers’ use of AI and other emerging technologies, and doubled down on aggressive exam and enforcement activities.

One recent enforcement trend has been especially impactful to the bottom line, resulting in the SEC and the Commodity Futures Trading Commission (CFTC) penalizing registered entities more than $2 billion in less than two years for a common practice. What is this deeply troubling behavior? Securities or commodities fraud? Try again. Deceptive practices that harm customers or their investments? Nope. Still stumped? Individual employees of registered broker-dealers and investment advisers had been using WhatsApp, text messages and iMessages, and personal email such as Gmail to send business-related messages.

Levity aside, regulators are as serious as a heart attack about rules requiring brokers and advisers to preserve business-related messages. In this post, I’ll take stock of the recent enforcement actions in this space, offer some thoughts for industry participants, and note where insurance can be helpful. I’ll also discuss broader implications that these cases may have for public companies outside of the financial services industry. If you are reading this on your phone, please finish the article before sending your next self-destructing message.

Record Recordkeeping Penalties

Registered broker-dealers are required by SEC rules to keep copies of all communications “relating to [their] business as such” for three years; registered investment advisers must keep copies of communications about certain business topics for five years. This was relatively easy to do when these rules were first promulgated in the 20th century. As corporate communications transitioned from paper to digital, registered entities were careful to preserve company instances of email, Teams, Slack, and other platforms according to the rules.

However, since the turn of the 21st century, personal email and text messaging have also been ubiquitous. And in the 2010s, encrypted and “ephemeral” (i.e., with an auto-delete feature) messaging apps like WhatsApp, Signal, and Telegram exploded in popularity. Despite this, for more than two decades, little regulatory attention was paid to the possible existence of business-related communications on personal messaging apps.

The “aha!” moment came in December 2021, when the SEC and CFTC sued JPMorgan's broker-dealer (JPMS) for alleged recordkeeping violations and extracted $200 million in penalties. According to the SEC, for years many JPMS employees—including supervisors tasked with ensuring compliance—talked about brokerage business in personal texts, personal emails, and WhatsApp messages.

Why was this such a big deal to the government? Because these messages were not systematically preserved or collected by the company, JPMS “frequently did not search for relevant records contained on the personal devices of its employees” when it received subpoenas and document requests from the government.

In a rare and ominous move, after suing JPMS, the SEC Division of Enforcement (SEC Enforcement) publicly announced that it had opened similar investigations and invited firms to self-report potential violations. SEC Enforcement has since rampaged across the industry, suing more than 30 firms—mostly brokers, but also some investment advisers—and imposing more than $1.6 billion in penalties in less than two years. (The CFTC has also extracted hundreds of millions in penalties.)

More recordkeeping actions based on historical practices are likely. With easy-to-prove violations and eye-popping penalties, these actions are a home run for enforcement officials.

Advice for Registered Broker-Dealers and Investment Advisers

Someday (hopefully soon), the supply of cases focused on past conduct will peter out. But registrants must remain vigilant.

If they have not already, brokers will want to implement robust training and rigorously enforce policies and procedures requiring employees to communicate about the business only via approved platforms. It would also be wise to re-assess bring-your-own-device and device management policies and how they fit—or don’t fit—into the puzzle.

For investment advisers, the picture is murkier but still quite threatening. In the sweep, the SEC has filed a few cases against advisers, targeting only those affiliated with brokers who also broke the rules. Industry groups have questioned the scope of the SEC’s recordkeeping authority for advisers, and it remains to be seen how many cases the SEC will bring in this space. Regardless, a renewed focus on well-crafted and meaningfully enforced policies and training would be warranted.

More broadly, the government’s “success” in this area has implications for future enforcement activities. In 2015, the SEC levied $4.2 billion in disgorgement and penalties, a record at the time. From 2016 to 2021, this number remained in an annual range of roughly $3 to $4 billion. In 2022, buoyed by the recordkeeping cases, the SEC recovered a whopping $6.4 billion.

The high-water mark of 2022 signals aggressive enforcement activity ahead. Government lawyers want to bring big, impactful cases. While trends may shift in different administrations, few lawyers in the enforcement business want to be seen as weak. When case statistics have trended downward in the past, SEC Enforcement has been accused of “look[ing] less muscular.” Of course, no one at the SEC is trying to hit specific aggregate annual dollar amounts. Still, high-level optics matter, particularly for leadership. Investment advisers and brokers will continue to make easy targets. 

Insurance for Registered Entities

If you are an asset manager or work for another registered entity, make sure you understand the scope of regulatory coverage under your insurance policy, what triggers your obligation to provide notice to your carrier, and what is—and is not—insurable in the context of government investigations. Routine exam costs are typically excluded. Do you understand what types of investigative costs are covered under your policy and what costs are excluded? And, if you are faced with a wide-reaching SEC investigation, will your coverage limits be adequate? These are all discussion points you will want to address with your trusted insurance advisor.

Lessons for Public Companies in Other Industries

Of course, public companies outside the financial services industry are not subject to the same recordkeeping requirements. If you work at such a company, you are probably sighing with relief. Not so fast. There are also potential implications here for you and yours.

The lessons for public companies are similar to the hard lessons already learned by brokers and advisers. Employees should only discuss company business on approved messaging platforms. Consider whether there is a legitimate business need to chat about work over ephemeral messaging platforms.

In the JPMS settlement and other cases, the SEC was understandably miffed that its investigations may have been harmed because it didn’t get to look at theoretically important messages from employees’ personal devices. But this gap is not unique to investigations into advisers or brokers.

In any investigation, some line-drawing is required. When the SEC sends a subpoena calling for all company communications that have existed since protozoan life formed deep in ancient oceans, an iterative negotiated process typically follows. This process involves the government and your lawyers agreeing on custodians (i.e., company personnel who may have relevant documents), sources of documents to be collected, and search terms to be applied to the documents that are collected.

Sometimes, the SEC requires the company to collect and search employees’ personal devices. Often, though, document productions focus only on corporate-controlled messaging platforms (email, Slack, Teams, etc.) and there is no discussion of personal devices or other sources of messages.

Unfortunately, personal devices are now top of mind for regulators. Expect SEC Enforcement to demand that you collect and review documents from employees’ devices. Collecting phones is invasive and costly, so companies like to avoid this step if possible. Increasingly, it may not be possible.

Another risk area: ephemeral apps like Signal and Wickr that include an automatic deletion feature. I have written about how SEC lawyers love documents like a 12-year-old loves Minecraft. When the government learns that potentially relevant documents may have been deleted, watch out. This is a bad look for your company and your employees, even if no one deleted anything on purpose. Underscoring the risk, the Department of Justice recently warned that when deciding how to resolve corporate criminal cases, prosecutors will consider companies’ use of ephemeral applications, including policies governing these apps and whether relevant messages were preserved or deleted.

Finally, the more sources of messages collected, the more chances for the government to find messages that may be unhelpful to you. Regardless of the platform, employees often write extraneous, exaggerated, or inaccurate things. Poorly conceived messages are routinely misconstrued and leveraged by the government to bring cases. It makes sense to train your employees on best risk management practices for written communications. You never know when the government might be reading their texts.