By Michael Brice
On September 27, 2022, the SEC announced more than $1.1bn in combined fines against 16 Wall Street firms for “widespread recordkeeping failures.” A second announcement followed on September 29, 2023 against different firms, leading BW Cyber to conclude that still more enforcement activities are on the way.
Despite these enormous fines, many firms fail to properly retain key business records, particularly electronic communications. Here, “properly retain” means tracking and holding onto relevant data from tools like WhatsApp, Telegram, Teams, and Zoom, which exploded in popularity during the COVID pandemic, often with the company formally allowing their use. But unlike traditional tools, these communications are not journaled, creating both a blind spot for the Chief Compliance Officer and a very big compliance risk.
Simply put, failing to journal all communications allowed in your company’s “Acceptable Use Policy” is a regulatory mess waiting to happen. And if your company’s Acceptable Use Policy doesn’t explicitly state exactly which communications platforms may be used by employees, you now have a significant problem with your SEC-required journaling. With that said, there are reasonably easy steps that you can take to help your Chief Compliance Officer feel more confident about this regulatory landmine.
As a first step, have your IT team (or your outsourced IT MSP if you don’t have an internal team) prevent employees from downloading or using, on their computers and company-issued mobile devices, any communication apps that are not explicitly allowed by the firm’s Acceptable Use Policy. That’s not a difficult thing to do.
Next, contact your journaling vendor (e.g., Global Relay, Smarsh, etc.) to ensure that they are contracted to journal all communications explicitly allowed in your firm’s Acceptable Use Policy. Don’t assume they already do it. Beyond just email, you’ll want to address Instant Messaging within your video tools (e.g., Zoom, Teams, etc.), as well as communications with Facebook Messenger, LinkedIn InMail, WhatsApp, and more.
If you allow your employees to use their own phones (i.e., BYOD mobile devices), you can’t prevent them from using these apps on their personal devices. So, short of issuing them a dedicated phone (which many of the larger institutions are now doing), the best solution is to ensure your Acceptable Use Policy is crystal clear on the communication methods allowed (or not) by company policy.
Getting back to our friends at the SEC: they mean business and have shown a willingness to continue punitive enforcement actions against registrants that do not journal all investor communications. No surprise, then, that we expect to see more fines in the near future.