From Inquiry to Response: What to Do When Regulators Come Knocking for Text Messages

Since 2021, U.S. regulators have fined Wall Street firms to the tune of $2.5 billion for inadequate retention of business text messages, stressing that record-keeping requirements extend to communications that take place outside of official business channels.

Announcing last month’s latest enforcement order in response to the failure of financial institutions to stop employees from using off-channel communications, including text messages and WhatsApp, CFTC’s Director of Enforcement Ian McGinley said, “The Commission’s message could not be more clear — recordkeeping and supervision requirements are fundamental, and registrants that fail to comply with these core regulatory obligations do so at their own peril.”

Maintaining detailed records of business-related communications is a strict requirement for financial firms, including broker-dealers, investment advisers and swap dealers under SEC, FINRA and CFTC regulations. When regulators come knocking in search of text messages, having a solid electronic communications policy in place is only the beginning. Regulators will thoroughly examine various aspects of an organization’s compliance efforts, and merely banning text messaging on personal devices will not suffice; similarly, regulators will not accept claims that relevant text messages do not exist without substantial supporting evidence.

It is crucial to be prepared to showcase a comprehensive approach to text message compliance, and the following are key areas of regulatory focus that financial firms should address when faced with an inquiry.

Crafting comprehensive policies

Regulators will closely review the scope of relevant policies, including coverage of sanctioned and unsanctioned communication channels. A comprehensive policy should establish clear retention guidelines and a roadmap for employees to follow, ensuring consistent adherence to regulatory mandates. By implementing consistent standards across diverse messaging platforms and anticipating emerging tools, an organization can showcase a forward-looking approach to managing changing communication landscapes.

Policies should also detail strategies for capturing and securely storing business-related text messages on approved channels. These procedures should offer clear guidance on how and when to capture data on unmonitored channels used for business, involving key decision-makers from regulatory, privacy, information governance and other teams. This holistic approach reflects a systematic dedication to compliance, positioning a firm to confidently address regulatory inquiries.

Financial Services

When Posting an Emoji Is a Securities Violation

by Susannah Hammond

July 18, 2023

Emojis are a common and valid form of modern expression, but like any other form of speech, companies need strict policies and procedures around their use. Don’t believe that? Ask the SEC about rocket ship and money bags emojis.

Read moreDetails

Demonstrating a culture of compliance

Ensuring robust compliance involves more than just having a policy: It requires clear employee understanding and adherence. Regulators will scrutinize firms’ commitment to this culture, looking for evidence of a training program. They may inquire about the frequency and depth of training, as well as methods to ensure employees’ comprehension of policies, especially those related to text messages.

Regular reminders and training, tailored to address text message-related scenarios, underline the importance of adhering to retention policies. Practical strategies for overcoming challenges should be included, and real-word examples of regulatory investigations and penalties can highlight the tangible consequences of noncompliance. Organizations can meet regulatory expectations and empower employees to help safeguard information integrity by embedding compliance into their core functions.

Exhibiting rigorous monitoring and enforcement

Regulators are acutely interested in how well a financial firm supervises and enforces its data retention policy for text messages. They will examine documentation of active oversight, monitoring for policy violations (including evidence of channel-switching across other e-communication platforms), regular audits and investigations into deviations. Demonstrating swift incident resolution and self-reporting, when appropriate, is necessary to reassure regulators of a firm’s commitment to enforcing message retention policies.

The consequences of inadequate compliance are steep, encompassing possible license suspensions or criminal charges in addition to hefty fines. To reinforce adherence, enhance awareness of regulatory requirements and ensure accountability, some organizations are holding employees personally liable for violations through fines, suspension and even termination. According to the Financial Times, Morgan Stanley recently imposed financial penalties, ranging from thousands to over $1 million per individual, by clawing back bonuses or reducing future pay for the use of messaging platforms like WhatsApp for official business.

Implementing effective preservation mechanisms

When regulators turn their focus to a financial institution’s preservation mechanisms, they seek concrete evidence of a commitment to compliance with data retention obligations. Preservation strategies must extend beyond a mere confirmation of text message retention. Regulators will assess various facets of a firm’s preservation framework, including detailed documentation outlining the capture and secure storage of text messages, implementation of legal holds that prevent data deletion and retention of the metadata providing context to communications. Effective preservation mechanisms not only bolster an organization’s compliance standing but also make it possible to swiftly retrieve relevant text messages and potentially earn cooperation credits in regulatory investigations.

Firms must also be diligent in addressing potential gaps in their records of active investigations. A wide-ranging assessment of communications should be conducted to identify instances where text messages are referenced but not adequately preserved. Regulators will closely scrutinize the consistency between preserved text message data and references made within other communications, meaning cross-platform record reconciliation is a key element of a well-crafted preservation strategy.

Tailoring responses for text messages

Firms should have a written, playbook-level response plan that prepares stakeholders for tight deadlines, outlining steps and specific personnel for identifying, preserving, collecting, reviewing and producing relevant information promptly. This should encompass how to handle routinely anticipated questions from regulators and include detailed tactical steps to be taken before, during and after mobile phone records retrieval, as well as protocols for enforcement and remedial action for policy violations identified during the course of the inquiry.

Regulators are closely examining how organizations manage their discovery processes, focusing on the intricacies of handling text messages. They expect tailored strategies for capturing, retaining and producing text messages that reflect an understanding of their unique nature. While perfection is not the standard in any regulatory inquiry, regulators will expect relevant information existing in unmonitored channels to be produced in the same manner as any other requested information.

Firms are expected to produce complete records of text messages, including metadata and any attachments, accurately reflecting their content and context. Reliance on self-collection or screenshots is likely to be insufficient. Regulators will require a more comprehensive strategy that guarantees the accuracy, authenticity and completeness of the text message data provided.

Balancing privacy considerations

Financial institutions face a delicate challenge in striking the right balance between regulatory compliance and privacy protection when it comes to managing text message data. To achieve this balance, firms should prioritize data minimization, focusing only on relevant text messages, while implementing robust redaction techniques to shield sensitive or personal information. This proactive approach not only ensures compliance but also safeguards individual privacy rights, instilling confidence in both regulators and employees. Employee concerns can also be addressed by offering employees the opportunity to consult individual legal counsel to address any privacy concerns they may have.

Civil litigation implications

The regulatory spotlight on unmonitored communication channels can also impact civil litigation by creating a presumption that business-related text messages are being preserved, and as a result, courts could expect financial institutions to produce relevant text messages during discovery. Failure to do so could lead to spoliation findings, adverse inferences or sanctions, making it essential for firms to ensure that their record retention policies include the preservation of these communications.

Conclusion

In this regulatory climate, demonstrating programmatic compliance with text message records requirements is a pressing concern for financial institutions of all sizes and types. With increasing regulatory scrutiny and a rise in text message requests, organizations are under greater pressure to produce comprehensive records. Therefore, holistic measures prioritizing compliance are imperative to effectively capture and produce text messages and other emerging forms of data in alignment with regulatory expectations.