As featured in The Lawyer
In the past decade, we have witnessed exponential growth in the use of messaging apps such as WhatsApp, Signal and WeChat. As we have seen with text messaging, ease of use and familiarity slowly translate into increased adoption within business over time. The pandemic and work-from-home era accelerated this proliferation, as virtual communications became the norm and the lines between personal and business time further blurred. These so-called off-channel communications—used by employees through work or personal devices—carry encryption and ephemeral (self-deleting) features that make corporate tracking of the messages prohibitive and complex. Both the uptick in use and the restricted access to these business communications have stymied government investigations over the past five years, leading to a new wave of enforcement inquiries and actions in the US and in the UK.
What started as a US regulatory imperative for the financial services industry is a cautionary tale for all other sectors. Regulators – and more recently stockholders too – are making it clear to management that the financial and reputational penalties for failing to comply with record retention requirements will become too heavy to write off as a mere cost of doing business. Corporations of all sizes are now expected to evaluate employees' use of off-channel communications and take action—tailoring their policies and technology to account for this risk.
Intensifying regulatory and legal pressure
The US Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) have long required financial institutions to retain documentation of all business communications as part of federal securities recordkeeping requirements. The admission of wrongdoing by some of the world’s largest banking institutions is indicative of the extent to which broker-dealers and registered investment advisers have been failing in this responsibility, resulting in penalties of $2.7 billion imposed by the SEC and CFTC between December 2021 and September 2023. The latest announcement on September 29 included settlements with ten broker-dealers and investment advisers, of which the SEC highlighted one that benefited from self-reporting, and two credit rating agencies.
As a pre-emptive strike to influence future behaviour, the US Department of Justice (DOJ) has formally incorporated off-channel communications policies into the Department’s Evaluation of Corporate Compliance Programs. This inclusion, reinforced by recent DOJ speeches, clearly extends the compliance expectations beyond US financial institutions to the wider US corporate community.
Repercussions are also entering the legal sphere. A year after Bank of America’s $225 million fine was announced, the bank faces further consequences in the form of a lawsuit filed by stockholders seeking unspecified damages and a court order for the bank to “take all necessary action” to improve its compliance and corporate governance. Robert Weiss v. Bank of America Corp. asserts that although the bank had received multiple prior warnings from regulators regarding its compliance issues, it maintained an established “longstanding practice” of off-channel communications.
In parallel, encrypted messaging-related enforcement is gaining traction in the UK. In August 2023, the Office of Gas and Electricity Markets (Ofgem), the UK energy regulator, reached a £5.4 million settlement with Morgan Stanley & Co. International for its traders’ use of WhatsApp to discuss energy trades, in breach of the recordkeeping requirements. This follows the UK Prudential Regulation Authority (PRA) censure of a bank in April 2023 regarding the use of messaging on both firm-issued and personal devices, and an October 2022 inquiry by the Financial Conduct Authority (FCA) into banks’ use of WhatsApp on personal devices for trading. While the settlements and fines for recordkeeping failures have yet to match the US, the activity thus far clearly suggests this is an area of focus and more will follow in the UK.
No technological silver bullet
Technology plays a crucial role in recordkeeping, preservation and data management. However, for that technology to be effective, companies must first establish the extent to which off-channel communications are in use and then design and implement a policy to avoid reactively assembling the puzzle pieces later.
There are solutions that make it easier for firms to retrieve and review data when necessary, by automatically capturing, archiving, and indexing communications from multiple channels. This archiving is crucial, but simply storing the data is insufficient. Companies need to actively harness this data to mitigate risks. This should be done with tools that monitor communications based on user-defined rules and/or leverage machine learning algorithms that flag potential compliance risks in real time.
Currently, the market has yet to produce a technological silver bullet that satisfies all data archiving, indexing and monitoring needs, but this space is quickly evolving. In practice, a handful of technology solutions are leveraged for different purposes. Companies must diligently track developments in both the new forms of ephemeral communication apps and the data management technology solutions to stay ahead of the curve.
Technology alone cannot cover all risk exposure. Certain communication apps are expressly built to evade data retention. Chat programs such as Signal market themselves on privacy and strong ephemeral features, although there are some solutions that can capture these ephemeral messages. Additionally, the use of personal devices or unapproved business applications by employees further exacerbates data retention and collection challenges, and raises data privacy and security issues.
Companies must employ a holistic and dynamic approach to compliance to mitigate this complex risk, including clear policies and training. With this foundation, firms can seek the best suite of technological solutions and apply them with purpose.
Five focus areas for off-channel communications compliance
The recent SEC civil enforcement recordkeeping settlements are highly informative on how to structure and sustain a compliance program which will stand up to external scrutiny. The guidance is generally organized into five key elements.
- Review communications policies and procedures: Setting clear policies is of the utmost importance and the foundation of any compliance program. This includes establishing ownership of the program (and policies) along with establishing a cross-functional governance group that includes IT/information security and legal. Consider polling your employees on the apps they use for business purposes before unilaterally setting a defined list and policy. Policy must also address whether to prohibit bring your own device (BYOD), noting that the technology and privacy complexities here are the most difficult to overcome. Lastly, due to the pace of technological change, specifically new apps hitting the market and new technology solutions to mitigate risk, firms must perform regular and frequent reviews of the program and adopt the latest market developments.
- Enhance training and awareness efforts: Regulators assess a company’s effectiveness at building employees’ understanding of the importance of using approved communication channels and the consequences of non-compliance. Regular updates and refresher courses are critical to maintain awareness of changes in regulations or company policies. Firms should consider reinforcing the training and program requirements periodically, checking that employees have not used unapproved apps or personal devices for business use.
- Monitor and audit preservation and archiving: To ensure archived data continues to align with regulatory requirements, firms should audit regularly to check for completeness, accuracy, and retrievability. Firms should also implement robust security measures to protect the archived data from unauthorized access, tampering, or loss. This may include encrypting the data, implementing access controls, and regularly backing up the data. If a firm is considering a third-party vendor for communication data retention, it is essential to conduct thorough due diligence to ensure the vendor meets all regulatory requirements and has strong security measures in place.
- Surveillance and monitoring of communications: The fundamental premise of the recordkeeping requirement is that companies are capable of actively monitoring all business communications, including those occurring through approved electronic methods and off-channel means such as personal devices. Leveraging technology such as machine learning tools for monitoring can be invaluable and highly cost-beneficial, flagging potential risks in real time for additional review and potentially saving firms from considerable risk. Any adoption of technology-enabled monitoring will require continuous updating of the models or algorithms to capture the latest intelligence and advancements.
- Strengthen prevention and detection measures: To demonstrate to regulators and stakeholders that a company is fulfilling its responsibilities, firms must document the discrepancies and non-compliance identified through surveillance and monitoring – whether in the systems, technology, or employee behaviour – and show they are addressed promptly.
Financial institutions, being subject to the federal securities recordkeeping requirements, without question face increased risk from the use of off-channel communications. Regardless of industry, it is now abundantly clear that all companies need to deploy a thoughtful and risk-based approach to keep up with US regulatory and enforcement expectations. Expect more to come from the UK in terms of off-channel communication settlements and guidance in the short term. In the longer term, it would be unsurprising if other countries followed a similar enforcement path. Compliance officers would be wise to take notice and action to keep out of the regulatory crosshairs.
A shorter version of this article was also featured in The Banker.