When JP Morgan Chase was fined $200 million for recordkeeping failures in 2021, it felt monumental. Ephemeral messaging penalties were admittedly a new proposition at the time, but the size of the levy should have drawn a line in the sand and led to a tectonic shift in compliance procedures for financial services organizations. Harriet Christie of MirrorWeb explores what’s unfolded since then, a cautionary, captivating and, indeed, costly tale of how firms were caught off-guard by the regulator’s strict enforcement — and what might come next.
The SEC mandates that financial firms maintain records of all communication between clients and brokers and routinely conducts investigations to ensure compliance. Exchanges like those occurring through WhatsApp and other “off-channel” mobile platforms are far more difficult to monitor and capture than email, for example, and so have not traditionally featured in organizations’ record-keeping strategies. Interacting with clients on these platforms is non-compliant in such cases, leading to most firms deeming it best practice to ban their use entirely.
This was jeopardized by the disruption of the Covid-19 pandemic, which led to far greater reliance on messaging apps and more workers using personal phones or tablets for business. Since the shift to hybrid working, organizations have struggled to impose restrictions on staff that rely on the prevalence and convenience of these platforms. As a result, the scope for regulatory infraction has grown.
Establishing a culture of compliance
Since July 26 2021, Gurbir Grewal has been acting as the SEC’s enforcement director. He recently revealed that his ambition in the role was to enhance public trust in institutions and that he wished to “impose penalties that would have a lasting impact across the industry.” Grewal inherited a role in which the issue of keeping tabs on staff communications had dogged Wall Street compliance departments for years.
The SEC began to take action in December 2021, when JPMorgan Chase failed to provide documents from 2018 pertaining to an unrelated probe. This eventually led to the bank admitting the charges over record-keeping lapses and accepting a settlement with the SEC for $125 million, an unprecedented punishment for an infraction that had thus far evaded regulator’s attention.
Continued escalation
While some firms did take heed of JP Morgan’s public sanction and revise their compliance policies and procedures, it wasn’t enough to convince regulators that things had moved sufficiently in the right direction.
By September 2022, the SEC had fined another 16 leading financial firms (including Barclays, Goldman Sachs and Morgan Stanley) a combined $1.1 billion, as the situation escalated dramatically in a landmark case for the agency.
“Since the 1930s, such recordkeeping has been vital to preserve market integrity. As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only approved channels, and they must maintain and preserve those communications,” SEC Chairman Gary Gensler said.
The SEC subsequently expanded its probe, with investment funds/advisers finding themselves in the spotlight that October, while major hedge funds (including Point72 and Citadel) were requested to review employee handsets in February 2023.
A few months passed before another round of large penalties landed in August 2023, as the probe continued to haunt financial services firms. Nine Wall Street broker-dealers, including Wells Fargo and BNP Paribas, agreed to pay penalties totaling $549 million to the SEC and CFTC.
As SEC Deputy Enforcement Director Sanjay Wadha explained in the aftermath, “We know that other SEC-regulated entities have committed similar violations, and so our work to enforce industry-wide compliance continues.” This statement, and the consistency it justifies, are not surprising. Grewal occupies the role senior to Wadha and views books and records obligations as vital to market integrity. It’s clear that this mindset is ingrained throughout the division.
From Inquiry to Response: What to Do When Regulators Come Knocking for Text Messages
Financial institutions have been hit with billions of dollars’ worth of fines in the past couple of years for failing to preserve business text messages, and Reuters recently reported that the SEC had expanded its probe into Wall Street's use of tools like WhatsApp and Signal. Whether they’re from the SEC, FINRA or CFTC, federal investigators will dig deep when determining if official communications have taken place off normal business channels. Lauren Tringali and Brian Corbin of QuisLex say be prepared to show your work.
Read moreDetailsRaising the bar
The escalation of this probe doesn’t just constitute additional companies being examined; the investigation process has also become more severe, with numerous sources reporting that the agency has confiscated thousands of phones. Previously, businesses were asked to review employee handsets themselves. The new approach leaves them more open, with nowhere to hide and no control over how their findings are reported back.
The next round of fines landed in September 2022 as broker-dealers and investment advisers, including Interactive Brokers and William Blair & Co, received multimillion-dollar levies for similar record-keeping violations.
Grewal shared an interesting revelation in the aftermath, spelling out the perks of cooperation to firms that may feel vulnerable: “One of the orders included in today’s announced actions is not like the others. There are real benefits to self-reporting, remediating and cooperating.” This refers to Perella Weinberg Partners, which self-reported its failures, and whose penalty of $2.5 million was the smallest by quite a distance. The next smallest was Fifth Third Securities Inc with an $8 million penalty.
What’s next?
Almost two years have passed since the SEC fired its first shot in the WhatsApp fines probe, making an example of JP Morgan just in time for Christmas. After a subsequent pause, the investigation exploded back into life in September 2022 and has since shown no sign of slowing. There have been several significant moments in the investigation where the agency may have relented, but it continues to double down, exacting standards across the board.
It’s natural to wonder what the endgame might look like in this saga. The SEC posted record enforcement penalty figures last year, and so the approach has clearly been lucrative. As Grewal has repeatedly asserted, for the sake of integrity, these laws must be applied across the entire industry, regardless of a company’s size or the potential scale of wrongdoing.
Firms can’t escape this scenario by retrospectively gathering messages that have already been overlooked. By prolonging their investigation and regularly drip-feeding details of new firms (of all shapes and sizes) that are being held to account, the SEC has made it abundantly clear that mobile communications capture is now an inescapable requirement. With the incentivization of self-reporting and remediation, regulators have also shown that proactivity will be rewarded, and that no good will come from firm’s sitting on their hands or, even worse, pleading ignorance.
Harriet Christie is chief operating officer at MirrorWeb. She graduated from the University of Sheffield in 2010, with a B.A. in management accounting, entrepreneurship, business law, BSR, HR. She entered the tourism space, starting as an accounts executive at LateRooms.com, and earning the title of global accounts manager within three years. She occupied this role for a further five years as the business continued to evolve and flourish, before taking up her role as a key account manager with MirrorWeb, a data-archiving solution based in Manchester. Harriet was appointed operations director in 2020. Since then, she has helped oversee the evolution of the MirrorWeb product and service offering, as well as the business' impressive growth since her taking on the role. 
