Reports show SEC’s ongoing two-year Wall Street investigation includes employees’ off-channel use of private messaging apps like WhatsApp.
September 26, 2023
The US Securities and Exchange Commission (SEC) has collected “thousands” of staff messages from more than a dozen major Wall Street investment firms as part of a long-term investigation, sources told Reuters this week.
The SEC had previously asked the companies to internally review the use of WhatsApp, Signal and other instant messaging services to discuss work. The firms in the latest probe include Apollo, Blackstone, Carlyle, KKR, TPG, and more.
With the popularity of encrypted messaging services like WhatsApp, WeChat, Telegram, and other SMS apps, organizations’ compliance departments are faced with the daunting challenge of how to handle “off-channel” business communications without running afoul of federal regulations.
Ji Kim, director of operations at SEC Compliance Consultants, said the SEC’s interest in internal encrypted communications has been increasing in the last few years — particularly in the financial advisor industry. Messages that break data privacy laws can lead to massive fines. Just last month, the SEC announced $549 million in fines associated with WhatsApp and Signal use at 11 large firms, including Wells Fargo.
Last year, JPMorgan Chase, Goldman Sachs, Morgan Stanley, and Citigroup were hit with fines as well. So far, the SEC has netted more than $2 billion in fines for non-compliance with record-keeping rules. JPMorgan Chase’s issues with off-channel communications violations go back to 2018.
“These off-channel communications have become a bigger issue,” Kim told InformationWeek in an interview. “I think we’ll continue to see a lot more cases.”
Kim said the line between business and personal can get blurred when using messaging services, so companies should have a clear policy in place that separates business communications from personal communications. “Some companies have a strict rule where they just forbid any sort of text communication or SMS messaging platforms, and they have employees attest to that on a quarterly basis as part of their code of ethics requirements.”
While Kim’s firm works exclusively with financial advisor firms, he said it’s important for companies to have the right policies and procedures in place when it comes to messaging apps. “It’s important to have the appropriate policies and to make sure the compliance team is understanding what apps are being used.”
Several companies offer enterprise information archiving services for direct messaging services for reporting, with the most widely used being Smarsh and Global Relay.
Brian Fricke, CISO of City National Bank of Florida, agreed. Beyond establishing clear guidelines, companies should also use alternative messaging platforms, and conduct regular audits and training sessions, he said. "Companies should consider implementing enterprise-grade messaging platforms with end-to-end encryption that also comply with record-keeping regulations," he said.
While the most recent SEC probes have been focused on Wall Street firms, the laws regarding messaging apps and record-keeping apply to all publicly traded companies.
After the Enron and WorldCom accounting scandals of the early 2000s, the Sarbanes-Oxley Act (SOX) of 2002 sought to establish clear guidelines for business-related communications and records for publicly traded companies.
SOX laid out important rules relating to electronic records archiving and management. Companies are required to retain records — including electronic messages — for a period of seven years. All incoming and outgoing SMS messages relating to business are included in the requirements.
Fricke said other enterprises should be vigilant when it comes to encrypted messaging apps. The SEC probe has the potential to impact other industries as well, he said. "Enterprises using WhatsApp and other encrypted messaging apps for business communication might face increased scrutiny from regulatory bodies, especially if they operate in sectors with potential for compliance failures. The SEC's deep dive into these messages might uncover compliance issues unrelated to the main investigation, posing a risk to other companies and their executives."
For the current SEC probe, Kim said the affected firms will likely be making big payouts. “There will probably be a settlement and some sort of fines. That’s the industry trend lately,” he said.
SEC Chair Gary Gensler, in a press release, said record-keeping fines are essential to business regulation. “Since the 1930s, such recordkeeping has been vital to preserve market integrity,” he said. “As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.”
Shane Snider
Senior Writer, InformationWeek
Shane Snider is a veteran journalist with more than 20 years of industry experience. He started his career as a general assignment reporter and has covered government, business, education, technology and much more. He was a reporter for the Triangle Business Journal, Raleigh News and Observer and most recently a tech reporter for CRN. He was also a top wedding photographer for many years, traveling across the country and around the world. He lives in Raleigh with his wife and two children.
Copyright © 2023. All rights reserved. Informa Tech, a trading division of Informa PLC.