On December 17, 2021, the Securities and Exchange Commission issued an Order against J.P. Morgan Securities LLC, fining it $125 million for the unapproved use of WhatsApp, text message and personal email communications by JPMorgan employees. See SEC Order Instituting Administrative and Cease-and-Desist Proceedings, Pursuant to Sections 15(b) and 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing Remedial Sanctions and a Cease-and-Desist Order, Release No. 93807, December 17, 2021 (the “SEC Order”). Concurrently, the Commodity Futures Trading Commission also issued an Order against JPMorgan and its affiliates, fining them an additional $75 million for their conduct. See CFTC Order Instituting Proceedings Pursuant to Section 6(c) and (d) of The Commodity Exchange Act, Making Findings, and Imposing Remedial Sanctions, CFTC Docket No. 22-07, December 17, 2021 (the “CFTC Order”). According to the SEC Order, JPMorgan “failed to implement sufficient monitoring to assure that its recordkeeping and communications policies were being followed. Even after the firm became aware of significant violations, the widespread recordkeeping failures and supervisory lapses continued with a significant number of JPMorgan employees failing to follow basic recordkeeping requirements.” The SEC and CFTC ultimately found that JPMorgan violated various recordkeeping requirements and supervision requirements set forth in the Exchange Act of 1934 (the “Exchange Act”).
JPMorgan’s headline-making $200 million fine is the result of regulators’ increasingly aggressive attitude towards the oftentimes lax implementation of broker-dealers’ recordkeeping and supervisory policies and procedures in the rapidly evolving landscape of electronic communications. In October 2021, the SEC’s new Director of Enforcement, Gurbir Grewal, spoke to industry participants and noted that the SEC “continue[s] to see in multiple investigations instances where one party or firm that used off-channel communications has preserved and produced them, while the other has not. Not only do these failures delay and obstruct investigations, they raise broader accountability, integrity and spoliation issues.” Mr. Grewal reminded firms that they “need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps.” Days later, Reuters reported that the SEC had opened a “broad inquiry into how Wall Street banks are keeping track of employees’ digital communications.” See Chris Prentice and Jody Godoy, U.S. SEC Opens Inquiry Into Wall Street Banks’ Staff Communications, Reuters, October 12, 2021, https://www.reuters.com/legal/litigation/exclusive-us-sec-opens-inquiry-into-wall-street-banks-staff-communications-2021-10-12/.
Federal securities laws have long required broker-dealers to implement recordkeeping policies and procedures relating to electronic communications, as well as supervisory policies and procedures to ensure compliance. In addition to federal securities laws, FINRA also mandates certain recordkeeping and supervision requirements relating to electronic communications. See FINRA Rules 2210(4)(A) and (B); see also FINRA Rule 3110(4). Historically, broker-dealers have implemented these policies and procedures for email, text messages and older messaging platforms such as Bloomberg and Intercontinental Exchange by providing employees with firm-issued electronic devices that facilitate viewing and monitoring of these electronic communications. Some firms have also allowed employees to use their own electronic devices but required installation of Mobile Device Management (“MDM”) software that allows the firms to view and monitor these communications.
In recent years, electronic communication technology has evolved beyond traditional communication platforms to include social media and so-called “ephemeral” messaging apps like WhatsApp and WeChat, end-to-end encrypted messaging services that prevent message retention and allow only the sender and recipient to view messages. Monitoring these newer “ephemeral” messaging apps has proven difficult given their imperviousness to MDM software and lack of message retention. Despite users’ ability to opt into message retention on certain apps, FINRA has taken the position that “[t]echnology that automatically erases or deletes the content of an electronic communication would preclude the ability of the firm to retain the communications in compliance with their obligations under SEA Rule 17a-4. Accordingly, firms and associated persons may not sponsor such sites or use such devices.” See FINRA Regulatory Notice 11-39, at A3. The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has taken a similar position. In a December 2018 Risk Alert, the OCIE identified the best practice of “[s]pecifically prohibiting business use of apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up.” See Observations from Investment Adviser Examinations Relating to Electronic Messaging, SEC Office of Compliance Inspections and Examinations, December 14, 2018.
Covid-19 has further complicated compliance with regulatory obligations as people flock to video platforms such as Zoom, which allow for screen sharing and instant messaging. In examining the industry’s response to Covid-19, FINRA has noted that some firms “acknowledged the additional risks of remote work environments and took extra measures to reinforce that associated persons must use only firm-provided and approved communication systems and tools, such as firm email, messaging platforms and softphones with recording capabilities.” See FINRA Regulatory Notice 20-16. Other firms implemented additional policies to account for the risks associated with remote work environments, such as increased monitoring of email communications, keyword surveillance, requirements that employees use only recorded lines when making phone calls, and disabling of chat functions on platforms where the firms could not comply with recordkeeping obligations. Id.
As Mr. Grewal cautioned in his October 2021 speech, “if regulators are particularly focused on issues ‘X’ or ‘Y’ in a given area, that means you or your clients [should not] push the envelope on issue ‘Z’ – or the grey areas around X or Y. That approach is a surefire way to foster misconduct and, potentially, lead to an enforcement action.” Certainly, the $200 million fines levied against JPMorgan serve as a warning to all broker-dealers that their recordkeeping and supervisory policies and procedures should reflect current electronic communication technology and encourage employees not to “push the envelope” or operate in “grey areas” when it comes to such communications, but rather favor a conservative approach to what is otherwise radically evolving technology.
Winget, Spadafora & Schwartzberg, LLP is closely monitoring these developments. If you would like compliance guidance, please do not hesitate to contact Michael Schwartzberg, Chair of the WSS Securities Litigation Practice Group, or his associate, Steven Davis, who assisted in the preparation of this article.