Is the SEC Coming for Your Texts? SEC’s New Enforcement Director Telegraphs a Warning to Registrants About Improper Use of Personal Devices for Business-Related Communications
Enforcement staff have launched recent sweeps and investigations on the topic. On October 6, 2021, Enforcement Director Gurbir Grewal identified this as a compliance priority for the division in his first public speech in his new role. Grewal identified two concerns with registrants engaging in business-related communications outside of the firm’s channels, which he referred to as “off-channel communications.” First, he said that the practice may run afoul of registrants’ recordkeeping obligations that are essential to market integrity and enforcement. Second, he asserted that off-channel communications can impede SEC investigations. Grewal stated that SEC staff was seeing in multiple investigations instances where firms have failed to retain and produce such off-channel communications, causing delay and obstructing the investigations.
This is not an entirely new issue for Enforcement. In September 2020, the SEC brought settled charges against a broker-dealer for failing to preserve business-related text messages exchanged on the personal devices of several of its registered representatives. The firm failed to preserve such messages sent or received by several of its registered representatives on their personal devices when communicating with each other, with firm customers, and with other third parties. The messages concerned such things as the size of orders, the timing of trades, product offerings, updates on markets and certain securities prices, and the timing of certain administrative filings with the commission. Those records were called for by records requests in a separate investigation but were not retained or produced. The order found that the firm’s senior management knew that employees were communicating with one another and the firm’s customers in text messages, and they themselves did so. The firm was fined $100,000 for violating recordkeeping provisions of the Securities and Exchange Act of 1934 (Securities Exchange Act).
The obligation to preserve business-related communications applies to both broker-dealers and registered investment advisers, although the specific requirements differ. Rule 17a-4 under the Securities Exchange Act requires broker-dealers to maintain a broad range of records for a period of not less than six or three years, depending on the category. The rule enumerates many categories of records that are subject to the recordkeeping obligation, including communications and written agreements entered into relating to its business.
Rule 204-2 under the Investment Advisers Act of 1940 requires registered investment advisers to maintain 18 categories of records relating to their advisory business for a period of five years from the end of the fiscal year during which the last entry was made on such record, or three years after termination of the enterprise, depending on the category. With respect to written communications, the Rule generally requires the adviser to maintain the originals of specific categories such as recommendations or advice, the receipt, disbursement, or delivery of funds or securities, the placing or execution of orders, and performance or rate of return for managed accounts, among other items. To the extent records are stored electronically, the adviser must be able to provide them “promptly” to SEC staff. The SEC’s adopting release for that Rule indicated that while the “promptly” standard imposes no specific time limit, the SEC expected that an adviser would be able to provide such records in no more than 24 hours absent unusual circumstances and in many cases immediately or within a few hours of request.
It is not uncommon for the SEC to charge books and records violations in enforcement actions against registrants. Grewal’s speech should serve as a reminder to registered firms to review their policies, procedures, and practices to ensure that they are complying with these requirements and updating them periodically. Some concrete steps firms can take include:
- reviewing their policies and procedures to determine whether they restrict or appropriately monitor the use of personal devices or other communications outside of the firm’s systems to conduct company business
- reviewing their record retention practices to ensure they comport with the retention periods statutorily required and internal policies and procedures
- conducting renewed employee training on the above requirements
- monitoring employee communications for indications that employees are communicating about business on personal devices
Finally, firms producing documents to the SEC in the course of an examination or investigation should take steps to inquire whether custodians have responsive communications on personal devices that should be retrieved and reviewed for production. It is clear the SEC will be looking for firms that fail to produce responsive communications that should otherwise be maintained or collected.