On September 27, 2022, regulators from the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) handed out over $1.8 billion in fines to financial institutions in connection with violations of electronic communications storage rules. The SEC targeted 16 institutions for a total of $1.1 billion,1 while the CFTC also targeted many of the same institutions for a total of $710 million in penalties.2

The firms, many of which are top-tier global investment banking and financial institutions, were charged with violating record-keeping and books-and-records laws under the Securities and Exchange Act of 1934 (Exchange Act) and the Investment Advisers Act of 1940 (Advisers Act).  

The regulators uncovered “pervasive off-channel communications” on the part of junior and senior employees alike. Investigators discovered that employees regularly used text-messaging applications on their phones to communicate about business matters. Investigators also found that the firms failed to preserve a vast majority of these communications, as required by law. The SEC noted that the failure to preserve the communications likely deprived the SEC of information it would have used in various investigations. 

SEC Chairman Gary Gensler said in the press release announcing the charges that as “technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.” Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said that broker-dealers and asset managers “would be well-served to self-report and self-remediate any deficiencies.”

The hefty price tag on the fines underscores a shift in the SEC’s approach under the Biden administration. Under agreements with the SEC and CFTC, some institutions, including Bank of America, Barclays, and Goldman Sachs, will pay $200 million or more–an amount that was previously seen as warranted only in cases of fraud or where investors were harmed. Under the Biden administration’s changing approach, the SEC has levied higher fines to punish wrongdoing and deter future misconduct. The SEC is now expected to turn its attention to targeting record-keeping violations by hedge-fund managers. 

This recent slate of fines is in line with the fines the SEC and the CFTC levied on JPMorgan Chase in December 2021. The SEC fined JPMorgan $125 million for allowing its employees to use WhatsApp and other unauthorized apps on their personal devices to discuss business matters. JPMorgan also agreed in a settlement to implement robust procedures to ensure compliance with record-keeping laws. The CFTC fined JPMorgan $75 million in a parallel investigation.3

The announcement of the fines also comes after the SEC’s Office of Compliance Inspections and Examinations (OCIE), now the Division of Examinations, released extended guidance on the issue of record-keeping and electronic messaging in a 2018 Risk Alert.4 The Alert, which addressed the increasing use of electronic messaging applications for business communication by investment advisers, reminded advisers of their obligations under the Advisers Act. Advisers should be keenly aware of and ensure compliance with the Advisers Act, including:

  • Rule 204-2 (Books and Records Rule), which mandates that advisers make and keep records of all written communications on a wide array of enumerated topics, and specifically includes Rule 204-2(a)(7), which requires advisers to keep records of advice given as well as other communications involving securities.
  • Rule 206(4)-7 (Compliance Rule), which requires advisers to implement written policies and procedures to ensure compliance with the Advisers Act.

The OCIE Risk Alert lists several ways for investment advisers to avoid the communication retention issues that led to the $1.8 billion fines recently announced. Among other things, the Alert recommends: 

  • Only permitting electronic communications for business purposes that can comply with books and records requirements. 
  • Prohibiting technologies that allow users to send messages anonymously or to automatically destroy messages.
  • Implementing procedures to move any messages that an employee receives on a prohibited channel to a system that complies with the Advisers Act.
  • Notifying employees that violations of communication retention policies can result in discipline or dismissal.
  • Providing regular reminders to employees about what is permitted in terms of electronic messaging.

Similarly, broker-dealers have extensive record-keeping requirements under Section 17 of the Exchange Act and several related rules thereunder, including Rule 17a-4, which requires broker-dealers to retain originals of all communications received and copies of all communications sent by the broker-dealer relating to its business.

It would be prudent for broker-dealers and asset managers to evaluate their record-keeping practices to ensure compliance with the Exchange Act, Advisers Act, and any other laws that apply to them. Firms should continuously train their employees on the current record-keeping requirements and acceptable means of communication for business purposes and consider adding the topic to existing end-of-year training sessions. In addition, broker-dealers and advisers may also consider having their chief compliance officers circulate memoranda outlining acceptable means of communication as memorialized in applicable compliance policies and procedures. With this release, regulators have sent a strong message that violations of books-and-records laws will be met with significant penalties. 

For more information on how firms can protect themselves and comply with record-keeping requirements, please reach out to the authors–Scott Moss, partner in Lowenstein Sandler’s Investment Management Group and Chair of the firm’s Fund Regulatory & Compliance Group; Robert Johnston, partner in the firm’s White Collar Defense Group; and Arik Hirschfeld, counsel in the firm’s Investment Management Group and Fund Regulatory & Compliance Group–or directly to your regular Lowenstein Sandler contact. 

1 The full SEC press release can be found here
2 The full CFTC press release can be found here
3 Further information about the JPMorgan matter can be found here
4 The full text of the SEC OCIE Alert can be found here. Further discussion of the SEC OCIE Alert can be found here.