A Messaging Violation in Detail
Amid all the consternation these days about employees’ improper use of messaging apps, how did we overlook this? An enforcement action from FINRA earlier this year over a financial firm’s mishandling of iMessages, one that offers a fascinating glimpse of the control failures that can happen here.
The firm in question is Deloitte Corporate Finance, a subsidiary of Deloitte that helps clients with M&A projects and debt financing. That makes the firm subject to FINRA oversight; and one of its many compliance obligations is FINRA Rule 4511, requiring firms to preserve their books and records.
So what happened? As outlined in a FINRA disciplinary report published in March, Deloitte Corporate was fined $200,000 for failing to preserve iMessages that employees sent and received on company-issued iPhones. (Deloitte Corporate neither admitted to nor denied FINRA’s findings, but consented to the sanctions and to the entry of findings.)
The details are as follows. Deloitte Corporate allowed its employees to use text messages to do business on the company-issued iPhones. Except, by default an iPhone sends messages to other Apple devices as end-to-end encrypted iMessages, and Deloitte Corporate’s third-party archiving system couldn’t capture and retain such messages. So the firm decided to disable the iMessage function — which would mean that the phones could only send and receive standard text messages, which could be captured and archived.
So what went wrong? IT managers noticed that when they tried to disable iMessages on new employees’ iPhones, the disabling control wasn’t working, possibly because of an issue with a new version of the iPhone operating system. Even worse, the person at Deloitte Corporate in charge of rolling out that disabling control left the firm, and his control duties weren’t assigned to a new person. So the disabling control wasn’t functioning on newly issued iPhones, and as time passed and the firm hired more new employees, the records retention failure kept getting worse.
Eventually one employee mentioned sending and receiving specific text messages that Deloitte Corporate couldn’t find in its archiving system. Management investigated and discovered the error: that lots of people were blissfully texting away via iMessages, and none of those communications were being captured.
Management then collected the errant iPhones, uploaded the iMessages into its archiving system, and worked with tech vendors to implement a better blocking control that worked as originally planned.
What This Case Tells Us
Sure, the penalties involved in this case are small — but who cares? For anyone who wants to understand how messaging compliance violations happen at a practical level, and the measures you need to take to avoid those violations, this is an excellent case to study.
First is the risk assessment of IT devices to understand your messaging risks. Deloitte Corporate did well at the beginning here, because it correctly identified that iMessage encryption can leave text messages unobtainable. Then again, eventually that risk assessment fell out of date because the blocking control that the firm deployed stopped working.
If we assume that an update to the iPhone operating system caused the control failure, that’s a powerful reminder too: that modern corporations struggle mightily to control their IT operating environment, and it needs constant attention. So do you have policies and procedures to re-evaluate controls every time one of your technology providers updates its systems? Have you tested those procedures to be sure they work? If an upgrade then makes a control defective, do you have compensating controls and procedures to remediate the situation?
Second, remember that compliance officers can’t do this alone because they don’t know the tech — but IT people can’t do this alone either, because they don’t know the compliance obligations. Both teams need to work together, sifting through each system, app, and device, to assure that their configurations meet your compliance requirements. (I know one lawyer who spent seven hours on a Saturday going through all a client’s messaging apps with the IT team, configuring controls for each one. Who says compliance isn’t thrilling?)
The third lesson here, however, has little to do with tech. The control failure described above happened because a key person left, and that person’s duties weren’t properly re-assigned to other workers. That kind of error can happen all the time, in all sorts of ways: a supervisor gets laid off and an approval process stops working; or one half of a two-person review process is on vacation so the second person does both duties; or, as we see here, somebody quits and everyone else overlooks a critical task that person did.
It’s a reminder that control duties need to be assigned to specific roles, with clear communication between HR and other risk management functions — so that when Joe from IT takes a new job, internal audit or the compliance team gets an alert that Joe’s control duties are currently going unattended.
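To make the three lessons concrete, here is an added example of the kind of continuous control check that would have caught Deloitte Corporate’s failure early. It is illustrative code written for this post, not anything FINRA, Deloitte or an MDM vendor supplies. It assumes a device inventory export from an MDM (the field names are assumptions, except `allowiMessage`, which is Apple’s Restrictions profile key for disabling iMessage on supervised devices), a control register naming who owns each control, and an HR feed of active accounts; all three data sets are constructed inline.

```python
"""Continuous control check for an MDM-enforced iMessage block (constructed example)."""
from collections import Counter
import json

# Constructed MDM inventory export. In a real deployment this would come from the
# MDM vendor's API; the field names are assumptions, except "allowiMessage", which is
# Apple's Restrictions payload key (false = iMessage disabled; honoured only when supervised).
INVENTORY_JSON = """
[
  {"device_id": "IPH-001", "user": "alice", "os_version": "16.4", "supervised": true,
   "restrictions": {"allowiMessage": false}},
  {"device_id": "IPH-002", "user": "bob",   "os_version": "16.4", "supervised": true,
   "restrictions": {"allowiMessage": false}},
  {"device_id": "IPH-003", "user": "carol", "os_version": "17.0", "supervised": true,
   "restrictions": {}},
  {"device_id": "IPH-004", "user": "dave",  "os_version": "17.0", "supervised": true,
   "restrictions": {"allowiMessage": true}},
  {"device_id": "IPH-005", "user": "erin",  "os_version": "16.4", "supervised": false,
   "restrictions": {"allowiMessage": false}}
]
"""

# Constructed control register: the named owner of each compliance control.
CONTROL_REGISTER = {
    "imessage_block": {"owner": "jsmith", "description": "Disable iMessage via MDM restriction"},
    "sms_archive_feed": {"owner": "archiving-team", "description": "SMS capture to archive vendor"},
}

# Constructed HR roster of active accounts; "jsmith" has left and is absent.
ACTIVE_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin", "archiving-team"}


def imessage_blocked(device):
    """True only when the restriction is explicitly enforced on a supervised device.

    A missing key means Apple's default (iMessage allowed), and the restriction is
    only honoured on supervised devices, so both cases count as 'not blocked'.
    """
    restrictions = device.get("restrictions", {})
    return bool(device.get("supervised")) and restrictions.get("allowiMessage") is False


def find_unblocked_devices(inventory):
    """Device ids on which iMessage is still usable, i.e. where the control has failed."""
    return sorted(d["device_id"] for d in inventory if not imessage_blocked(d))


def unblocked_by_os_version(inventory):
    """Count failures per OS version; a cluster on one version points at an OS-update regression."""
    return dict(Counter(d["os_version"] for d in inventory if not imessage_blocked(d)))


def find_orphaned_controls(register, active_accounts):
    """Controls whose owner no longer appears in the HR feed of active accounts."""
    return sorted(name for name, ctl in register.items() if ctl["owner"] not in active_accounts)


def run_checks(inventory_json=INVENTORY_JSON, register=CONTROL_REGISTER, active=ACTIVE_ACCOUNTS):
    """Run all three checks and return a report dict suitable for an alert or audit ticket."""
    inventory = json.loads(inventory_json)
    return {
        "unblocked_devices": find_unblocked_devices(inventory),
        "unblocked_by_os_version": unblocked_by_os_version(inventory),
        "orphaned_controls": find_orphaned_controls(register, active),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Run on the constructed data, the report flags IPH-003 (restriction missing), IPH-004 (restriction present but set to allow) and IPH-005 (unsupervised, so the restriction is not honoured), shows that two of the three failures sit on the newer OS version, and reports that the `imessage_block` control has no active owner. The point of the design is that each check is cheap and scheduled, so a regression after an OS update or a departure in IT surfaces as an alert rather than as a chance remark from an employee months later.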
Other Enforcement Cases
I’m also intrigued by this case for what it tells us about other enforcement actions over messaging apps that we’ve seen lately. For example, earlier this month the Securities and Exchange Commission sanctioned two broker-dealer firms for poor oversight of employees using “off-channel communications.”
As usual with such cases, the SEC required both firms to hire an independent compliance consultant to review their messaging policies, procedures, and controls. One part of that consultant’s assignment is this:
An assessment of the technological solutions that [the firms] have begun implementing to meet the record retention requirements of the federal securities laws, including an assessment of the likelihood that personnel will use the technological solutions going forward and a review of the measures employed by [the firms] to track employee usage of new technological solutions.
To be clear, Deloitte Corporate Finance was not one of the two firms sanctioned by the SEC, and Deloitte Corporate didn’t need to have an independent consultant review its program. But the Deloitte Corporate case does give us a sense of what these independent consultants might review at other firms. When we see abstract language in enforcement actions about “technological solutions” firms have implemented, and “reviews of the measures employed” — Deloitte Corporate’s missteps are an example of what these consultants might ask about.
Now, we should remember that when the SEC and Justice Department sanction firms over messaging, typically those enforcement actions involve failures of corporate culture, where supervisors who should know better are violating the messaging app policies.
But technology does play an important role in getting messaging compliance right or wrong, and this overlooked case is a good example of how.
