“As technology changes, it’s even more important that registrants ensure that their communications are appropriately recorded and are not conducted outside of official channels in order to avoid market oversight.”
You probably thought your WhatsApp and other text messages were safe from the government’s prying eyes. If you work in the Wall Street financial sector, that would no longer be true. The U.S. Securities and Exchange Commission (SEC) has launched a wide-reaching probe into the use of ‘off-channel’ modes of communication by banking industry employees, and yes, personal devices are being targeted.
The ‘sweep’ is ostensibly all part of SEC Commission Gensler’s enforcement campaign pertaining to accurate record-keeping. But critics claim the focus on broker-dealer employees’ communications on their personal devices raises serious invasion of privacy issues.
Top Executives Targeted
This past May, the SEC began an operation targeting bankers and traders at each major bank it decided to go after, demanding that more than 100 employees and executives turn over their personal mobile devices. The purpose was so that SEC lawyers could examine the devices for WhatsApp chats, text messages, and personal email accounts. The search through Wall Street dealmakers’ personal information on over 100 phones is part of a far-reaching probe into the alleged use of ‘off-channel’ platforms by dealmakers for the exchange of business information.
The sweep of personal mobile devices comes on the heels of a $200 million fine levied against JPMorgan Chase in December 2021, in which a subsidiary broker-dealer of the bank agreed to pay $125 million to the SEC over charges that the bank failed to preserve written communications of its employees and another $75 million to the Commodities Futures Trading Commission (CFTC) in civil money penalties. The bank also consented to a cease-and-desist order regarding further record-keeping violations, and they agreed to various remedial measures.
In the wake of the JPMorgan Chase probe, the SEC decided to expand their examination of private mobile devices and sent ‘requests’ for messaging app data to Goldman Sachs Group Inc., Morgan Stanley, Credit Suisse AG, HSBC Holdings Plc, and Citigroup Inc., all of whom are reportedly cooperating with regulators. The institutions have hired outside counsel to assist in reviewing the cellphone content in an attempt to filter out private, personal messages from those considered business-related. But how well employee privacy rights can be preserved in the course of this Wall Street messaging hunt is not yet clear.
Pandemic? Or Fear of Spoliation?
When the SEC first launched the campaign last Fall, the explanation offered was that with the rise of telework arrangements due to the Covid-19 pandemic, there were concerns as to whether banks were keeping proper track of digital communications exchanged by work-at-home employees; therefore, it was necessary to ramp up the SEC’s enforcement arm to ensure that banks were adhering adequately to documenting employees’ work-related communications.
However, the fact is that as far back as 2007, regulations existed allowing fines for records violations related to IM and text messaging. That year FINRA issued Regulatory Notice 07-59, focusing on the context, content, timing, and affected audience of a message rather than the platform by which it was transmitted. All of those were factors in determining whether or not a communication was a business communication. In a speech last October, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, cited a more aggressive enforcement of recordkeeping obligations related to preserving off-channel communications on account of such records being “essential to market integrity and enforcement.” He also cited the inability of Enforcement to adequately examine financial service companies as causing delay and obstruction of investigations, which raised a broader issue of accountability and spoliation issues.
When the SEC Itself Destroyed Records
There is an ironic, historical footnote to the SEC probe. On June 15, 2011, the SEC’s Office of Inspector General (OIG) opened an investigation into allegations the SEC Division of Enforcement had improperly destroyed records relating to Matters Under Inquiry (MUIs) over a twenty-year period and that the SEC made misleading statements in an August 27, 2010 response to a July 29, 2010 letter from the National Archives and Records Administration (NARA) concerning the SEC’s potential unauthorized destruction of an MUI records.
The OIG investigation found that for at least 30 years, Enforcement had opened MUIs as “pre-investigation inquiries” and that it was the policy of Enforcement to dispose of all documents relating to a MUI that were closed without becoming investigations. However, the OIG investigation also found that the SEC’s Enforcement staff destroyed documents related to closed MUIs that should have been preserved as federal records.
Nothing’s Really Private
Given both the existing record-keeping regulations and the SEC Enforcement Division’s newest sweep of communications stored on or transmitted over personal cellphones, the fact becomes obvious that business communications in financial services are neither personal nor private. The SEC can—and is—demanding the turnover of employees’ personal devices for an inspection at will, and dealmakers throughout the financial sector must be prepared with procedures and technology in place in order to comply with communications record-keeping requirements—regardless of whether internal or external—in readiness for the inevitable regulatory or legal review.
The SEC Enforcement Division is demanding that regulated entities turn over employees’ private cell phones for ‘off-channel communications’ inspection.
There is no right of privacy as to the content of one’s personal device if it has ever been used for an employer’s business communication.
The Path Forward
Dealer-brokers must have in place compliance measures related to text messaging or risk multi-million-dollar fines for alleged record-keeping violations.
Start with the basic premise that none of your communications on your personal mobile device are private if you work for a regulated entity in the financial sector.
Processes and Technology:
For counsel to the financial sector, clients must be advised as to having in place processes and technology to maintain adequate record-keeping that includes all electronic records.
Financial sector clients must enforce supervisory systems for all business communications, whether internal or external.
As discovered by top Wall Street financial giants, when an SEC deep probe does arise, it is highly advisable to extend cooperation to the agency while maintaining the involvement of your own counsel so as to have a monitoring presence as to privacy issues.