The JP Morgan Chase WhatsApp fine seemed like an isolated incident until it sparked an industry-wide enforcement campaign that reached back years to penalize conduct many firms thought was forgotten. MirrorWeb’s David Clee examines how periods of deregulation can create a false sense of security, leading to systematic compliance breakdowns that regulators can and will prosecute long after the fact.
In December 2021, JP Morgan Chase agreed to pay $200 million in fines for failing to monitor employee communications on unauthorized channels, primarily WhatsApp, SMS and iMessage. Initially seen as a high-profile, isolated incident meant to set an example, it turned out to be the opening salvo in a sweeping, industry-wide enforcement campaign.
By 2023, that $200 million spark ignited a $1.8 billion wildfire. The SEC and CFTC came down hard on 16 major financial firms for similar violations, all tied to the same issue: the use of off-channel communications that violated federal recordkeeping laws. Many firms felt blindsided. The penalties were severe, retroactive and unprecedented. Rather than signaling a new start point for compliance expectations, the regulators looked backward.
The message was clear: Regulatory priorities may shift, but accountability persists, and consequences can surface long after the fact. Despite widespread expectations of a more laissez-faire regulatory approach under the new administration, early indications suggest otherwise. When 16 financial firms appealed to reduce their fines in April 2025, hoping for a reprieve under Paul Atkins’ more lenient SEC, the agency upheld the fines, emphasizing that mobile compliance isn’t a political issue but a permanent regulatory priority.
The deregulation trap: How relaxed oversight created maximum vulnerability
Between 2017 and 2020, the broader regulatory environment softened. There was a palpable shift toward deregulation, from rollback proposals to relaxed oversight in finance and climate policies. Many firms interpreted this as a green light to ease up on compliance infrastructure. The SEC’s off-channel probe, which extended back to this period, shows that was a costly miscalculation.
Periods of deregulation create a false sense of safety. Firms assume that if rules aren’t being actively enforced, they don’t need to be followed as rigorously. But history tells a different story — from the mortgage crisis to the Wells Fargo account scandal, relaxed oversight doesn’t remove accountability. It simply delays it. When regulators return, they don’t rewind expectations; they fast-forward consequences.
For years, firms treated recordkeeping as a matter of emails and memos, dismissing chat apps and personal devices as outside the scope of “real: business communication. The SEC took a different view. This was not an indictment of technology but of behavior. What many viewed as harmless workarounds were, in reality, a systemic breakdown and a billion-dollar compliance blind spot hiding in plain sight.
The Devil You Know …
With compliance processes driven largely by regulatory requirements, the financial services sector could be forgiven for breathing a sigh of relief under the deregulatory bent of the Trump Administration. But experts and observers in the finserv sector told CCI contributing writer Carrie Pallardy that, in many ways, even the disruption of business-friendly attitudes is still disruption — and disruption can be costly.
Read moreDetailsBackdated enforcement: The regulator’s strategic weapon
Perhaps the most striking feature of the SEC’s messaging crackdown was how far back it reached. Many fines issued in 2023 targeted conduct dating back to 2018, years before the JPMorgan precedent had been set.
Backdated enforcement is not only legal; it’s strategic. It sends a powerful signal that regulators don’t need to catch you in the act. They can review logs, communications and historical behavior to enforce longstanding rules — and they will. This fundamentally changes compliance risk assessment; violations don’t expire when enforcement attention shifts elsewhere.
The SEC’s messaging sweep wasn’t just about WhatsApp. While encrypted messaging apps stole the headlines, this investigation was about the unchecked normalization of informal communication in regulated environments and the widespread failure to treat those exchanges as subject to compliance oversight. What makes this enforcement pattern particularly dangerous is that it can surface years after firms believe they’ve moved past potential violations.
What smart firms are doing right now
Forward-thinking firms didn’t wait for the $1.8 billion headline. For them, one warning was enough. They saw the 2021 JPMorgan fine and got to work. Here’s what they’re doing now:
- End-to-end capture: Deploying audit-ready systems that record all relevant communication, from emails to mobile messaging to emerging platforms like TikTok.
- Clear communication policies: Establishing and enforcing guidelines on informal messaging channels, with comprehensive training for staff.
- Internal transparency: Encouraging teams to escalate compliance risks internally before they become public scandals.
- Future-proofing technology: Using quieter enforcement periods to upgrade systems, replace outdated tools and invest in scalable solutions.
But perhaps most importantly, these firms understand that cooperation counts. The dramatic variation in penalty amounts — some firms paid more than double what others did for the same offense — wasn’t arbitrary. Regulators aren’t running a fairness contest. They’re sending a message. Just as guilty pleas lead to reduced sentences in a court of law, the SEC has rewarded firms that acknowledged their shortcomings.
Firms that engaged early, self-disclosed or took meaningful steps to fix compliance gaps saw better outcomes. That’s not favoritism; it’s the playbook. It reflects the SEC’s broader strategy: to embed a culture of proactive compliance. This approach favors the carrot over the stick, replacing fear with clarity and reinforcing the principles behind the rules.
These firms know a strong compliance strategy isn’t just about surviving current scrutiny, it’s about building long-term resilience and avoiding the high cost of short-sighted decisions. With retroactive penalties now standard practice, accountability doesn’t pause when enforcement does.
David Clee is CEO of MirrorWeb and a member of the company's board of directors. He co-founded MirrorWeb, bringing more than 20 years of technology leadership, computer software expertise and executive management experience to his role with the company. 
