How the SEC Keeps Raising the Stakes on Ephemeral Messaging

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise tech. In this feature, MirrorWeb‘s COO Harriet Christie offers commentary on how the SEC keeps raising the stakes on ephemeral messaging.

When JP Morgan Chase was fined $200 million for recordkeeping failures in 2021, it felt monumental. While ‘ephemeral messaging’ penalties were admittedly a new proposition, the size of the levy should have drawn a line in the sand and led to a tectonic shift in compliance procedures for financial services organizations. What has unfolded since has been cautionary, captivating, and indeed costly for many firms caught off guard by the regulator’s strict enforcement.

This article provides a timeline of the SEC’s investigation so far, including the measures taken, who is affected, how the stakes continue to escalate, and how firms can keep themselves out of the firing line. But before that, it’s important to establish why the probe is happening in the first place, and how such a fundamental oversight caught the entire sector cold.

Why is Text Messaging in the Firing Line?

The SEC mandates that financial firms maintain records of all communication between clients and brokers and routinely conduct investigations to ensure compliance.

Exchanges like those occurring through WhatsApp and other ‘off channel’ mobile platforms are far more difficult to monitor and capture than email, for example, and so have not traditionally featured in organizations’ record-keeping strategies. Interacting with clients on these platforms is non-compliant in such cases, leading to most firms deeming it best practice to ban their use entirely.

This was jeopardized by the disruption of the COVID-19 pandemic, which led to far greater reliance on messaging apps, and more workers using personal phones or tablets for business. Since the shift to hybrid working, organizations have struggled to impose restrictions on staff that rely on the prevalence and convenience of these platforms. As a result, the scope for regulatory infraction has grown.

Establishing a Culture of Compliance

Since July 26^th 2021, Gurbir Grewal has been acting as the SEC’s enforcement director. He recently revealed that his ambition in the role was to enhance public trust in institutions and that he wished to ‘impose penalties that would have a lasting impact across the industry.’ Grewal inherited a role in which the issue of keeping tabs on staff communications ‘had dogged Wall Street compliance departments for years.’

The SEC began to take action in December 2021, when JPMorgan Chase failed to provide documents from 2018 pertaining to an unrelated probe. This eventually led to the bank admitting the charges over record-keeping lapses and accepting a settlement with the SEC for $125 million – an unprecedented punishment for a crime that had thus far evaded the regulator’s attention.

Continued Escalation

While some firms did take heed of JP Morgan’s public sanction and revise their compliance policies and procedures, it wasn’t enough to convince regulators that things had moved sufficiently in the right direction.

By September 2022, the SEC had fined another 16 leading financial firms (including Barclays, Goldman Sachs and Morgan Stanley) a combined $1.1 billion, as the situation escalated dramatically in ‘a landscape case for the agency’.

“Since the 1930s, such recordkeeping has been vital to preserve market integrity. As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only approved channels, and they must maintain and preserve those communications,” said SEC Chairman Gary Gensler.

The SEC subsequently expanded its probe, with investment funds/advisors finding themselves in the spotlight that October, while major hedge funds (including Point72 and Citadel) were requested to review employee handsets in February 2023.

A few months passed before another round of large penalties landed in August, as the probe continued to haunt financial services firms. Nine Wall Street broker-dealers, including Wells Fargo and BNP Paribas, agreed to pay penalties totaling $549 million to the SEC and CTFC.

As SEC deputy enforcement director Sanjay Wadha, explained in the aftermath, ‘“We know that other SEC-regulated entities have committed similar violations, and so our work to enforce industry-wide compliance continues.” This statement, and the consistency it justifies are not surprising. The aforementioned Gurbir Grewal occupies the role senior to Mr Wadha, and views books and records obligations as vital to market integrity. It’s clear that this mindset is ingrained throughout the division.

Raising the Bar

The escalation of this probe doesn’t just constitute additional companies being examined; the investigation process has also become more severe, with numerous sources reporting that the agency has now confiscated thousands of phones. Previously, businesses were asked to review employee handsets themselves. The new approach leaves them more open, with nowhere to hide and no control over how their findings are reported back.

The next round of fines landed in September as broker-dealers and investment advisers, including Interactive Brokers and William Blair & Co, received multi-million dollar levies for similar record-keeping violations.

The SEC’s Gurbir Grewal shared an interesting revelation in the aftermath, spelling out the perks of cooperation to firms that may feel vulnerable. “One of the orders included in today’s announced actions is not like the others. There are real benefits to self-reporting, remediating and cooperating.” This refers to Perella Weinberg Partners, who self-reported their failures, and whose penalty of $2.5 million was the smallest by quite a distance. The next smallest was Fifth Third Securities Inc with an $8 million penalty.

What’s Next?

Almost two years have passed since the SEC fired its first shot in the ‘WhatsApp fines’ probe, making an example of JP Morgan just in time for Christmas. After a subsequent pause, the investigation exploded back into life in September 2022, and has since shown no sign of slowing down. There have been several significant moments in the investigation where the agency may have relented, but they continue to double down, exacting their standards across the board.

It’s natural to wonder what the endgame might look like in this saga. The SEC posted record enforcement penalty figures last year, and so their approach has clearly been lucrative. As Gurbir Grewal has repeatedly asserted, for the sake of integrity, these laws must be applied across the entire industry, regardless of a company’s size or the potential scale of wrongdoing.

Firms can’t escape this scenario by retrospectively gathering messages that have already been overlooked. By prolonging their investigation and regularly drip-feeding details of new firms (of all shapes and sizes) that are being held to account, the SEC has made it abundantly clear that mobile communications capture is now an inescapable requirement. With the incentivization of self-reporting and remediation, they have also shown that proactivity will be rewarded and that no good will come from firm’s sitting on their hands or, even worse, pleading ignorance.