SEC, CFTC and DOJ crack down on unapproved messaging apps – Securities

A recent wave of enforcement actions against major regulated financial institutions related to the use of unapproved messaging apps provides an important message from the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (” CFTC”). Additionally, the Department of Justice (“DOJ”) recently released a memorandum indicating that (among other things) the use of such applications by any company, not just regulated institutions, could be problematic under criminal investigations.

Collectively, SEC and CFTC enforcement actions imposed $1.8 billion in civil monetary penalties on 16 financial institutions for failing to prohibit, and in some cases knowingly authorizing, the use of messaging for commercial purposes that did not comply with the record keeping requirements applicable to these institutions. . All businesses, whether regulated or not, should therefore ensure that they are able to retain communications and records required by applicable laws and consider addressing the use of various messaging apps for professional communications in their policies and procedures.


On September 27, 2022, the SEC issued and published settlement orders against 11 leading financial institutions and their affiliates (including 15 broker-dealers and one investment adviser) for violating certain record-keeping requirements and for misconduct. surveillance, imposing civil monetary penalties that collectively exceed $1.1 billion. On the same day, the CFTC ordered 11 swap brokers and futures merchants (“FCM”) to pay a total of $710 million in fines for similar violations.

These enforcement actions relate to alleged violations of the record-keeping requirements of Rule 17a-4(b)(4) under the Securities Exchange Act of 1934 (the “Exchange Act”), Rule 204- 2(a)(7) under the Investment Advisers Act of 1940 (the “Advisors Act”) and Rules 1.35, 23.201 and 23.202 under the Commodities Exchange Act (the “ECA”) . These regulations generally require regulated entities to retain communications and other records relating to their regulated activities. However, according to the SEC and CFTC, employees of all seniority levels frequently used unapproved communication methods for work purposes, including WhatsApp, personal email and text, which were generally unmonitored. , submitted for review or archived.

Additionally, some apps used by employees of financial institutions, including Signal, WhatsApp, and Telegram, have self-deleting features, which prevent companies from producing documents to the government in response to a request for documents or information. assignment. Additionally, in one case, the CFTC found that trading desk managers explicitly instructed their subordinates to remove work communications taking place on personal devices through unapproved apps. As a result, the SEC and CFTC found that financial institutions failed to maintain thousands of business communications, including communications related to investment strategy, client meetings, and market activity. market.

The SEC and CFTC also found that the widespread use of unapproved methods of communication violated internal policies and procedures of regulated entities, which generally prohibited commercial communication by unapproved methods.

Separately, the SEC and CFTC found that financial institutions failed to adequately oversee their regulated activities due to the pervasive nature of these record-keeping violations. Indeed, in some cases, the SEC and the CFTC have found that supervisors responsible for implementing and enforcing policies and procedures related to recordkeeping requirements were themselves using unapproved communication methods and /or personal devices for work purposes.


As part of the settlements and in addition to the civil monetary penalties described above, the SEC has required each respondent to hire a compliance consultant, who must review each institution’s record-keeping compliance programs and submit a report. to SEC staff. The compliance consultant must also perform a follow-up assessment one year after the initial report is submitted to the SEC and issue a second report detailing the institution’s progress toward improving its recordkeeping compliance program. Each institution must also conduct an internal audit on the same matters and submit a report to SEC staff. Additionally, for two years, each institution must notify SEC staff of any disciplinary action imposed on employees in connection with record-keeping issues.

The CFTC required that each institution perform a similar review of its recordkeeping compliance program, but required that the respondents themselves perform this review rather than an independent consultant. In addition, like the SEC, the CFTC has required each institution to conduct a year-long review and evaluation of its recordkeeping compliance programs and notify staff of the CFTC of any disciplinary action taken against employees regarding record keeping issues.


While SEC and CFTC enforcement actions targeted registered entities subject to onerous record-keeping requirements, the DOJ said in a Corporate Criminal Law Enforcement Policy Memorandum, dated 15 September 2022, that he could hold everythinglegal persons to a similar standard. Specifically, the DOJ said that going forward, “prosecutors should consider whether the company has effective policies and procedures in place governing the use of personal devices and third-party messaging platforms to ensure the preservation business-related data and electronic communications”. In addition, enforcement of existing policies and training will be considered when considering whether to issue coop credits to a company under investigation by the DOJ.

The DOJ memorandum does not create explicit legal obligations for companies to prevent employees from using unapproved means of communication for business purposes. Instead, the DOJ said that, in assessing whether a company maintained an adequate compliance program (which could warrant a more preferential resolution), prosecutors should consider whether the company has taken steps to ensure that “She would be able to collect and provide the government with any sensitive non-privileged documents relevant to an investigation.


These enforcement actions and advisories make it clear that regulators are focusing heavily on the use of unapproved apps and messaging systems. Therefore, all companies, and participants in the securities and derivatives markets in particular, must ensure that they are able to maintain all commercial communications in accordance with their legal obligations and their policies and procedures. compliance.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

About Yvonne Lozier

Check Also

New Greenwood Parks Superintendent cites community involvement as top motivator in job search

GREENWOOD — The new parks superintendent for Sebastian County’s second-largest city said the personal interaction …