In the last few weeks, several major U.S. financial institutions have disclosed to investors that the United States Securities and Exchange Commission (“SEC”) and/or the Commodities Future Trading Commission (“CFTC”) are investigating the institutions’ employees’ alleged use of unapproved messaging methods, including personal texts and emails, to conduct official business.
In late February, Goldman Sachs advised investors that it was cooperating with an SEC probe over “business communications sent over electronic messaging channels.” In its annual report several days later, Citigroup, Inc. disclosed that Citigroup Global Markets, Inc., the bank’s securities arm, is “cooperating” while the SEC investigates its employees’ “compliance with record-keeping obligations for broker-dealers” in connection with “business-related communications sent over unapproved messaging channels.” And finally, HSBC Holdings, PLC warned in its annual report that the CFTC is investigating its employees’ use of “non-HSBC approved messaging platforms for business communications.”
These three disclosures come nearly three months after the SEC and CFTC fined JP Morgan Chase & Co. nearly $200 million for recordkeeping violations that stemmed from “widespread” employee use of personal text messages and email that were not preserved- violating federal regulatory recordkeeping requirements for securities broker-dealers. In the case of JP Morgan & Chase, “widespread” meant that over 100 employees, at all levels of the company, sent tens of thousands of text and WhatsApp messages, and personal email, from January 2018 through November 2020. The SEC alleged that the lack of adequate recordkeeping hampered several SEC investigations.
Federal financial institutions regulators such as the SEC have long required securities broker-dealers to not only closely monitor their employees’ business communications, but to retain them. Financial institutions have found monitoring and preservation to be increasingly more difficult with the proliferation of personal email and text messaging services. The COVID-19 pandemic and Work from Home policies further complicated institutions’ oversight of their employees’ activities. Regulated entitles have responded to what is perceived to be an SEC crackdown on personal communications by monitoring employees’ messaging apps, or asking employees for access to their personal devices for the sake of recordkeeping.
Email and text messaging are here to stay. While the SEC’s and CFTC’s probes pertain to financial institutions with mandatory recordkeeping requirements, the investigations should serve as a reminder to all employers to be aware of how employees are using, transmitting or receiving data. From a data privacy, security, and even e-discovery perspective, employers should discourage their employees—in any industry—from using their personal devices, email, and messaging accounts to conduct work. When there may be uncertainty as to the optimal policies and procedures required to help avert legal exposure, companies should consult competent counsel.