Ubiquitous Use of WhatsApp and Different Unrecorded Inner Communications End in Substantial Penalties in Current SEC, CFTC Actions | Faegre Drinker Biddle & Reath LLP
The SEC has, for many years, used broker-dealer and associated persons’ failure to create and maintain books and records as a basis for the imposition of serious penalties. In recent actions, it appears to be continuing—and upping the ante on—its enforcement in this area.
Simply stated, it is increasingly imperative for broker-dealers and investment advisory businesses, among other entities, to develop and maintain policies and procedures to ensure that their records are properly created, maintained, and produced to the appropriate agency upon request—including that employees’ communications related to their business should be made only through approved channels, and approved and monitored devices, such that those communications can be maintained and preserved for production as required by federal securities laws and regulatory authorities, and in any pending or threatened litigation.
Historical Enforcement Based on and Changes to Record-Making and Record-Keeping Requirements
In one of the earlier high-penalty record-making and record-keeping actions, in 2006, the SEC alleged Morgan Stanley and Co. Incorporated (“Morgan Stanley”) failed to back up tapes containing responsive e-mails such that they could be produced during a SEC investigation, and for making numerous misstatements regarding the status and completeness of its productions, the unavailability of certain documents, and its efforts to preserve requested emails. Based on these failures, the SEC charged Morgan Stanley with violations of Section 17(b) of the Securities Exchange Act of 1934 (“Exchange Act”), and Rule 17a-4 thereunder, and ordered it to pay a $15 million civil penalty, to adopt and implement policies, procedures, and training focused on the preservation and production of email communications, and to hire an independent consultant to review the reforms.
Several years later, on June 5, 2019, the SEC adopted Regulation Best Interest, which established a new standard of conduct under the Exchange Act for broker-dealers and persons associated with broker-dealers (“Reg BI”). At the same time, it imposed new record-making and record-keeping requirements with respect to certain information collected from or provided to retail customers in connection with Reg BI. These requirements built upon the existing record-making and record-keeping requirements imposed by Rules 17a-3 and 17a-4 of the Exchange Act, such that:
- For each retail customer to whom a recommendation of any securities transaction or investment strategy involving securities is or will be provided, the broker-dealer and any associated persons must keep a record of all information collected from and provided to the retail customer pursuant to Reg BI, as well as the identity of each natural person who is an associated person, if any, responsible for the account.
- The broker-dealer and any associated persons must retain all records of the information collected from or provided to each retail customer for at least six years after the earlier of the date the account was closed or the date on which the information was replaced or updated.
The SEC has since made clear that it intends to interpret and enforce the requirements of Reg BI as it deems to be in the best interest of investors. By way of example, it has commented that “Reg BI’s chief weakness – that key terms like ‘best interest’ and mitigation of conflicts are undefined – could now be its chief strength, if new leaders at the agency interpret and enforce these requirements to the best interest of investors, as we expect they will,”sup> and it has stated that it intends to ensure that brokers and investment managers understand their duties under Reg BI and to “ensure that best interest means best interest.” Otherwise stated, it intends to continue, and expand, enforcement in this area. See id.
And, it has done so. Namely, it has continually used the record-making and record-keeping requirements imposed by Rules 17a-3 and 17a-4 as both a stand-alone basis to impose significant penalties on broker-dealers, and as a supplement to other charges. By way of just a few examples, In the Matter of Navian Capital Securities, LLC and Robert P. Jenkins, the SEC alleged that, in violation of Section 17(a)(1) of the Exchange Act and Rules 17a-3 and 17a-5 thereunder, Navian failed to “make and keep certain books and records, including an accurate calculation of net capital,” and, consequently failed to file accurate FOCUS reports that included net capital computations. In the resulting settled action, it imposed on Navian and Jenkins a combined civil penalty of $50,000. Subsequently, in In the Matter of JonesTrading Institutional Services, LLC, the SEC charged JonesTrading solely based on its failure to preserve business-related text messages sent or received by its registered representatives, including senior management, in violation of Section 17(a) of the Exchange Act and Rule 17a-4 thereunder. It alleged that, though JonesTrading maintained policies and procedures to ensure it was retaining business-related records, and used employee attestations and trainings to monitor its employees’ adherence to these policies, several JonesTrading registered representatives exchanged business-related text messages with each other, with JonesTrading customers, and with third parties. JonesTrading did not preserve copies of these text messages in its books and records and, consequently, failed to produce certain text messages to SEC Staff in connection with its enforcement investigation of a third party. In the resulting settled action, JonesTrading agreed to pay a $100,000 civil penalty for these violations, among other sanctions. Thereafter, in In the Matter of Robinhood Financial, LLC, the SEC alleged that—among other violations— “Robinhood failed to maintain required records of its modifications to its website FAQ pages related to its order routing practices and receipt of payment for order flow, and the approval of those modifications,” in violation of Rule 17(a) of the Exchange Act and Rule 17a-4 thereunder. As Robinhood was subject to multiple, significant charges, it is not possible to ascertain what portion of the $65 million civil penalty it was ultimately required to pay to settle the charges against what was attributable to its recordkeeping failures. Nonetheless, the SEC surely used those failures as a basis to increase that penalty. And, in In the Matter of Integral Financial, LLC and Weiming “Frank” Ho, the SEC alleged that, among other violations, Integral failed to “make and keep current a record” indicating that it furnished to each customer information concerning the customer’s annual income and net worth, and the account’s investment objectives, among other information required by Rule 17a-3.
Recently, JP Morgan Agreed to Pay a Combined $200 Million Penalty to SEC and CFTC Based on Record-Making and Record-Keeping Violations
In the most recent action—with by far the highest penalties we’ve seen to date—JP Morgan agreed to pay a combined $200 million penalty to the SEC and CFTC based on record-making and record-keeping violations.
Specifically, on December 17, 2021, the SEC issued a settled cease-and-desist order against J.P. Morgan Securities LLC (“JP Morgan”)—a broker-dealer subsidiary of JP Morgan Chase & Co.—finding that, from at least January 2018 through November 2020, JP Morgan employees frequently communicated about securities business matters on their personal devices, using text messaging, WhatsApp, and personal email accounts, and that none of these records were preserved by the firm.  It found these failures were firm-wide, involved employees at all levels of authority, and “were not hidden within the firm.” Rather, JP Morgan’s managing directors and senior supervisors—including those responsible for implementing and overseeing compliance with JP Morgan’s policies and procedures that prohibited the use of personal devices or personal email, chats, or text applications for business communications—themselves communicated via non-firm approved methods concerning the firm’s securities business.
The SEC further noted that, during the same period, JP Morgan received and responded to SEC subpoenas and records requests in numerous investigations and, in doing so, often failed to search for records contained on its employees’ personal devices relevant to the SEC’s inquiries. Consequently, JP Morgan’s recordkeeping failures hindered the SEC’s investigations. As a result of the foregoing failures, the SEC found that JP Morgan violated Section 17(a) of the Exchange Act and certain sections of Rule 17a-4 thereunder.
JP Morgan admitted the SEC’s allegations and consented to the entry of a cease-and-desist order requiring it to pay a $125 million penalty to the SEC and implement robust improvements to its compliance policies and procedures.
Separately, and also on December 17, 2021, JP Morgan entered into a settlement with the Commodities Futures Trading Commission (“CFTC”) for related conduct, and agreed to pay a $75 million civil penalty, to cease and desist from further violations of recordkeeping and supervision requirements, and to engage in specific undertakings.
Broader Implications and Take-Aways
As exemplified by the foregoing, the SEC will only continue to bring actions against broker-dealers and associated persons for failures to create, properly maintain, and produce, required books and records. Indeed, the SEC has signaled that its action against JP Morgan is only one of many of its kind to come—noting that “as a result of the findings in [that] investigation, the SEC has commenced additional investigations of record preservation practices at financial firms,” and encouraging firms that believe their record-preservation practices do not comply with securities laws to self-report to the SEC.
And, the SEC is not alone in bringing such actions. Like the SEC and the CFTC the Financial Conduct Authority (“FCA”)—the financial regulatory body in the United Kingdom—also regulates the use of unauthorized means of communication and personal devices, as well as other failures to create, maintain, and produce upon request proper records of business communications. As a general proposition—and as the FCA has advised—firms should be able to demonstrate that their policies, procedures and management oversight meet the recording rules. In order to meet these rules, best practices would require that firms:
- Implement policies regarding the recording of business conversations;
- Identify which conversations are subject to the recording requirements;
- Determine the proper communication channels to be used by employees;
- Provide training for employees;
- Create follow-up procedures for breaches; and
- Clearly identify amendments to their recording policies and obtain the appropriate governmental approvals.
Moreover, firms need to continually review their policies and procedures with their compliance teams throughout the year in order to manage new technological advances, especially in the work at home environment.
 See Press Release: Morgan Stanley Sued for Repeated E-Mail Production Failures; 2006-69; May 10, 2006 (sec.gov)
 See Press Release: Morgan Stanley Sued for Repeated E-Mail Production Failures; 2006-69; May 10, 2006 (sec.gov); Morgan Stanley & Co. Incorporated: Lit. Rel. No. 19693 / May 10, 2006 (sec.gov).
 See https://www.sec.gov/rules/final/2019/34-86031.pdf, at 361-371; 17 CFR 240.17a-3, 17 CFR 240.17a-4; see also https://www.sec.gov/info/smallbus/secg/regulation-best-interest. The effective date for Regulation Best Interest was September 10, 2019; the compliance date was June 30, 2020.
 See id.
 See id.
 See In the Matter of Navian Capital Securities, LLC and Robert P. Jenkins, File No. 3-20013 (Sept. 17, 2020).
 See id.
 See In the Matter of JonesTrading Institutional Services, LLC, File No. 3-20050 (Sept. 23, 2020).
 See In the Matter of Robinhood Financial, LLC, File No. 3-20171 (Dec. 17, 2020). Robinhood was also charged with violating Sections 17(a)(2) and 17(a)(3) of the Securities Act, which prohibit obtaining “money or property by means of any untrue statement of a material fact or any omission to state a material fact necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading,” and prohibit engaging “in any transaction, practice, or course of business which operates or would operate as a fraud or deceit upon the purchaser.” Robinhood settled this action by agreeing to pay $65 million – the majority of which was likely attributable to the non-recordkeeping-based charges against it.
 See In the Matter of Robinhood Financial, LLC, File No. 3-20171 (Dec. 17, 2020). Robinhood was also charged with violating Sections 17(a)(2) and 17(a)(3) of the Securities Act, which prohibit obtaining “money or property by means of any untrue statement of a material fact or any omission to state a material fact necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading,” and prohibit engaging “in any transaction, practice, or course of business which operates or would operate as a fraud or deceit upon the purchaser.” Robinhood settled this action by agreeing to pay $65 million – the majority of which was likely attributable to the non-record-keeping based charges against it.
 See id.
 In the Matter of Integral Financial, LLC and Weiming “Frank” Ho, File No. 20445 (July 30, 2021); see also In the Matter of SG Americas Securities, LLC, File No. 3-19833 (June 24, 2020) (Alleging SGAS failed to keep and submit accurate data to the SEC in response to its electronic blue sheets (“EBS”) requests, in violation of Rule 17a-4).
 See https://www.sec.gov/litigation/admin/2021/34-93807.pdf.
 See id.
 See https://www.cftc.gov/PressRoom/PressReleases/8470-21.
 See https://www.sec.gov/news/press-release/2021-262.
 See, e.g., FCA warns advisers on using WhatsApp and social media – FTAdviser.com. Specifically, the FCA is also regulating the use of encrypted communication channels like WhatsApp for business communications within firms. The FCA currently prohibits the “BYOB” or bring your own device workplace policies unless firms have the ability to archive and maintain business communications. If employees are using apps to communicate, all business communications must be recorded. Business communications are defined as any “conversations and communications made with, sent from, received on, equipment provided or permitted to be used for business purposes.” In order to comply with the business communication regulations, firms must create up-to-date polices that record business conversations and must also be able to demonstrate that their policies, procedures and management oversight are effective to the FCA. The FCA has not prohibited the use of WhatsApp specifically; however, users must be able to archive all business communications conducted through the app. Firms can also be held liable when they fail to take reasonable steps to prevent an employee from making, sending or receiving business communications on privately owned equipment if the firm cannot record or copy.