According to a recent press release from the Securities and Exchange Commission (SEC), sixteen Wall Street firms were fined for widespread and longstanding failures by the organizations and their employees to maintain and preserve electronic communications.
In the years spanning 2018 to 2021, the firms’ employees routinely communicated about business matters using text messaging applications on their personal devices. The firms did not maintain or preserve the majority of these off-channel communications, violating federal securities laws.
Furthermore, the Commodity Futures Trading Commission (CFTC) found that traders were regularly using encrypted messaging apps like WhatsApp or ephemeral messaging apps like Signal, and then deleting communications “to avoid creating records and evade regulatory and bank oversight.”
Both agencies simultaneously brought cases against the firms, to send “a strong message to all that we regulate that we will not tolerate efforts to evade our regulatory oversight.” To drive that point home, $1.8 billion in fines were levied against companies out of compliance with the preservation of communications channels.
Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said, “Today’s actions – both in terms of the firms involved and the size of the penalties ordered – underscore the importance of recordkeeping requirements: they’re sacrosanct. If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened.”
Compliance Takeaways
This ruling brings up three interesting points from a compliance perspective.
- New data sources are continually arriving on the scene, which means they are often adopted before regulators may even be aware of them. This holds true not only for messaging apps but also for other SaaS applications where communications are used for business purposes. However, just because these new data sources may not be on the radar of regulatory agencies doesn’t mean the agencies won’t eventually become aware of them, and as these recent fines show, there will be a price for preservation noncompliance.
- In this case, the executives were aware of, and even encouraged, the use of these off-channel apps. However, with the workforce becoming more mobile and dispersed, the chances that employees are using unauthorized applications and devices without their company’s knowledge – also known as Shadow IT – are high. So it’s important for organizations to continually conduct data inventories and update their data maps, so nothing falls through the cracks regarding compliance archiving.
- These rulings, along with other recent court rulings regarding the preservation of electronic evidence for litigation, show that the use of encrypted and ephemeral messaging apps is seen as a bad-faith action when used for business purposes because the whole purpose of these applications is to avoid data preservation. However, this doesn’t mean that convenient communications between team members have to be forgone and enterprise messaging has to return to email. There are many accepted communication and collaboration applications – such as Slack and MS Teams – that are easily preserved for compliance and litigation. There are also technology solutions that can properly archive a vast array of collaboration and SaaS applications that may be in use by your employees.
As the SEC said, recordkeeping requirements are sacrosanct. And the fines levied here make one thing clear to businesses operating in regulated industries: all communications (and other digital content depending on the regulating body) must be preserved in a manner that is compliant with the law. This is why archiving your enterprise data in an immutable, searchable, and secure way is of the utmost importance if your company is to avoid steep fines.