SEC Encourages Self-Reporting of Recordkeeping Violations Resulting From Employees’ Use of Personal Devices for Business Communications

On December 17, 2021, the U.S. Securities and Exchange Commission (SEC) announced settled charges against a broker-dealer firm for recordkeeping violations arising from its employees’ use of personal devices for business communications. The firm agreed to pay a $125 million penalty and to retain a compliance consultant to conduct a comprehensive review of its policies and procedures relating to the retention of electronic communications found on personal devices. In announcing this enforcement action, the SEC encouraged registrants to self-report similar failures to the SEC.

The SEC’s Concerns With Off-Channel Communications

This enforcement action marks the latest step by the SEC Division of Enforcement (Division) to scrutinize registrants’ communication retention practices. Since October 2021, SEC officials have been speaking publicly about concerns with SEC registrants maintaining and preserving employees’ business-related communications outside of the firm’s channels, which they have been referring to as “off-channel communications.” Those communications can occur on employees’ personal devices, using text messages, messaging applications or personal email accounts. The Division also recently launched an enforcement sweep to investigate registered broker-dealers’ off-channel communication retention practices.

The SEC’s stated concerns include the following:

  • Recordkeeping obligations: Registrants may not be maintaining and preserving off-channel communications as required by the federal securities laws, which is essential to investor protection, market integrity and market oversight.
  • Impede investigations: Failure to maintain, preserve and produce employee off-channel communications responsive to document requests can impede SEC investigations by causing delay and obstructing the investigations.

For a further discussion of prior public statements and enforcement actions on the topic, please see Sidley Update Is the SEC Coming for Your Texts? SEC’s New Enforcement Director Telegraphs a Warning to Registrants About Improper Use of Personal Devices for Business-Related Communications (October 13, 2021).

FINRA’s Focus on Off-Channel Communications

The Financial Industry Regulatory Authority (FINRA) has also brought enforcement actions involving the supervision and retention of off-channel digital communications. FINRA has prioritized the issue for more than 10 years, and the 2021 Report on FINRA’s Examination and Risk Monitoring Program highlighted the importance of firm procedures to review for red flags that may indicate that a registered representative is communicating through unapproved communication channels.

While the FINRA Enforcement Department has generally focused on bringing settled actions against registered representatives for off-channel digital communications, FINRA has brought cases of more limited scope under the same theory as the SEC’s December 17 enforcement action. Retention failures that FINRA views as hindering investigations have resulted in aggravated sanctions — although they have remained low in comparison to the SEC sanctions assessed last month.

The SEC action may embolden FINRA Enforcement in two ways. First, firms may see increased inquiries for off-channel communications in investigations to test retention practices. Second, the size of the fine in the SEC’s recent enforcement action — where there was no readily identifiable customer or market harm — may cause FINRA to consider taking a more aggressive approach in its own sanctions analyses.

Recordkeeping Requirements

Although the recordkeeping obligations for registrants vary depending on the entity and record type, those obligations generally include the following:

  • Rule 17a-4 under the Securities Exchange Act of 1934 requires broker-dealers to maintain a broad range of records for a period of not less than six or three years, depending on the category. The rule enumerates many categories of records that are subject to the recordkeeping obligation. For business communications, Rule 17a-4(b)(4) requires that “[o]riginals of all communications received and copies of all communications sent (and any approvals thereof) by the member, broker or dealer (including inter-office memoranda and communications) relating to its business” must be “preserved for a period of not less than three years, the first two years in an easily accessible place.”
  • Rule 204-2 under the Investment Advisers Act of 1940 requires registered investment advisers to maintain over a dozen categories of records relating to their advisory business for a period of five years from the end of the fiscal year during which the last entry was made on such record, or three years after termination of the enterprise, depending on the category. With respect to written communications, the Rule generally requires the adviser to maintain the originals of specific categories, such as recommendations or advice, the receipt, disbursement or delivery of funds or securities, the placing or execution of orders, and performance or rate of return for managed accounts, among other items.

SEC Encourages Self-Reporting of Recordkeeping Violations

In connection with the recent December 17 enforcement action, the SEC announced it has commenced additional investigations concerning record preservation practices at financial firms and encouraged firms to self-report to the Division if they believe their practices do not comply with the securities laws. The SEC doesn’t require self-reporting as a general matter, and it has not indicated whether it will offer any form of amnesty or cooperation credit — such as forbearance of or reduced fines — for self-reporting, as it has done in prior self-report initiatives.

Unlike the SEC, FINRA does require self-reporting where a member has concluded there has been a violation of securities regulations that is widespread, or has potential widespread impact to the member, its customers or the markets, or involves conduct that arises from a material failure of the member’s systems, policies or practices involving numerous customers, multiple errors or significant dollar amounts.

Registrants can consider taking the following proactive steps to address this priority issue for the Division:

  • conduct a review of the firm’s policies and procedures related to recordkeeping obligations — specifically focused on allowable and prohibited modes of business-related communications — to determine whether they are reasonably designed to prevent violations of the federal securities laws
  • conduct a review of how the firm implements such policies and procedures, assesses compliance and reviews red flags
  • conduct a review of employees’ communications to determine whether there are indications that employees are engaged in business communications using unapproved or unpreserved channels and whether those communications are permissible under the firm’s policies and procedures and consistent with statutory requirements
  • consider appropriate disciplinary steps for employee infractions related to off-channel communications policies
  • provide updated training and a compliance alert reminding employees about the firm’s communications and retention policies
  • evaluate the various options for employee devices, including issuing firm devices or allowing employees to use personal devices, based on facts and circumstances specific to the firm; firms with a “bring your own device” practice can consider adopting and implementing a mobile device management solution policy
  • discuss with legal counsel whether any identified concerns rise to the level of a securities law violation and whether self-reporting is recommended