Is the SEC Coming for Your Texts? SEC’s New Enforcement Director Telegraphs a Warning to Registrants About Improper Use of Personal Devices for Business-Related Communications

Enforcement staff have launched recent sweeps and investigations on the topic. On October 6, 2021, Enforcement Director Gurbir Grewal identified this as a compliance priority for the division in his first public speech in his new role. Grewal identified two concerns with registrants engaging in business-related communications outside of the firm’s channels, which he referred to as “off-channel communications.” First, he said that the practice may run afoul of registrants’ recordkeeping obligations that are essential to market integrity and enforcement. Second, he asserted that off-channel communications can impede SEC investigations. Grewal stated that SEC staff was seeing in multiple investigations instances where firms have failed to retain and produce such off-channel communications, causing delay and obstructing the investigations.

This is not an entirely new issue for Enforcement. In September 2020, the SEC brought settled charges against a broker-dealer for failing to preserve business-related text messages exchanged on the personal devices of several of its registered representatives. The firm failed to preserve such messages sent or received by several of its registered representatives on their personal devices when communicating with each other, with firm customers, and with other third parties. The messages concerned such things as the size of orders, the timing of trades, product offerings, updates on markets and certain securities prices, and the timing of certain administrative filings with the commission. Those records were called for by records requests in a separate investigation but were not retained or produced. The order found that the firm’s senior management knew that employees were communicating with one another and the firm’s customers in text messages, and they themselves did so. The firm was fined $100,000 for recordkeeping provisions of the Securities and Exchange Act of 1934 (Securities Exchange Act).

The obligation to preserve business-related communications applies to both broker-dealers and registered investment advisers, although the specific requirements differ. Rule 17a-4 under the Securities Exchange Act requires broker-dealers to maintain a broad range of records for a period of not less than six or three years, depending on the category. The rule enumerates many categories of records that are subject to the recordkeeping obligation, including communications and written agreements entered into relating to its business.

Rule 204-2 under the Investment Advisers Act of 1940 requires registered investment advisers to maintain 18 categories of records relating to its advisory business for a period of five years from the end of the fiscal year during which the last entry was made on such record, or three years after termination of the enterprise, depending on the category. With respect to written communications, the Rule generally requires the adviser to maintain the originals of specific categories such as recommendations or advice, the receipt, disbursement, or delivery of funds or securities, the placing or execution or orders, and performance or rate of return for managed accounts, among other items. To the extent records are stored electronically, the adviser must be able to provide them “promptly” to SEC staff. The SEC’s adopting release for that Rule indicated that while the “promptly” standard imposes no specific time limit, the SEC expected that an adviser would be able to provide such records in no more than 24 hours absent unusual circumstances and in many cases immediately or within a few hours of request.

It is not uncommon for the SEC to charge books and records violations in enforcement actions against registrants. Grewal’s speech should serve as reminder to registered firms to review their policies, procedures, and practices to ensure that they are complying with these requirements and updating them periodically. Some concrete steps firms can take include:

• reviewing their policies and procedures to determine whether they restrict or appropriately monitor the use of personal devices or other communications outside of the firm’s systems to conduct company business
• reviewing their record retention practices to ensure they comport with the retention periods statutorily required and internal policies and procedures
• conducting renewed employee training on the above requirements
• monitoring employee communications for indications that employees are communicating about business on personal devices

Finally, firms producing documents to the SEC in the course of an examination or investigation should take steps to inquire whether custodians have responsive communications on personal devices that should be retrieved and reviewed for production. It is clear the SEC will be looking for firms that fail to produce responsive communications that should otherwise be maintained or collected.