The SEC and CFTC recently charged 11 large financial institutions and their affiliates for failing to collect, monitor, and preserve communications over WhatsApp and other messaging services. These settlements follow a late-2021 SEC settlement with another large firm based on similar issues in which that firm was fined $125 million.
Most of the firms were also required to admit wrongdoing, which is quite rare compared to the typical “no-admit/no-deny” settlements used by the SEC and CFTC. These settlements come in the wake of renewed criticism from certain SEC and CFTC officials surrounding lax enforcement penalties and the use of no-admit/no-deny settlements.
Since the dawn of email and chat and then personal mobile devices, the financial services industry has struggled to determine how best to monitor and retain employee communications in accordance with applicable rules. Firms must balance regulatory expectations against the practical reality that a compliance in this area is largely dependent on personnel adhering to firm polices. The regulators sent a powerful message with these settlements: the method, means, and media of written communication do not matter—you must comply with communications recordkeeping rules.
The settlements acknowledge that the firms had varying policies and procedures in place designed to prevent employees and supervisors from using unmonitored/unapproved messaging apps, requiring the use of only monitored communication methods, requiring regular employee training, and mandating annual employee compliance attestation. Nevertheless, the SEC and CFTC found that the institutions failed to implement an effective system of follow-up and review to determine that personnel were not using personal devices and prohibited communication methods.
In addition to the fines the firms must pay, each SEC settlement requires the respondent to retain an independent compliance consultant and conduct an internal audit, the costs of which will likely be significant.
The SEC stated in its press release that its investigations remain ongoing and the Director of the SEC’s Division of Enforcement stated that other financial institutions would be “well-served to self-report and self-remediate any [similar] deficiencies.” One of firms that settled is an SEC-registered investment adviser. This is significant, because most stand-alone SEC enforcement actions targeting personnel messages have focused on SEC-registered broker-dealers without a finding of similar violative conduct at affiliated investment advisers. This trend may be shifting with more actions against advisers on the horizon.
We will continue to monitor for enforcement trends coming out of the SEC, CFTC, and other US regulators.