SEC Wall Street Probe Slides into Direct Messages

The US Securities and Exchange Commission (SEC) has collected “thousands” of staff messages from more than a dozen major Wall Street investment firms as part of a long-term investigation, sources told Reuters this week.

The SEC had previously asked the companies to internally review use of WhatsApp, Signal and other instant messaging services to discuss work. The firms included in the latest probe include Apollo, Blackstone, Carlyle, KKR, TPG, and more.

With the popularity of encrypted messaging services like WhatsApp, WeChat, Telegram, and other SMS apps, organizations’ compliance departments are faced with the daunting challenge of how to handle “off-channel” business communications without running afoul of federal regulations.

Ji Kim, director of operations at SEC Compliance Consultants, said the SEC’s interest in internal encrypted communications has been increasing in the last few years -- particularly in the financial advisor industry. Messages that break data privacy laws can lead to massive fines. Just last month, the SEC announced $549 million in fines associated with WhatsApp and Signal use at 11 large firms, including Wells Fargo.

Last year, JPMorgan Chase, Goldman Sachs, Morgan Stanley, and Citigroup were hit with fines as well. So far, the SEC has netted more than $2 billion in fines for non-compliance with record-keeping rules. JPMorgan Chase’s issues with off-channel communications violations goes back to 2018.

Related:Data Sovereignty, Compliance Shape IT Leadership

“These off-channel communications have become a bigger issue,” Kim told InformationWeek in an interview. “I think we’ll continue to see a lot more cases.”

Training Will be Key to Avoiding Fines

Kim said the line between business and personal can get blurred when using messaging services, so companies should have a clear policy in place that separates business communications from personal communications. “Some companies have a strict rule where they just forbid any sort of text communication or SMS messaging platforms, and they have employees attest to that on a quarterly basis as part of their code of ethics requirements.”

While Kim’s firm works exclusively with financial advisor firms, he said it’s important for companies to have the right policies and procedures in place when it comes to messaging apps. “It’s important to have the appropriate policies and to make sure the compliance team is understanding what apps are being used.”

Several companies offer enterprise information archiving services for direct messaging services for reporting, with the most widely used being Smarsh and Global Relay.

Related:US Data Privacy Relationship Status: It’s Complicated

Brian Fricke, CISO of City National Bank of Florida, agreed. Beyond establishing clear guidelines, companies should also use alternative messaging platforms, and conduct regular audits and training sessions, he said. "Companies should consider implementing enterprise-grade messaging platforms with end-to-end encryption that also comply with record-keeping regulations," he said.

Probes Could Go Beyond Financial Industry

While the most recent SEC probes have been focused on Wall Street firms, the laws regarding messaging apps and records keeping apply to all publicly traded companies.

After the Enron and WorldCom accounting scandals of the early 2000s, the Sarbanes-Oxley Act (SOX) of 2002 sought to establish clear guidelines for business-related communications and records for publicly traded companies.

SOX laid out important rules relating to electronic records archiving and management. Companies are required to retain records -- including electronic messages -- for a period of seven years. All incoming and outgoing SMS messages relating to business are included in the requirements.

Fricke said other enterprises should be vigilant when it comes to encrypted messaging apps. The SEC probe has the potential to impact other industries as well, he said. "Enterprises using WhatsApp and other encrypted messaging apps for business communication might face increased scrutiny from regulatory bodies, especially if they operate in sectors with potential for compliance failures. The SEC's deep dive into these messages might uncover compliance issues unrelated to the main investigation, posing a risk to other companies and their executives."

Related:4 Big Regulatory Issues To Ponder in 2023

For the current SEC probe, Kim said the affected firms will likely be making big payouts. “There will probably be a settlement and some sort of fines. That’s the industry trend lately,” he said.

SEC Chair Gary Gensler, in a press release, said record-keeping fines are essential to business regulation. “Since the 1930s, such recordkeeping has been vital to preserve market integrity,” he said. “As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.”