Is the SEC Coming for Your Texts? SEC’s New Enforcement Director Telegraphs a Warning to Registrants About Improper Use of Personal Devices for Business-Related Communications
Enforcement staff have launched recent sweeps and investigations on the topic. On October 6, 2021, Enforcement Director Gurbir Grewal identified this as a compliance priority for the division in his first public speech in his new role. Grewal identified two concerns with registrants engaging in business-related communications outside of the firm’s channels, which he referred to as “off-channel communications.” First, he said that the practice may run afoul of registrants’ recordkeeping obligations that are essential to market integrity and enforcement. Second, he asserted that off-channel communications can impede SEC investigations. Grewal stated that SEC staff was seeing in multiple investigations instances where firms have failed to retain and produce such off-channel communications, causing delay and obstructing the investigations.
This is not an entirely new issue for Enforcement. In September 2020, the SEC brought settled charges against a broker-dealer for failing to preserve business-related text messages exchanged on the personal devices of several of its registered representatives. The firm failed to preserve such messages sent or received by several of its registered representatives on their personal devices when communicating with each other, with firm customers, and with other third parties. The messages concerned such things as the size of orders, the timing of trades, product offerings, updates on markets and certain securities prices, and the timing of certain administrative filings with the commission. Those records were called for by records requests in a separate investigation but were not retained or produced. The order found that the firm’s senior management knew that employees were communicating with one another and the firm’s customers in text messages, and they themselves did so. The firm was fined $100,000 for violating recordkeeping provisions of the Securities Exchange Act of 1934 (Securities Exchange Act).
The obligation to preserve business-related communications applies to both broker-dealers and registered investment advisers, although the specific requirements differ. Rule 17a-4 under the Securities Exchange Act requires broker-dealers to maintain a broad range of records for a period of not less than six or three years, depending on the category. The rule enumerates many categories of records that are subject to the recordkeeping obligation, including communications and written agreements entered into relating to their business.
Rule 204-2 under the Investment Advisers Act of 1940 requires registered investment advisers to maintain 18 categories of records relating to their advisory business for a period of five years from the end of the fiscal year during which the last entry was made on such record, or three years after termination of the enterprise, depending on the category. With respect to written communications, the Rule generally requires the adviser to maintain the originals of specific categories such as recommendations or advice, the receipt, disbursement, or delivery of funds or securities, the placing or execution of orders, and performance or rate of return for managed accounts, among other items. To the extent records are stored electronically, the adviser must be able to provide them “promptly” to SEC staff. The SEC’s adopting release for that Rule indicated that while the “promptly” standard imposes no specific time limit, the SEC expected that an adviser would be able to provide such records in no more than 24 hours absent unusual circumstances and in many cases immediately or within a few hours of request.
It is not uncommon for the SEC to charge books and records violations in enforcement actions against registrants. Grewal’s speech should serve as a reminder to registered firms to review their policies, procedures, and practices to ensure that they are complying with these requirements and updating them periodically. Some concrete steps firms can take include:
- reviewing their policies and procedures to determine whether they restrict or appropriately monitor the use of personal devices or other communications outside of the firm’s systems to conduct company business
- reviewing their record retention practices to ensure they comport with the retention periods statutorily required and internal policies and procedures
- conducting renewed employee training on the above requirements
- monitoring employee communications for indications that employees are communicating about business on personal devices
Finally, firms producing documents to the SEC in the course of an examination or investigation should take steps to inquire whether custodians have responsive communications on personal devices that should be retrieved and reviewed for production. It is clear the SEC will be looking for firms that fail to produce responsive communications that should otherwise be maintained or collected.