Is the SEC Coming for Your Texts? SEC’s New Enforcement Director Telegraphs a Warning to Registrants About Improper Use of Personal Devices for Business-Related Communications
Enforcement staff have launched recent sweeps and investigations on the topic. On October 6, 2021, Enforcement Director Gurbir Grewal identified this as a compliance priority for the division in his first public speech in his new role. Grewal identified two concerns with registrants engaging in business-related communications outside of the firm’s channels, which he referred to as “off-channel communications.” First, he said that the practice may run afoul of registrants’ recordkeeping obligations that are essential to market integrity and enforcement. Second, he asserted that off-channel communications can impede SEC investigations. Grewal stated that SEC staff was seeing in multiple investigations instances where firms have failed to retain and produce such off-channel communications, causing delay and obstructing the investigations.
This is not an entirely new issue for Enforcement. In September 2020, the SEC brought settled charges against a broker-dealer for failing to preserve business-related text messages exchanged on the personal devices of several of its registered representatives. The firm failed to preserve such messages sent or received by several of its registered representatives on their personal devices when communicating with each other, with firm customers, and with other third parties. The messages concerned such things as the size of orders, the timing of trades, product offerings, updates on markets and certain securities prices, and the timing of certain administrative filings with the commission. Those records were called for by records requests in a separate investigation but were not retained or produced. The order found that the firm’s senior management knew that employees were communicating with one another and the firm’s customers in text messages, and they themselves did so. The firm was fined $100,000 for recordkeeping provisions of the Securities and Exchange Act of 1934 (Securities Exchange Act).
The obligation to preserve business-related communications applies to both broker-dealers and registered investment advisers, although the specific requirements differ. Rule 17a-4 under the Securities Exchange Act requires broker-dealers to maintain a broad range of records for a period of not less than six or three years, depending on the category. The rule enumerates many categories of records that are subject to the recordkeeping obligation, including communications and written agreements entered into relating to its business.
Rule 204-2 under the Investment Advisers Act of 1940 requires registered investment advisers to maintain 18 categories of records relating to its advisory business for a period of five years from the end of the fiscal year during which the last entry was made on such record, or three years after termination of the enterprise, depending on the category. With respect to written communications, the Rule generally requires the adviser to maintain the originals of specific categories such as recommendations or advice, the receipt, disbursement, or delivery of funds or securities, the placing or execution or orders, and performance or rate of return for managed accounts, among other items. To the extent records are stored electronically, the adviser must be able to provide them “promptly” to SEC staff. The SEC’s adopting release for that Rule indicated that while the “promptly” standard imposes no specific time limit, the SEC expected that an adviser would be able to provide such records in no more than 24 hours absent unusual circumstances and in many cases immediately or within a few hours of request.
It is not uncommon for the SEC to charge books and records violations in enforcement actions against registrants. Grewal’s speech should serve as reminder to registered firms to review their policies, procedures, and practices to ensure that they are complying with these requirements and updating them periodically. Some concrete steps firms can take include:
- reviewing their policies and procedures to determine whether they restrict or appropriately monitor the use of personal devices or other communications outside of the firm’s systems to conduct company business
- reviewing their record retention practices to ensure they comport with the retention periods statutorily required and internal policies and procedures
- conducting renewed employee training on the above requirements
- monitoring employee communications for indications that employees are communicating about business on personal devices
Finally, firms producing documents to the SEC in the course of an examination or investigation should take steps to inquire whether custodians have responsive communications on personal devices that should be retrieved and reviewed for production. It is clear the SEC will be looking for firms that fail to produce responsive communications that should otherwise be maintained or collected.
You might also like
Employers in New York City may soon be subject to a new law, Local Law 144, that regulates employers’ use of automated employment decision tools (“AED tools” or “AEDT”) – software and other programs used to make decisions about who to hire, who to promote and other employment decisions. Local Law 144, the first of its kind law regulating these AED tools, was originally supposed to go into effect on January 1, 2023; however, because needed regulatory guidance had not been issued, the effective date was repeatedly pushed back and is now set for July 5, 2023. Final rules were released on April 6, 2023, so further delays are unlikely. We summarize below the key provisions of Local Law 144 and what employers need to know to prepare.
AIEmployee PrivacyPolicyU.S. State Privacy Laws
On March 15, 2023, the U.S. Securities and Exchange Commission (SEC) proposed three rules related to cybersecurity and the protection of consumer information and reopened the comment period for a proposed cybersecurity rule for investment advisers and funds. This significant action would impose new cybersecurity requirements for several SEC-registered entities, including with respect to these entities’ policies, incident response and notification procedures, and cybersecurity risk management. This Sidley commentary and analysis discusses the key features of each proposal, including new requirements and differences among each of the proposals.
CybersecurityRegulationSEC
2023 is rapidly becoming the year of AI policy and regulation. A particular focus of regulatory concern relates to AI impacts on employees, and the U.S. Equal Employment Opportunity Commission (EEOC) is not sitting on the sidelines. On January 31, 2023, the EEOC held a public hearing to examine the use of automated systems, including artificial intelligence (AI), in employment decisions. This hearing, titled “Navigating Employment Discrimination in AI and Automated Systems: A New Civil Rights Frontier,” continues the work of the Artificial Intelligence and Algorithmic Fairness Initiative, which was launched in 2021 by the EEOC. Through this initiative, the EEOC has already published a guidance titled “The Americans with Disabilities Act and the Use of Software, Algorithms, and Artificial Intelligence to Assess Job Applicants and Employees.” Below are a few high-level takeaways from the hearing: