Credit: fizkes/OPOLJA/Shutterstock

The COVID-19 pandemic has permanently altered the way people engage and relate to one another across both personal and professional settings. In the workplace, the changes have resulted in a more casual work environment, with people working from their home offices instead of office buildings, replacing their work attire for jeans and a golf shirt and occasionally using unsanctioned devices to conduct business. Luckily, due to advancements in technology, most industries were able to pivot to this "new normal" with relative ease, relying on email, video conferencing, instant messaging platforms and newer applications such as WhatsApp to stay in front of clients and conduct business. And while this change has been a lifeline for a lot of companies, it has created enormous problems for highly regulated industries, such as financial services, which are required to track and retain substantive written business communications, including electronic communications, to clients and among colleagues in order to protect investors and avoid market manipulation.

Under the watchful eye of Chair Gary Gensler, the U.S. Securities and Exchange Commission has taken notice of mistakes made by large financial institutions, such as Goldman Sachs, HSBC Holdings Plc and JP Morgan Securities LLC (JPMS), a broker-dealer subsidiary of JPMorgan Chase & Co., in the way they inadequately collected and retained electronic communications among their employees, which resulted in several ongoing investigations and even a historically steep fine. The agency's actions against these firms were on top of the previous probes from late last year of other well-known financial entities, such as Bank of America Corp., Citigroup Inc., Morgan Stanley and Credit Suisse Group AG, illustrating the seriousness with which Gensler intends to pursue this type of misconduct.

This does not bode well for unprepared investment advisers and broker dealers, given that Gensler noted that other investigations of this scope and magnitude are already underway, signaling that enforcement actions will likely be on the rise in 2022 and beyond. Therefore, firms of all types and sizes should be taking a hard look at their electronic record preservation systems, reporting abilities and related policies and procedures across the entire organization to ensure that they are compliant.

To help firms gain a better understanding of the current requirements, below is an overview of the books and records regulations governing electronic communications, some insight on the recent investigations and enforcement actions taken by the SEC, as well as recordkeeping best practices that can help firms stay out of the crosshairs of regulators.

Navigating the Current Recordkeeping Compliance Ecosystem

"Since the 1930s, record-keeping and books-and-records obligations have been an essential part of market integrity and a foundational component of the SEC's ability to be an effective cop on the beat," remarked Gensler in a statement from the SEC following the announcement of charges against JPMS. Here, he is of course referring to the books and records rules (Rule 17a-3 and Rule 17a-4) under Section 17(a)(1) of the Securities and Exchange Act of 1934, which "specif[ies] minimum requirements with respect to the records that broker-dealers must make, how long those records and other documents relating to a broker-dealer's business must be kept and in what format they may be kept. The SEC requires that broker-dealers create and maintain certain records so that, among other things, the SEC, self-regulatory organizations ('SROs') and state securities regulators may conduct effective examinations of broker-dealers."

He has made clear in various testimonies before Congress, and in news releases/statements from the SEC, that he intends to crackdown on Wall Street banks and firms with a "fierce urgency of now" as illustrated by the ambitious agenda he has unveiled since taking the helm under the Biden administration. Chief among Gensler's primary concerns right now is recordkeeping probes and enforcement actions. Nothing drives this point home more than the latest measures taken by the SEC.

Most recently, for instance, Goldman Sachs announced in its annual report on Feb. 25, 2022, that it was cooperating with the SEC and "producing documents in connection with an investigation of the firm's compliance with records and preservation requirements relating to business communications sent over electronic messaging channels that have not been approved by the firm." Just a few days before this news was released, HSBC Holdings Plc announced on Feb. 22, 2022, that "it was being investigated in the U.S. for its bankers' use of WhatsApp and other personal messaging services for business purposes."

Both of these investigations follow the news from December 2021 about the fines issued against JPMS by the SEC and the Commodity Futures Trading Commission, to the tune of $200 million, for "widespread and longstanding failures by the firm and its employees to maintain and preserve written communications" on mobile devices, messaging apps and personal emails. According to one report of the matter, JPMS' "unofficial communications involved the exchange of tens of thousands of messages among more than 100 employees using personal text, email and WhatsApp accounts. The communications involved the breadth of the broker's business, from trading to investment banking."

In addition to the fine, which is the largest recorded to date of this kind, JPMS agreed to hire a compliance consultant to conduct an audit of their processes and employee training mandates in order to help them implement "robust improvements to its compliance policies and procedures to settle the matter."

Commenting on this case, Gensler stated "[a]s technology changes, it's even more important that registrants ensure that their communications are appropriately recorded and are not conducted outside of official channels in order to avoid market oversight. Unfortunately, in the past we've seen violations in the financial markets that were committed using unofficial communications channels, such as the foreign exchange scandal of 2013. Books-and-records obligations help the SEC conduct its important examinations and enforcement work. They build trust in our system. Ultimately, everybody should play by the same rules, and today's charges signal that we will continue to hold market participants accountable for violating our time-tested recordkeeping requirements."

Gensler also noted that this will not be the last investigation that the SEC undertakes during its sharpened interest in the inspection of communications practices at all financial services companies. In fact, the SEC explicitly states that "as a result of the findings in this investigation, the SEC has commenced additional investigations of record preservation practices at financial firms."

These enforcement actions are a telltale sign for broker-dealers that they need to get their books and records programs in order or face the consequences from the SEC, but what does this mean for investment advisers specifically? Through the SEC's actions against bulge bracket firms such as Goldman Sachs, HSBC and JPMS, there will surely be similar scrutiny applied against smaller broker-dealers, which will inevitably have the same impact on investment advisers when undergoing regulatory examination. And per the Investment Advisers Act of 1940, which stipulates what qualifies as investment advice and who can dispense it, when investment advisers are inspected by the SEC, investment adviser firms may not only be asked to provide proof of retaining all written substantive business communications, but also how these communications support investment decisions made by the adviser. Therefore, this enforcement activity is a warning to investment advisers of what could be coming down the pike for them from regulators if they don't act now in ensuring their recordkeeping practices are tightened up.

Incomplete Recordkeeping Will Not Go Unnoticed—Tips for Staying Compliant

The global pandemic has created undue complexities when it comes to maintaining accurate communication retention practices, which happens to be occurring at the same time that proper recordkeeping practices remain a top priority for regulators, making the issue of record preservation and retention even more challenging right now. The reality is, whether it's with respect to communications with international clients or investors, or with investment and trading platforms, firms are now realizing that such third parties prefer, or even require, the use of nontraditional communication channels to conduct business rather than through email and IMs.

Given the SEC's razor-like focus on proper recordkeeping practices, it is readily apparent that any misstep could be detrimental to investment advisers and broker-dealers that do not exercise caution. Firms of all types and sizes need to take a hard look at their electronic record preservation systems, reporting abilities and related policies and procedures across the entire organization to ensure that they are compliant.

To help firms prepare and mitigate potential risks, below are some tips to consider when it comes to building an effective and successful electronic communications record and retention compliance policy:

  1. Make sure there is an inventory of all forms of electronic communications the firm is using. The firm's compliance department should be aware of any and all forms of electronic communications the firm's personnel are using; eliminate those platforms that cannot be archived or are only used by a select few.

  2. Capture all electronic communications, no matter what platform you are using. Utilize traditional electronic communications archiving solutions such as Global Relay and Smarsh to its fullest extent to capture not only the firm's email, but also WhatsApp, Telegram and other nontraditional communications channels.

  3. Consider upgrading your archiving solutions. Supplement the above traditional archiving solutions with new archiving solutions that have the ability to capture platforms they are missing, such as TeleMessage, to archive Telegram messages. For example, in the JPMS matter, the firm "installed the call-recording app Movius on their work phones, and employees also must regularly attest they will not use messaging apps for work material."

  4. Take the guesswork out of recording communications. To ensure all electronic communications are recorded appropriately, initiate the use of firm-issued devices and firm-specific accounts on the nontraditional communication apps (e.g., firm-issued cellphone with firm-issued WhatsApp account) or implement a new policy that gives you the ability to keep track of employees' personal devices. For example, in December 2021, Credit Suisse asked its employees to allow it to monitor their personal devices since it does not provide work-issued mobile phones in an effort to tighten its rules around electronic communication record preservation.

  5. Establish firmwide communication protocols and circulate to employees. Require all substantive business communication be limited to firm-issued email and IMs. Furthermore, develop protocols and conduct regular training on these protocols for employees in order to ensure that proper recordkeeping methods are being understood and exercised by everyone at the firm.

The regulatory landscape will continue to evolve and tighten under Gensler, particularly when it comes to the investigation and enforcement of books and records programs. Investment advisers and broker-dealers need to be buttoned up when it comes to compliance policies and procedures, especially with regard to electronic communications recordkeeping.

While engaging the help of an experienced compliance and risk specialist is the best means of ensuring that thorough and comprehensive communications records meet the increasingly stringent demands of regulators, implementing the above best practices will help position investment advisers and broker-dealers for success in the event of an investigation and mitigate the likelihood of an enforcement action.

Fizza Khan is CEO and Nicholas Nunez is managing director and head of regulatory compliance at Silver Regulatory Associates, a firm that provides regulatory compliance, ESG and due diligence services for the investment industry.