Another Take on Messaging Apps

For nearly three years now, the Securities and Exchange Commission has fired off one enforcement action after another at the financial services industry for employees’ improper use of messaging apps. Today let’s consider two contrarian voices that raise a fair question: exactly how are firms supposed to satisfy this nearly impossible compliance goal?

Those contrarian voices are Hester Peirce and Mark Uyeda, the two Republican commissioners at the SEC. Earlier this week Peirce and Uyeda published a joint statement that came out swinging against such penalties, urging the SEC to reconsider its approach to off-channel communications because “it does not appear that firms have an achievable path to compliance.”

I suspect more than a few compliance officers would agree. So let’s take a close look at what Peirce and Uyeda had to say.

First, the history here. The SEC began enforcing against employees’ use of “ephemeral messaging apps” back in 2021, with a $200 million penalty against JP Morgan. Since then the agency (and occasionally other regulators) have fined dozens of firms a total of more than $1 billion. Typically the firms must also hire an independent compliance consultant, who then makes the firm spend scads of money on policies, procedures, and reporting to clamp down on recordkeeping failures. 

SEC enforcement against off-channel communications is now so routine that it barely makes news any more, such as when I ignored an announcement Monday that 11 more firms were fined a total of $88 million. Like, what more is there to learn from these cases? Same stuff, different firms. 

Peirce and Uyeda saw things differently. They picked up the plight of Qatalyst Partners, one of the 11 firms sanctioned earlier this week. The good news is that Qatalyst will not pay any monetary penalty because it did everything right: voluntary self-disclosure, cooperation, remediation of compliance program weaknesses.

The bad news, Peirce and Uyeda argued, is that Qatalyst (and many other firms behind it) must still meet painfully high SEC compliance expectations. “Today’s action against Qatalyst illustrates why we cannot enforce our way to compliance,” the commissioners wrote. “Under the standard applied in this case, even well-intentioned firms could find themselves in the Commission’s enforcement queue time and again.”

Struggles With Compliance for Years

As noted in the SEC settlement order, Qatalyst had been battling employees’ use of off-channel communications as far back as 2008. For example, the firm had clear policies against the practice, and reinforced its policies at least annually with regular, mandatory training. Employees were specifically advised not to list personal phone numbers in email signatures. 

Then Qatalyst did more. In 2017, it provided employees with a compliant text-messaging process that could retain business communications. In 2020, it required all personnel to use a firm-issued device to conduct business. Then came more policies in 2020 and 2022 to retain Slack and LinkedIn communications. Qatalyst had procedures for all personnel, including supervisors, that required annual self-attestations of compliance. It also encouraged adherence to its policies by disciplining firm personnel for failure to retain off-channel communications.

In other words, Qatalyst increased its compliance posture as the risk increased and evolved. That’s the way it’s supposed to work. Then a few bad apples evaded those restrictions and used improper messaging apps anyway — and when they did, Qatalyst self-disclosed, cooperated, and remediated. So the firm embraced the spirit of ethics and compliance, which is also the way it’s supposed to work.

So given all that, what was the specific offense that drew the SEC’s ire? The agency described it as follows:

While permitting personnel to use approved communications methods, including on personal phones, for business communications, Qatalyst failed to implement sufficient monitoring to ensure that its recordkeeping and communications policies and procedures were always being followed. 

The word “always” in that final sentence is what drew Peirce and Uyeda’s ire.

“This statement sounds to us like one that equates reasonableness with perfection,” they wrote. “If we assess reasonableness based on whether policies and procedures always are being followed, firms will never escape our enforcement net. People are not perfect and so compliance will not be perfect — even at a firm that tries as hard as Qatalyst.”

The commissioners aren’t wrong. “Reasonable” does not mean perfect, but “always” typically does. With all the complexities of modern electronic communication, can we really expect any firm’s compliance program to meet such expectations?

Messaging Compliance in the Future

Peirce and Uyeda kept going. Current SEC recordkeeping rules “are a product of simpler times,” they wrote, and now are woefully out of step with how people communicate today — so perhaps the SEC should revisit them?

They then sketched out numerous issues that do at least merit contemplation, such as:

  • Many conversations that happened orally once upon a time now take place by text. Therefore, “Should we revisit the recordkeeping rules so that they do not capture the modern-day equivalent of oral chatter?”
  • Some clients might prefer to communicate by off-channel messaging apps, especially if you have a personal relationship with the client. (Say, you’re an investment adviser to your neighbor.) “How can we help firms as they think about seamless ways to accommodate client communication preferences and still meet recordkeeping obligations?”
  • Monitoring employees’ personal devices for off-channel communications can intrude on privacy rights. “So, What are best practices for monitoring compliance with off-channel communication prohibitions? How do the securities recordkeeping rules interact with other laws, such as employment or privacy laws?”

We could keep going; Peirce and Uyeda certainly do, with more vexing but legitimate questions about how SEC recordkeeping rules no longer square with reality. Compliance officers are left to shoulder that burden anyway.

Still, this is where I roll my eyes at Peirce and Uyeda. The SEC isn’t going to change its rules — at least, not this SEC, under a Democratic administration — and they full well know it. Thanks to recent Supreme Court rulings such as the Loper Bright decision (ending the Chevron doctrine) and Corner Post (allowing new challenges to long-standing federal rules), it’s now going to be far easier for people to challenge agency rules.

So from the SEC’s perspective, why bother? Why go through the labor of adopting a new rule that by some miracle reaches a consensus on what “reasonable” efforts are, when right-wing activists will take the rule before a right-wing judge and invalidate all that work anyway? Just stick with regulation by enforcement, since most companies will settle rather than engage in expensive, risky court fights. 

That leaves compliance officers, Republican SEC commissioners, and even the SEC itself all in positions that nobody wants: laboring under rules that no longer make sense, trying to build compliance programs that can’t achieve the objective that was set, with no hope for a wiser solution any time soon. Ain’t life grand? 
