by Margaret W. Meyers, Rachel S. Mechanic, Daniel C. Zinman, David B. Massey, and Shari A. Brandt
With increasing frequency, securities and commodities regulators are focusing on employees’ use of personal mobile devices for business-related communications via applications that are not approved by employers or captured by employers’ archival systems. For good reason, regulators believe that many employees are less guarded when texting outside of their surveilled work platforms, particularly among workplace friends and colleagues at other firms, and that some employees may even be doing so to further questionable conduct and evade detection. Regulators and prosecutors brought waves of cases against financial firms based on messages gathered from persistent multiparty Bloomberg chat rooms, so much so that some big banks shut them down in late 2013. Text messages on unapproved mobile platforms may well serve as the next goldmine for enforcement staff and prosecutors.
Just two months ago, the Commodity Futures Trading Commission (CFTC) sued a swaps trader for, among other things, alleged false statements relating to his use and retention of unapproved messaging applications. See CFTC v. Gorman, No. 21-cv-870 (S.D.N.Y. Feb. 2, 2021). The CFTC claims that the trader used unapproved messaging applications on his personal device to further his alleged manipulative scheme and avoid detection. The CFTC further alleges that after it sent the trader a demand letter seeking preservation of the communications on his personal device, he deleted some of them, encouraged others to do the same, and then lied to the CFTC about his compliance with its preservation demand.
For its part, the Securities and Exchange Commission (SEC) recently censured and fined a financial institution for failing to preserve and produce to the staff business-related text messages that the firm’s registered representatives—including senior managers and compliance personnel—sent on unapproved devices that were not saved on the firm’s system. See In re JonesTrading Institutional Services, SEC Release No. 89975 (Sept. 23, 2020).
Text message conversations among workplace friends concerning personal matters can veer easily into business-related communications, and the employees engaging in them may believe in good faith that these communications are inconsequential or primarily personal. While the vast majority of financial institutions have clear policies prohibiting the use of unapproved messaging applications for business communications, these policies are often honored in the breach, as many employees—and even supervisors—routinely violate them. Most of these employees presumably find texting more convenient. Trading floor bans on the use of cellphones have had no application to traders working from home during the pandemic. Making matters worse, some firms’ clients or counterparties insist on communicating over unapproved messaging applications, sometimes even to complete large trades. Some employees of financial firms have been pushed to use their personal devices to communicate with their clients as a result of their firms’ disabling of standard text messaging on work-issued mobile devices.
As we discuss in this two-part post, employers should take heed of their employees’ conduct and the recent uptick in regulatory focus, and make sure their written policies concerning the use of unapproved messaging applications for business purposes are up-to-date, consistent with industry standards, and communicated clearly and often to their employees, including through live training. The policies should have teeth—when they are violated, employers should respond quickly and firmly. In addition, firms should take affirmative and proactive measures to identify this conduct, including by searching for key terms in communications on their systems that may suggest employees are using unapproved messaging applications to discuss firm business, broadly defined. Given the rapid growth of mobile text messaging and regulators’ increasing focus on it, failure to take these steps could put the companies and their employees at risk for books and records violations, supervision failures, and much more.
The Regulatory Risks of Unapproved Messaging Applications
Employees’ use of personal devices and unapproved messaging applications for business-related communications poses significant risks and challenges to employees and their employers alike. Registered financial services firms have books and records obligations, and all employers have record preservation obligations when faced with an investigation or litigation. Employers do not have any ability to audit or surveil employees’ personal devices, yet they are expected to take steps to collect responsive and relevant materials in response to investigations and litigations, and they will be held to a higher standard if they are on notice that employees are likely using their personal devices for business. At the same time, employees might proceed under a false sense of security if they believe that their personal devices are safe from regulator and employer scrutiny. Moreover, as regulators appear to be focused on the conduct at issue–and we expect that more will follow suit–financial firms and businesses of all stripes would be well-advised to take note of the recent focus in this area and ensure that they have proper policies and practices in place to mitigate their risk.
Books and Records Violations
Financial institutions are subject to strict recordkeeping rules and regulations requiring that they maintain a vast array of business-related communications for varying degrees of length. See, e.g., 17 C.F.R. § 240.17a-4; FINRA Rule 4511; 7 U.S.C. § 6s(f)(1)(C) (2018); 17 C.F.R. § 275.204-2. A registered firm may find itself the subject of an enforcement action for failing to retain—and/or promptly produce to regulators—business-related communications conducted on its employees’ personal devices, even though the firm prohibits such communications.
For example, in 2020, the SEC charged JonesTrading Institutional Services, LLC (“JonesTrading”) with failing to maintain copies of business-related text communications that were sent and received in violation of company policy on its employees’ personal devices. See In re JonesTrading Institutional Services, SEC Release No. 89975 (Sept. 23, 2020). Although JonesTrading prohibited this conduct and required its employees both to attend trainings and to submit annual attestations confirming their compliance with the relevant policies, the SEC nevertheless found that the company violated its recordkeeping obligations by failing to preserve the text messages. Significantly, and perhaps integral to its decision to charge the firm, the SEC also found that senior management, including compliance personnel, were aware of the conduct and, in fact, engaged in it themselves (PDF: 144 KB).
For their part, the individual employees who communicate about business-related matters on unapproved devices may also be subject to liability and employment risk for causing their firm to fail to preserve required books and records, including electronic communications. Late last year, headlines were made when one large bank fired two commodities trading supervisors for using unauthorized messaging applications even though the bank’s internal investigation did not find any other wrongdoing by the traders. In a separate case, another large bank fired a trader and reduced bonuses for a trading team for similar unauthorized messaging conduct.
And in yet another case, the Financial Industry Regulatory Authority (FINRA) imposed liability on a broker who exchanged hundreds of text messages with three firm customers “to conduct securities-related business.” See Letter of Acceptance, Waiver and Consent, In re Paul A. Falcon, FINRA No. 2018059746001 (Feb. 24, 2020) (PDF: 253 KB). As a result of the broker’s conduct, his firm was “not able to capture the communications [he] sent and received” and thus could not maintain and preserve them pursuant to its recordkeeping obligations. Moreover, the broker’s conduct was in violation of the firm’s policies providing that electronic business communications may only be accessed and transmitted through firm-sponsored systems, as well as those providing that employees may only use firm-issued mobile devices for business-related communications. FINRA found that the broker violated FINRA Rule 4511 by causing his member firm to fail to “preserve books and records,” as well as FINRA Rule 2010, which requires that members “observe high standards of commercial honor and just and equitable principles of trade.” These violations led to a 30-day suspension and a $5,000 fine for the broker.
Failure to Supervise
FINRA member firms are also required to establish and maintain systems and procedures to supervise their employees that are reasonably designed to ensure compliance with applicable securities laws, regulations, and rules, including supervisory procedures for the “review of incoming and outgoing written (including electronic) correspondence and internal communications relating to the member’s investment banking or securities business.” FINRA Rule 3110(b)(4). Further, FINRA Rule 2110 governs financial institutions’ communications with the public and requires, among other things, that all communications be based on principles of fair dealing and good faith, be fair and balanced, provide a sound basis for evaluating the facts “in regard to any particular security or type of security, industry, or service,” and include all “material fact[s] or qualification[s]” necessary to ensure that such communications are not misleading.
Whether a given communication is business-related may not always be clear-cut. The findings by the SEC against JonesTrading suggest that regulators will define “business-related” broadly. In that order, in addition to text messages that were clearly trading related (e.g., relating to size of orders and timing of trades), the SEC found that the following types of messages should also have been preserved: discussions about product offerings; updates on markets and certain securities prices; and the timing of certain administrative filings with the SEC. Guidance issued by FINRA states that “[w]hether a communication is related to the business of the firm depends upon the facts and circumstances.” FINRA Reg. Notice 11-39 (Guidance on Social Networking Websites and Business Communications). Whereas discussions concerning the firm’s products or services would clearly be business-related, discussions about sponsorship of a charitable event or a human-interest article may not be. FINRA Reg. Notice 17-18 (Guidance on Social Networking Websites and Business Communications).
Although all U.S.-registered financial services firms have written supervisory procedures to regularly monitor and review their employees’ electronic communications conducted on the firm’s systems and platforms, some firms may not have systems in place that are designed to identify business-related communications that are conducted on unapproved devices or applications. A firm’s failure to monitor for such communications and ensure that they comply with the relevant rules and regulations governing outgoing and internal communications may subject the firm to potential enforcement actions for, among other things, failure to supervise and violation of FINRA’s communications content standards. Indeed, in FINRA’s February 1, 2021 Report on FINRA’s Examination and Risk Monitoring Program, it found that numerous member firms had failed to maintain policies and procedures aimed at “reasonably identify[ing] and respond[ing] to red flags—such as customer complaints, representatives’ email, OBA [outside business activity] reviews or advertising reviews—that registered representatives used impermissible business-related digital communications methods.”
Margaret W. Meyers, Daniel C. Zinman, David B. Massey, and Shari A. Brandt are partners, and Rachel S. Mechanic is counsel, at Perkins Coie LLP.
Disclaimer
The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.