One of the key risks that financial institutions on both sides of the pond are currently grappling with relates to the use by employees of “off-channel” communications. These are typically communications not monitored by the institution and not retained under various regulators’ business records requirements. Despite most companies having a policy that prohibits the use of “off-channel” communications for business, including the use of text messaging, mobile messaging platforms, such as WhatsApp and WeChat, or any ephemeral messaging services, employees continue to use them. This puts companies at risk that they are violating various business record requirements and are not meeting their obligations to monitor business communications, and it may also inhibit a company’s ability to fully cooperate in a government investigation.
While most financial institutions have been concerned about this issue for months, in the last couple of weeks there have been significant developments in the United States with the U.S. Securities and Exchange Commission (SEC) appearing to start a sweep of financial institutions to check whether they have been adequately retaining employees’ work-related communications, such as text messages. The SEC inquiry began shortly after a recent SEC speech on the issue. Here are additional details concerning those developments.
- On October 6, 2021, Gurbir Grewal, Director, Division of SEC Enforcement, spoke about the importance of recordkeeping requirements, and the need for market participants to put in place appropriate policies and procedures to preserve “off-channel” communications.
- Gurbir referenced the settlement and cease and desist order against JonesTrading from September 2020, and acknowledged that the matter was not an isolated incident. The SEC continues to see instances in investigations where one party produces off-channel communications, and the other side of the conversation does not produce them.
- Gurbir urged market participants to take a proactive compliance approach and put in place appropriate policies and procedures to preserve communications, rather than waiting for an enforcement action. He specified that everyone needs to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels and other technological developments like ephemeral applications.
- Following Gurbir’s speech, the SEC opened a broad inquiry into how financial institutions are keeping track of employees’ digital communications. Thus far, it appears that a number of financial institutions have been contacted to check whether they have been adequately retaining employees’ work-related communications, such as text messages and emails, with a focus on personal devices.
In addition, at a recent conference, Lorinda Laryea, Co-Principal Deputy Chief of the Department of Justice’s criminal fraud section, stated that a failure to produce business communications from text, WhatsApp or other messaging platforms may impact a company’s ability to cooperate in a criminal investigation.
In the UK, the Financial Conduct Authority (FCA) has also recently reminded firms of expectations with regard to remote and hybrid working, including:
- Considering any data, cyber and security risks, particularly as staff may transport confidential material and laptops more frequently in a hybrid arrangement.
- Having appropriate record keeping procedures in place.
- Meeting (and continuing to meet) any specific regulatory requirements, such as call recordings, order and trade surveillance, and consumers being able to access services.
In relation to supervision and enforcement visits, the FCA also emphasises that it should be able to access firms’ sites, records and employees, and that firms have a responsibility to ensure employees understand that the FCA has powers to visit any location where work is performed, business is carried out and employees are based (including residential addresses) for any regulatory purposes.