As technology continues to evolve and new ways of electronic communication emerge, businesses face increased compliance challenges and increased regulatory risk. With more employees working remotely due to the COVID-19 pandemic, there has been a significant increase in the use of text messages, chats, and online meetings to conduct business. As a result, US regulators are scrambling to ensure companies properly monitor and store employee communications, including text messages and chat conversations on personal devices.
With the likelihood that many employees will continue to work from home for the foreseeable future, their reliance on text messaging, chat apps and video conferencing will inevitably continue. Therefore, it is critical that companies assess their policies and procedures to ensure compliance with relevant communications monitoring and retention requirements.
Technology advances as law enforcement heats up
In October 2021, Gurbir S. Grewal, Director of the Enforcement Division at the Securities and Exchange Commission (SEC), warned that companies “need to actively consider and address the many compliance issues raised by the increased use of personal devices, new communication channels and other technological developments such as ephemeral apps.”
Shortly after, news broke of the SEC’s industry sweep targeting Wall Street banks and their procedures for tracking and retaining employees’ business-related electronic communications, making it clear that the SEC is stepping up law enforcement and record keeping obligations are a priority. .
At the end of the year, the SEC announced a $125 million settlement with JP Morgan Securities LLC (JPMS), a brokerage subsidiary of JP Morgan Chase & Co., for JPMS’ alleged widespread failure to maintain electronic communications of its employees. personal devices. This includes work texts, WhatsApp messages, and emails from personal accounts.
The SEC found that JPMS violated Rules 17a-4(b)(4) and 17a-4(j) (17 CFR § 240.17a-4) applicable to broker-dealers, which specify the minimum retention period for records , the format in which the records may be kept and that the records are subject to review. JPMS admitted that at least from January 2018 to November 2020, contrary to its own policies and procedures, its employees communicated about matters on their personal devices, and the company did not retain any such electronic communications. The SEC concluded that JPMS’s failure to retain these records deprived the SEC of evidence and “compromised and delayed” investigations.
US regulators are ensuring companies properly monitor and store employee communications, including text messages and chat conversations on personal devices.
In a separate action, the Commodity Futures Trading Commission (CFTC) has fined JPMorgan Chase Bank, NA, JP Morgan Securities LLC and JP Morgan Securities plc $75 million for similar alleged violations dating back to 2015. fines demonstrates the strict stance regulators take on record-keeping violations. And last month, a number of major financial institutions publicly disclosed in their annual reports that they were cooperating with SEC and CFTC investigations regarding record-keeping compliance sent via unapproved email channels. .
The Need for Compliance Reviews
Recent investigations indicate that companies should anticipate similar U.S. regulatory investigations and should preemptively consider whether they are complying with various regulatory record-keeping obligations. As recommended by SEC Director of Enforcement Grewal, “[a] A proactive compliance approach requires that market participants do not wait for enforcement action to put in place appropriate policies and procedures to safeguard these communications.”
As COVID-19 and other factors drive the use of a greater variety of electronic communications within the workforce, it is critical that businesses strive to keep up with the changing technology and the onslaught of new messaging and video applications.
In the past, electronic communications largely consisted of email, but now other forms also trigger regulatory obligations, including chat systems, ephemeral messaging apps, video conferencing platforms with collaboration features such as such as polls, virtual whiteboards, file transfers and tools such as animated gifs and reactions. The Financial Industry Regulatory Authority (FINRA) has issued guidance on several topics related to electronic communications.
Companies should carefully review their monitoring procedures, record retention policies and technology platforms to ensure they comply with applicable rules and update them as necessary.
For example, in the Advertising Regulation FAQ section, FINRA noted that even impromptu visuals (e.g., a virtual whiteboard) presented in an online meeting will in some cases need to be retained and archived as than “communication”. Whether a communication should be retained does not depend on the device or platform used, but rather on the content (i.e., does it relate to “activity as such” of a broker-dealer under Rule 17(a-4) and context.
Many companies have banned the use of texting, messaging, social media, or collaboration apps for business communications. In particular, short-lived messaging apps (e.g., Telegram, WhatsApp, Snapchat) that automatically delete messages after a certain period of time can prevent businesses from properly retaining communication and lead to regulatory compliance issues.
Even if companies ban the use of such messaging apps, they cannot turn a blind eye to the use of banned platforms by their employees. Businesses are required to monitor compliance to mitigate the risk of record keeping violations.
Given the industry-wide sweep and efforts by regulators to crack down on proper recordkeeping, we expect to see more enforcement action by the SEC and CFTC on this issue in the future. the future. Companies should carefully review their monitoring procedures, record retention policies and technology platforms to ensure they comply with applicable rules and update them as necessary.
Companies should also conduct training for employees on approved communication platforms and restrictions on the use of personal devices outside of approved company systems. Refresher courses on internal policies and regulatory requirements are also recommended in the current tight regulatory environment. It may be beneficial to periodically obtain certifications from employees attesting to the use of only company-approved forms of electronic communication for conducting business as well.
Companies should also monitor their systems for employee use of popular messaging services, chat platforms, and ephemeral messaging apps, and ensure they adequately capture and preserve security-related communications. Company, in particular, all communications that may occur outside of Company-approved channels. . When the company identifies a record keeping problem, depending on the nature and extent of the problem, it may consider reporting the problem itself to the appropriate regulatory authorities.
As recent enforcement actions have demonstrated, even when companies restrict employees’ use of personal devices to conduct business, if they fail to enforce their policies and properly supervise their employees , they will have to face the regulatory consequences. To avoid regulatory risks, it is crucial that companies enforce their own policies and be proactive in limiting the misuse of unauthorized communication channels.
Originally posted by Reuters.
Visit us at mayerbrown.com
Mayer Brown is a global provider of legal services comprised of law firms that are separate entities (the “Mayer Brown Firms”). The Mayer Brown firms are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, two limited liability companies established in Illinois in the United States; Mayer Brown International LLP, a limited company incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales under number OC 303359); Mayer Brown, a SELAS based in France; Mayer Brown JSM, a partnership of Hong Kong and its associated entities in Asia; and Tauil & Checker Advogados, a Brazilian legal partnership with which Mayer Brown is associated. “Mayer Brown” and the Mayer Brown logo are registered trademarks of Mayer Brown law firms in their respective jurisdictions.
© Copyright 2020. Mayer Brown Practices. All rights reserved.
This article by Mayer Brown provides information and commentary on interesting legal issues and developments. The foregoing is not a complete treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action regarding the matters discussed here.