On 8 August 2023, penalties for record-keeping failures totalling $549 million were ordered against 10 banks, broker-dealers and investment advisers in the U.S. The Commodity Futures Trading Commission (CFTC) ordered four banks to pay $260 million for record-keeping and supervision failures arising from the use of unapproved messaging systems, including personal texts and WhatsApp. On the same day, the Securities and Exchange Commission (SEC) also announced it had settled actions against 6 banks, broker-dealers and investment advisers it had been investigating for failures to comply with record-keeping requirements, with penalties of $289 million. In recent years there have been 30 enforcement actions by the SEC and over $2 billion in penalties ordered for record-keeping violations. These violations stemmed from employees communicating about the business of their employer through messaging platforms on their personal devices, including WhatsApp, iMessage and Signal. While these messaging platforms may not have been sanctioned for use by the organisations, the content of the communications was required to be maintained or preserved under US federal securities laws.
In the media releases accompanying the announcement, both the CFTC and the SEC stressed the importance of record-keeping compliance and of ensuring employees complied with regulatory and organisational requirements. The CFTC media release provided that, ‘the orders find, as a result of each registrant’s failure to ensure that its employees – including supervisors and senior-level employees – complied with communications policies and procedures, each registrant failed to maintain hundreds if not thousands of business-related communications, including communications in connection with its commodities and swaps businesses, and thus failed diligently to supervise its business as a CFTC registrant or registrants, in violation of CFTC recordkeeping and supervision provisions.’ Director of Enforcement Ian McGinley stated, ‘the Commission’s message could not be more clear – recordkeeping and supervision requirements are fundamental, and registrants that fail to comply with these core regulatory obligations do so at their own peril.’
Similarly, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement said that, ‘today’s actions stem from our continuing sweep to ensure that regulated entities, including broker-dealers and investment advisers, comply with their recordkeeping requirements, which are essential for us to monitor and enforce compliance with the federal securities laws. Recordkeeping failures such as those here undermine our ability to exercise effective regulatory oversight, often at the expense of investors’.
How can organisations manage the use of WhatsApp and other messaging systems?
The first step is to consider and assess the risk profile of your organisation and your record-keeping obligations. For some organisations, the best protection for security and regulatory compliance will be to provide mobile phones and devices for business use only and to prohibit the use of any unsanctioned social media or messaging apps on those devices. This should be supported by policy and education around employee responsibilities and the risks associated with failure to comply with record-keeping regulations. While this approach has initial implementation costs, for some organisations it may ultimately be the most cost-effective way to reduce both risk and cost. Global Relay’s Industry Insights Report, Compliant Communications 2023, revealed that in the financial services industry 59% of respondents said they have banned WhatsApp, WeChat and similar apps. However, only 2.6% of respondents agreed that banning was an effective solution. According to the report, ‘the rest stated that they know employees may keep using WhatsApp despite channel bans, putting firms at risk of fines from regulators.’
Key ways to manage the use of personal messaging systems in the business context:
1. Policies and aligned employee education to ensure employees understand:
- They must use the approved systems for all business work and restrict their use of non-sanctioned systems, such as WhatsApp or other messaging systems, for business communications. Where non-organisation systems are used, they have a mandatory obligation to transfer all data connected with the business of the organisation into the document management and record system as soon as practicable;
- They are responsible for ensuring that organisational data and information within their knowledge and access remit is kept secure and protected within the organisation’s systems; and
- All communications in the course of their employment are maintained in accordance with all relevant policies including ‘acceptable use of IT’, ‘record-keeping and disposal’ policies and procedures.
2. There is ongoing monitoring of record-keeping compliance. Employers need to be mindful that they comply with workplace surveillance and privacy regulations when accessing employees’ personal communications. Again, clear policies for employees, together with the employer meeting its own obligations to employees, are key.
3. Disciplinary action is taken where there are breaches of IT and record-keeping policies.
4. Ongoing reminders and training in relation to:
- Information protection and cybersecurity, as referred to above.
- Messages on WhatsApp and other messaging systems are not in fact private and can be recovered in regulatory investigations, legal proceedings and data subject access requests made pursuant to privacy legislation.
Author: Susan Bennett, LLM(Hons), MBA, FGIA, CIPP/E
Founder of InfoGovANZ, Governance and Privacy Lawyer