Compliance Issues Abound from Employees’ Use of Unauthorized Messaging Apps

New York Law Journal

It has never been easier to communicate. The origin of human speech has been tentatively traced to around 100,000 BCE. The use of technology for communication dates back to 30,000 BCE and the first use of symbols. Humans have consistently sought means of communicating outside one’s immediate tribe and have fought to render distance a challenge, rather than an impediment, to communication. From smoke signals to Snapchat, as a species we have developed myriad means by which to send a message. The vast majority of us can do so with a few taps on our phones. However, with increased ease comes the heightened risk that our tools for communication can be used inappropriately.

A majority of employees use their cellphones for both business and pleasure—75% of U.S. employees use their personal cellphones for work. (This statistic pre-dates the COVID-19 pandemic, which means that it is likely much higher now as more workers work either entirely or partially from home.) And while 51% of employees use company-mandated apps to do work on their cellphones, many employees use additional apps to do their jobs that their companies do not know about and cannot track. This has caused a huge compliance problem, particularly for regulated financial firms that are obligated to keep records of their business activities.

This issue first made headlines back in December 2021 when the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) fined a large investment bank $200 million for recordkeeping violations related to its employees’ use of WhatsApp messages to conduct business. Following a sweep targeting large broker dealers, the SEC fined an additional 16 financial firms in September 2022. The fines totaled a combined $1.8 billion after subpoena responses revealed their employees discussing deals and trades on their personal devices and apps. Then in January 2023, late to the party but not to be outdone, the Financial Industry Regulatory Authority (FINRA) fined another licensed broker dealer $200,000 for its failure to retain business-related text messages, despite the firm having identified the issue on its own and self-reported.

More recently, on Jan. 26, one of the large financial firms that had been fined by the SEC back in September made headlines again after announcing it had fined its own employees sums ranging between a few thousand dollars to over $1 million for continuing to use unauthorized messaging platforms for business communications. The penalties will be clawed back from bonuses, making the employees, rather than the firm’s shareholders, pay for their indiscretions. Our understanding is that other firms have imposed similar disciplinary measures against their employees in a continued effort to stay out of the crosshairs of overeager regulators. It is clear that the compliance issues caused by society’s increased use of social media and instant messaging apps are not going away. The SEC and other regulators have tried to update their rules and regulations to cope with the advance of technology.

Updated Regulations and Guidance

There is a patchwork of laws, rules, and regulations governing the recordkeeping and supervisory obligations of entities registered with financial regulators. For example, Securities Exchange Act Rule 17a-4(b)(4) requires registered broker-dealers to, among other things, keep communications relating to their business for at least three years. FINRA also has similar recordkeeping rules, including rules governing supervision. FINRA Rule 3310 requires a firm to establish and maintain a system supervising its employees’ activities in order to ensure compliance with applicable securities laws and FINRA rules. On the commodities side, NFA Compliance Rule 2-10 and CFTC Regulation 1.31 require each NFA member to maintain and have available for inspection at its main business certain records that support and explain its activities.

Following the SEC’s crackdown on broker-dealers last fall, the SEC adopted amendments to its electronic recordkeeping requirements for broker-dealers that permit the retention of electronic records using audit-trail methodology as opposed to a “nonrewriteable, nonerasable format” (sometimes referred to as “write once, read many,” or WORM) required under the old rule. The amendments are designed to “modernize recordkeeping requirements given technological changes” and allow for adaptability to “new technologies in electronic recordkeeping.” In a statement, SEC Chair Gary Gensler opined that the new requirements may also reduce some firms’ compliance costs.

Relatedly, the SEC also amended Rule 18a-6 under the Exchange Act, applicable to nonbank security-based swap dealers and major security-based swap participants that are not also registered as a broker-dealer (collectively, SBS Entities), to similarly require that their electronic recordkeeping systems preserve electronic records consistent with Rule 17a-4 as amended. The amendments became effective on Jan. 3 with a compliance date of May 3 for broker-dealers.

Department of Justice (DOJ) Guidance for Nonregulated Entities

It is not only broker-dealers and regulated entities who need to be mindful of what and how their employees are communicating. Any company that finds itself under investigation by federal law enforcement will want to show it has a robust corporate compliance program.

On Sept. 15, 2022, Deputy Attorney General Lisa Monaco issued a memorandum revising the DOJ’s corporate criminal enforcement policies (the Monaco Memo). The Monaco Memo outlines the factors that the DOJ considers in assessing corporate accountability for misconduct. One of those factors is the strength of a company’s compliance program. In other words, a stronger program will likely lead to a more favorable settlement agreement. One of the elements that the DOJ will review in assessing a company’s compliance program is how the company regulates its employees’ use of third-party messaging apps. The Monaco Memo discussed the DOJ’s expectation that a “robust compliance program” can collect work-related data and communications from an employee’s personal device or from third-party messaging applications (even if ephemeral or encrypted) that are used for work.

What Steps Should Firms Be Taking Now?

Many companies operating in the financial industry, whether or not they are registered entities, already have compliance programs that include policies and procedures addressing their employees’ use of messaging apps for work. The much thornier issues always seem to be whether and how to make sure employees are following policy, and what to do if there are violations.

We believe there is a benefit to firms taking an aggressive independent approach to determine whether they have the correct policies and procedures in place, and whether their personnel are compliant. A comprehensive risk assessment can evaluate the end-to-end processes, controls, and technology that are currently in place at the firm. We have assisted clients with assessments that include, for example, an analysis of employees’ use of approved and unapproved electronic communications; the geographic location of employees; how business counterparties communicate; and what employees are covered by the regulations. Each circumstance requires a different approach to compliance that may necessitate additional HR policies, privacy considerations, and specialized legal advice. For example, some firms have employees in jurisdictions with privacy laws that are paramount and could expose employers to civil suits or sanctions for collecting employees’ communications. Other firms may have traders with counterparties who insist on using ephemeral messaging apps to conduct business.

A risk assessment should also include whether a firm has an effective monitoring system. Key focus areas for better monitoring may include implementing controls for previously unapproved channels; developing appropriate systems and methodologies to retain and surveil communications for in-scope employees; deploying technology that allows employees to effectively perform their business-as-usual functions on channels with capture capabilities; establishing training, employee attestations, and other methods to enhance employee awareness of their obligations; and developing frameworks and guidelines to effectively deter employees from violating policies. Findings and observations identified during an assessment can be supplemented with a lookback review to perform remediation of identified gaps, such as onboarding unapproved channels currently in use or capturing previous communications on unapproved channels into retention systems. While conducting a lookback is arguably not required to comply with regulations, our experience has shown that proactively identifying and addressing potential issues related to unapproved channel use is a hugely beneficial exercise and is looked upon favorably by regulators.

Finally, firms often need advice regarding what to do when they discover that employees are violating existing policy. Next steps often include strategizing how best to capture communications from unapproved channels into the firm’s retention systems. Other considerations include how to discipline employees. Some firms may be comfortable imposing fines or taking other disciplinary actions against employees for non-compliance, and some may not. Holding managers accountable for the actions of their employees is usually a crucial component of instilling a top-down culture of compliance; however, in order to do so, it is imperative that managers be provided with tools and metrics to give them an appropriate level of insight into potential unapproved channel use by their employees.

While the specific tools and metrics may vary, areas that may warrant manager supervision include employee usage of deployed technology solutions, communications flagged by surveillance protocols, completion and results of employee training and attestations, and confirmed violations of electronic communication policies. Significantly, if a firm discovers employees who are continuing to violate policy, it is often wise to dig deeper to make sure there is no underlying reason for the desire to keep communications secret.

One thing is certain: the use of unauthorized messaging apps has been front and center for financial regulators for over a year and is not going away anytime soon. Although there is no “one-size-fits-all” approach to compliance in this area, firms that take a proactive approach in conducting assessments and remediating any issues will be best served when the regulators come knocking.

"Compliance Issues Abound from Employees’ Use of Unauthorized Messaging Apps," by Jennifer L. Achilles, Amelia Clegg, and Christopher Sicuranza* was published in the New York Law Journal on February 17, 2023.

Reprinted with permission from the February 17, 2023, edition of the New York Law Journal © 2023 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited.

* Christopher Sicuranza is a partner and head of the banking, insurance and capital markets practice at Guidehouse, a leading global provider of consulting services to the public sector and commercial markets, with broad capabilities in management, technology and risk consulting.