In recent weeks, several major U.S. financial institutions have disclosed to investors that the U.S. Securities and Exchange Commission (“SEC”) and/or the Commodities Future Trading Commission (“CFTC”) are investigating alleged use by employees of institutions of unapproved messaging methods, including text messages and personal emails, to conduct official business.
In late February, Goldman Sachs informed investors that it was cooperating with an SEC investigation into “commercial communications sent via email channels.” In its annual report a few days later, Citigroup, Inc. disclosed that Citigroup Global Markets, Inc., the bank’s securities arm, is “cooperating” as the SEC investigates “its employees’ compliance with records for brokers” in connection with “Business communications sent via unapproved email channels”. And finally, HSBC Holdings, PLC warned in its annual report that the CFTC was investigating its employees’ use of “messaging platforms not approved by HSBC for business communications.”
These three disclosures come nearly three months after the SEC and CFTC fined JP Morgan Chase & Co. nearly $200 million for record-keeping violations resulting from the “widespread” use by employees of personal text messages and emails that have not been retained, violating federal regulatory record-keeping requirements for securities dealers. In the case of JP Morgan & Chase, “widespread” meant that more than 100 employees, at all levels of the company, had sent tens of thousands of text messages and WhatsApp messages, as well as personal emails, January 2018 to November 2020. The SEC alleged that the lack of proper record keeping hampered several SEC investigations.
Federal financial institution regulators such as the SEC have long required that investment dealers not only closely monitor the business communications of their employees, but build their loyalty. Financial institutions have found monitoring and custody to be increasingly difficult with the proliferation of personal email and text messaging services. The COVID-19 pandemic and work-from-home policies have made it even more difficult for institutions to monitor the activities of their employees. Regulated entities have reacted to what is seen as an SEC crackdown on personal communications by monitoring employee messaging apps or requiring employees to access their personal devices for record-keeping purposes.
Emails and text messages are here to stay. Although the SEC and CFTC investigations relate to financial institutions having mandatory record-keeping requirements, the investigations should remind all employers of how employees use, transmit, or receive data. From a data privacy, security, and even eDiscovery perspective, employers should discourage their employees, regardless of industry, from using their personal devices, email, and messaging accounts to do their job. Where there may be uncertainty about the optimal policies and procedures required to help avoid legal risk, businesses should consult with competent counsel.