CCO Resource Center: E-Communications Policies and Procedures

Chief Compliance Officer Committee

Members’ Electronic Communications Policies and Procedures

In December 2021, the SEC settled an enforcement proceeding with JP Morgan Securities, a broker-dealer involving electronic communications on social media. (See https://www.sec.gov/litigation/admin/2021/34-93807.pdf) In the settlement, the firm admitted that it had violated the recordkeeping requirements of the Federal securities laws by failing to capture and maintain “off channel” communications, such as those on What’s App and other platforms. The settlement noted that this failure was not limited to certain persons in the firm but, instead, was rampant throughout the firm and violations were committed by all levels of employees, including those in senior management. (No individuals were named as respondents in this action.) In settling this case, in addition to being required to admit to the violations, the firm was fined $125 million and had to agree to rigorous undertakings. These included requiring the firm to retain a Compliance Consultant to address the issues described in the action. Among other things, the Compliance Consultant must:

  • Conduct a comprehensive review of the firm’s supervisory, compliance, and other policies designed to ensure all e-communications, including those on personal devices, are preserved as required by law;
  • Conduct a comprehensive review of the firm’s training related to preservation of e-communications, including those on personal devices;
  • Ensure that firm employees are required to certify at least quarterly that they are complying with preservation requirements;
  • Assess the firm’s surveillance program to ensure compliance with requirements related to preserving e-communications, including those on personal devices;
  • Assess the technological solutions the firm has begun to implement to meet its recordkeeping requirements under the law, including assessing “the likelihood the firm’s personnel will use these solutions and the firm’s ability to track such usage;”
  • Review the firm’s e-communication surveillance routines to ensure that e-communications through approved communications methods found on personal devices are incorporated into the firm’s overall communications surveillance program; and
  • Conduct a comprehensive review of the framework adopted by the firm to address instances of employees’ non-compliance with the firm’s policies and procedures regarding the use of personal devices to communicate about the firm's business. Such review must include how the firm determined which employees failed to comply with its policies and procedures, the corrective action carried out, an evaluation of who violated the policies and why, what penalties were imposed, and whether such penalties were handed out consistently across business lines and seniority levels.

A fuller description of the undertakings the firm had to agree to can be found in the ICI’s memo No. 33965 (December 17, 2021), which summarized the case. A link to this memo is below.

This action was followed in September 2022 by 15 other actions alleging the same violations by a variety of broker-dealers. Like the JP Morgan case, these cases involved broker-dealers failing to capture and maintain off-channel communications. Also, like JP Morgan, the majority of these firms were fined $125 and required to agree to undertakings substantively similar to those impose on JP Morgan. [Two of the firms were only fined $50 million and one was fined $10 million. It is not obvious from the orders why these three firms received smaller fines.] In announcing these cases, the SEC’s Enforcement staff noted that the SEC’s review of off-channel communications is “on going.” [See https://www.sec.gov/news/press-release/2022-174. The press release also includes a link to the orders in these cases.] The ICI sent members a memo, No. 33965 (October 12, 2022), summarizing these cases.  The memo included a list of documents the SEC has been seeking from registrants as it continues this review. There is a link to this memo below. 

There is an important caveat to keep in mind as the SEC continues to focus on “off channel” communications. The actions, to date, have been filed against broker-dealers. Under the Federal securities laws, the records broker-dealers are required to keep pursuant to SEC Rules 17a-3 and 17a-4 under the Securities Exchange Act are quite broad and include all records relating to “the business as such” of the broker-dealer. By contrast, the recordkeeping requirements imposed on advisers and investment companies, Rule 204-2 under the Investment Advisers Act and Rules 31a-1 and 31a-2 under the Investment Company Act, respectively, are far more limited. Accordingly, if advisers’ and funds’ recordkeeping policies and procedures track these narrower recordkeeping requirements, they are less likely to have off-channel communications subject to the recordkeeping requirements and therefore likely less susceptible to an enforcement action relating to such communications. However, for those fund complexes that include broker-dealers, it is not uncommon for their recordkeeping requirements to default to the broader requirements of the Exchange Act’s requirements. [For more information on the recordkeeping requirements applicable to mutual fund complexes, see the ICI white paper, Recordkeeping Requirements For a Mutual Fund Complex (2018), which is available in the Miscellaneous Resources section of the CCO Resource Center under the heading “Recordkeeping.”]

Against this backdrop, in late 2022, members of the CCO Committee asked us to collect members’ electronic communications policies and procedures. As members reconsider their own current policies and procedures, they wanted to compare them to their colleagues to make sure they are comprehensive as possible. We collected members’ policies and procedures, anonymized them, and compiled them. Links to this compilation as well as the two memos mentioned above are below. Please note that we have made every effort to redact any identifying or proprietary information from these documents. We apologize in advance if we failed to completely redact such information. Please do not share this document with anyone outside of your member firm. As additional members of the Committee share with us any policies and procedures they have relating to electronic communications, we will add them to this compilation.

A final note of advice for members. Anytime you conduct a review of your policies and procedures, including those relating to recordkeeping, it is advisable to maintain a record of your review – even if no changes were made. This record will serve you well as evidence of your ongoing compliance efforts should the SEC’s staff ask questions about actions you’ve taken to ensure that your policies and procedures are up-to-date and your familiarity with the SEC’s expectations in the wake of an enforcement proceeding involving another registrant. 

Here are the links to the information discussed above:

The documentation provided by ICI that may be accessed by members of the CCO Committee is restricted to the member’s use only and not for distribution or reproduction. Documentation may be used internally at member organizations but may not be shared outside the organization.