In early May 2023, the Securities and Exchange Commission (SEC) announced a large enforcement action against broker-dealers HSBC Securities Inc. and Scotia Capital Inc., which ultimately totaled $37.5 million in fines. This was a joint action with the Commodity Futures Trading Commission (CFTC) for violations arising from employees’ use of personal devices and messaging applications (Off Channel Communications) and the firms’ failure to preserve such business-related electronic communications. See the SEC press release of May 11, 2023: https://www.sec.gov/news/press-release/2023-91
The SEC noted that these were “widespread and longstanding failures by both firms,” and the firms agreed to pay penalties of $22.5 million to the SEC and another $15 million to the CFTC. Importantly, both firms admitted that employees often used Off Channel Communications on their personal devices and third-party apps, including WhatsApp. WhatsApp is a messaging application with more than two billion users, now a part of Facebook, which promotes end-to-end encryption so that personal messages remain private between sender and recipient.
This focus is not new. In late 2021, the SEC and CFTC fined JPMorgan $200 million for the loss of business-related messages that were sent via Off Channel Communications, and in late 2022, the SEC and the CFTC settled with 11 major financial firms for $1.81 billion in fines for the same failure to preserve Off Channel Communications. Although the SEC promoted the enforcement action as a recordkeeping violation, the large fines and our technology-driven world (with its multiple messaging platforms) make clear that the primary focus for a firm is whether it has adequate security procedures to monitor Off Channel Communications in the first place.
The consequences don’t end with the SEC. For instance, federal prosecutors, namely Deputy Attorney General Lisa Monaco of the United States Department of Justice, noted the same focus late last year, stating that encrypted messaging platforms are “significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation.”
In sum, it is essential that firms maintain, monitor, and update policies and compliance procedures, including those regarding record retention and the use of third-party applications and personal devices, as the SEC (and other federal entities) continue to focus on Off Channel Communications. Further, executives should be on notice, as the SEC notes that the “failings involved employees at multiple levels of authority, including supervisors and senior executives.”
On a final note, please be aware that the above-referenced $37.5 million in fines were reduced because the firms smartly took advantage of self-reporting procedures. In other words, the firms would have been subject to much larger fines or other onerous remedies had they not self-reported. In short, if a firm conducts an audit and recognizes the same issue (or others), self-reporting is a way to mitigate the damage.
Written by John J. Cooney, Esq.
With over 25 combined years of business, legal, and technical experience, The Law Office of John J. Cooney, P.C. offers comprehensive legal strategies and solutions for businesses, working seamlessly and efficiently with management and any existing counsel. John’s firm concentrates on General Counsel services, Pre-Litigation Investigation, Defense, and Compliance services, as well as the Cybersecurity arena.