Do Not Delete: SEC and DOJ Send Serious Messages on Preserving Ephemeral Communications
Ages ago, hieroglyphics were painstakingly etched into stone. They communicated various types of messages, from fables to business transactions, and lasted thousands of years. Today, we still communicate the same type of messages – with a modern twist – but now these communications can be exchanged nearly instantaneously via video, text messaging and apps. More importantly for purposes of this post: many messages of the modern era are not nearly as enduring as their stone counterparts.
It is this last point that the U.S. Securities and Exchange Commission (SEC) and U.S. Department of Justice (DOJ) are concerned with, and both have taken measures to address what they consider to be the problematic impermanence of electronic communications. Several recently settled SEC orders against numerous regulated entities for failures to retain employee communications on ephemeral messaging applications – communication apps that can and often do automatically erase the conversation between the users after a short amount of time – demonstrate the SEC's zero-tolerance approach to these types of recordkeeping failures. And DOJ's recent guidance on ephemeral messaging applications has a broader swath of companies revisiting how to deal with this evolving technology.
In this post, we explore the rules of recordkeeping by which broker-dealers and registered investment advisers must abide and the consequences for violating these provisions relating to ephemeral messaging, as well as some practical tips for avoiding SEC and DOJ scrutiny.
SEC Rules of Recordkeeping
Although messages transmitted across ephemeral platforms may be fleeting, their use in the modern era is pervasive. In the face of this evolving technology, Gurbir S. Grewal, the director of the SEC's Division of Enforcement, called the recordkeeping requirements under the federal securities laws "sacrosanct," now taking on heightened importance given the rise of ephemeral messaging applications. A company's books and records serve many purposes, not only for the SEC but also for investors and other key stakeholders when it comes to, among other things, transactions, disputes or wrongdoing.
At first glance, the SEC's rules for recordkeeping appear fairly straightforward. SEC Rule 17a-4 of the Securities Exchange Act of 1934 (Exchange Act) governs broker-dealer requirements for data retention.1 With respect to communications, broker-dealers must preserve originals of all communications received and sent by the broker-dealer that relate to its business for at least three years.2 Electronic records must either be maintained and preserved in a non-rewritable, non-erasable format (also known as "write once, read many" or WORM) or, as of May 3, 2023, broker-dealers may use an audit-trail alternative method of preservation that permits the recreation of an original record if it is deleted or modified.3
Investment advisers are subject to similar, albeit less expansive, requirements. Specifically, Rule 204-2(a)(7) of the Investment Advisers Act of 1940 (Advisers Act) requires registered investment advisers to preserve for at least five years in an easily accessible place originals of all communications received and copies of all written communications sent relating to, among other things, any recommendations or advice to clients that have been made or proposed to be made and certain client-specific transactional communications.4 Additionally, both broker-dealers and registered investment advisers are required to supervise employees to ensure compliance with recordkeeping obligations.5
The SEC keyed into some compliance issues with these requirements, and in September 2022, announced settled enforcement actions against 15 broker-dealers and one affiliated investment adviser for failing to maintain ephemeral messages that, based on their content, the SEC considered to fall under the umbrella of Rule 17a-4 and Rule 204-2, respectively. Without admitting or denying the allegations, the firms agreed to pay combined penalties of more than $1.8 billion to retain compliance consultants to conduct comprehensive reviews of their policies and procedures relating to the retention of electronic communications, including those found on personal devices, and to implement improvements to their compliance policies and procedures. These settlements followed a December 2021 SEC settlement with a broker-dealer in which it admitted wrongdoing, a most unusual feature in an SEC settlement, and agreed to pay a $125 million penalty, which was nearly 10 times the highest penalty the SEC imposed previously in similar matters. Additional enforcement actions have followed in recent months. The SEC took these measures apparently because, as SEC Chair Gary Gensler noted, "Some market participants did not act as if they got the message."
But what about public company issuers? Currently, under the federal securities laws, issuers are not subject to direct regulations on preservation of business communications. However, much like investment advisers, these types of communications may need to be retained by public companies if they satisfy another statutory recordkeeping obligation. For example, under Exchange Act Section 13(b)(2)(A), issuers are required to make and keep certain books and records that accurately and fairly reflect the transactions and dispositions of the assets of the issuer. But the scope of messages that issuers need to consider retaining may have increased exponentially. As detailed further below, recent DOJ guidance has brought these issues to their compliance doorstep as well.
Earlier this year, DOJ issued guidance for how it will assess a company's practices on the use of personal devices, messaging applications (including ephemeral messaging) and communications platforms in the workplace. 6 As previously detailed, going forward, DOJ will scrutinize, among other things, a company's policy environment and risk management framework around device use and message retention when it is subject to a DOJ inquiry. (See Holland & Knight's previous alert, "DOJ Announces Significant Policy Changes Affecting Corporate Criminal Enforcement," March 7, 2023.) Assistant Attorney General Kenneth Polite was clear that DOJ will press the issue of messages sent across ephemeral messaging platforms: "During the investigation, if a company has not produced communications from these third-party messaging applications, our prosecutors will not accept that at face value."
Public companies take note: In terms of scope, the DOJ's guidance applies to all companies, not just regulated entities subject to the SEC's rules. Further, DOJ's guidance extends broadly to cover all communications related to a company's business, meaning its scope is far more akin to broker-dealer regulations under Exchange Act Rule 17a-4 than the more narrow adviser obligations under Advisers Act Rule 204-2(a)(7).
Importantly, neither the SEC regulations or DOJ guidance discriminate when it comes to the type of application used. As a result, messages transmitted across communication apps that automatically erase the conversation between the users are covered under both the rules and guidance. This means that communications over applications such as WhatsApp, Signal and Telegram – each of which automatically delete messages unless default settings are disabled – could be subject to retention.
Although the use of such platforms can provide benefits such as privacy, security and convenience, they also pose significant corporate compliance risks, particularly with respect to companies' ability to abide by their recordkeeping obligations. And the SEC's aggressive enforcement of the recordkeeping provisions against some of the world's largest financial institutions and DOJ's broad guidance has put everyone on notice of the importance and challenges of retaining these types of communications in the face of evolving technology.
A Lasting Message
By bringing these settled actions with outsize penalties for recordkeeping violations, the SEC has sent a "straightforward" message to registrants: "You are expected to abide by the [SEC's] recordkeeping rules," including as to ephemeral messaging.7 The SEC does not appear to be finished in this arena. To Chair Gensler, "[b]ooks and records matter," and the SEC, during his tenure, "will strive to ensure that penalties are not seen as [just] the cost of doing business."8 Indeed, several other financial institutions have disclosed that they currently are under investigation by the SEC and the U.S. Commodity Futures Trading Commission (CFTC) over similar activity.
If there is a silver lining to the SEC's increased focus on ephemeral messaging and the DOJ's recent pronouncements, it is the additional insight into what activity may draw the ire of the SEC and DOJ and how companies can tailor their policies and procedures to avert a government investigation. To mitigate risk in the recordkeeping enforcement arena, companies of all types should consider:
- reviewing relevant document retention and other policies to ensure electronic communications are preserved, particularly when there is a threat of litigation or a government investigation
- assessing compliance policies concerning supervisory responsibilities of managers to subordinates
- the implications of a bring your own device (BYOD) policy – whereby employees are allowed to utilize their own devices for company purposes – as such policies are increasingly becoming an early discussion point between defense counsel and government attorneys on the scope of documents under company control
- written personnel certifications that they are complying with preservation and record retention requirements
- implementing, as appropriate, technological restrictions and surveillance programs – and regularly audit them – to ensure compliance with ongoing preservation obligations
- corrective action and employee discipline matrices to address instances of non-compliance
The Holland & Knight SECond Opinions Blog will continue to monitor this space and provide updates as to future developments. If you need any additional information on this topic – or anything related to SEC enforcement or internal investigations – please contact the authors or another member of Holland & Knight's Securities Enforcement Defense or White Collar Defense and Investigations Teams.
1 17 CFR § 240.17a-4.
2 17 CFR § 240.17a-4(b)(4).
3 U.S. Sec. & Exch. Comm'n, "Frequently Asked Questions Regarding Rule Amendments to Broker-Dealer, Security-Based Swap Dealer, and Major Security-Based Swap Participant Electronic Recordkeeping Requirements," Jan. 18, 2023.
4 17 CFR §§ 275.204-2(a)(7) and (e)(1).
5 Release No. 2022-174, U.S. Sec. & Exch. Comm'n, "SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures," Sept. 27, 2022.
6 Deputy Attorney General Lisa Monaco, "Further Revisions to Corporate Criminal Enforcement Policies
Following Discussions with Corporate Crime Advisory Group," Sept. 15, 2022; see also Holland & Knight's previous alert, "DOJ Announces Significant Policy Changes Affecting Corporate Criminal Enforcement," March 7, 2023.
7 See note 5, supra.
8 SEC Chair Gary Gensler, U.S. Sec. and Exch. Comm'n, "This Law and Its Effective Administration: Remarks Before the Practising Law Institute's 54th Annual Institute on Securities Regulation," Nov 2, 2022.