A Reminder On Retaining Records Of Staff's Communications
Last year, federal regulators' holiday gift to financial services firms was not a chronicle of good tidings; it was a cautionary tale targeting one of the sector's biggest players.
On Dec. 17, 2021, two federal agencies simultaneously unveiled charges against JPMorgan Chase and announced their settlement to the tune of $200 million.[1] JPMorgan agreed to the fines, as well as various remedial actions, after admitting to years of failing to preserve business communications its employees exchanged via apps on their personal devices.
In their announcement, the agencies warned of additional enforcement actions to come against other financial services firms. But even absent that stern admonishment, firms and corporations would do well to heed the high-profile reminder of the nature and scope of their duties to appropriately retain company data.
Background
As alleged by the U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission, and admitted by JPMorgan, the firm's employees for the last several years made extensive use of various communications channels on their personal phones and devices to discuss and conduct business.
These channels included personal email accounts and chat and messaging applications such as WhatsApp. All of these channels were unauthorized by the firm, so none of them were monitored or subject to company records retention policies.[2]
Since the 1930s, federal securities laws and regulations have required financial services companies to retain, and keep accessible, various documents and records related to their business operations.[3] Numerous regulations specifically require the retention of employees' business-related communications,[4] a category of records that has grown in recent years to include email, text messages and communications via instant messaging applications.
The charges and fines against JPMorgan serve as an emphatic reminder that these record retention requirements extend to business communications wherever they are conducted, including on employees' personal accounts, apps and devices.
Key Aspects of the Charges and Settlements
Regulators learned of unauthorized communications via third parties.
Although JPMorgan ultimately admitted to the underlying misconduct, it was not self-reported. The SEC and CFTC orders highlight that investigators only learned of JPMorgan employees' use of unauthorized communications methods by chance: The agencies received copies of some such JPMorgan communications from third parties in the course of other investigations.
Investigators then determined that some of those communications should have been provided in response to subpoenas previously issued to JPMorgan and subsequently confronted the firm.[5]
JPMorgan's misconduct impeded regulators' investigations.
Until federal regulators raised the issue, JPMorgan had not collected any of its employees' communications via unauthorized channels.
According to the SEC, this failure to retain relevant records, and therefore the inability to produce them in response to the commission's requests, "compromised and delayed Commission investigations."[6]
The problem was firmwide and well-known internally.
As described repeatedly by the SEC and CFTC, JPMorgan's record retention failures were long-standing,[7] firmwide,[8] and involved "employees at all levels of authority."[9]
The orders further note that the conduct at issue was "not hidden";[10] Rather, the conduct continued "[e]ven after the firm became aware of significant violations."[11]
JPMorgan's policies already prohibited the behavior at issue.
Both regulators' orders emphasize that JPMorgan had policies in place to prevent the violations alleged and admitted here. Namely, the use for business purposes of unapproved electronic communications channels — specifically, personal email accounts and text and messaging applications — was expressly prohibited.
The failure here was enforcement of those policies.[12]
Supervisors engaged in improper communications.
Underscoring the point on the lack of policy enforcement, the SEC and CFTC orders highlight that managing directors and senior supervisors were also implicated. As the orders put it, the "people responsible for supervising employees to prevent this misconduct" were themselves failing to follow company policy.[13]
No aggravating misconduct was alleged.
Significantly, neither the SEC nor the CFTC alleged that the unauthorized communications channels were used for any unlawful purpose. Neither agency's order mentioned any misconduct beyond the use of unauthorized communications channels resulting in the failure to retain required records.
The data retention charges alone accounted for the entirety of the $200 million in fines.[14]
The Landscape Ahead
In its press release announcing the charges and settlement, the SEC noted that its investigation of these matters continues, and it has begun looking into the record retention policies and practices at other financial firms.[15] JPMorgan may have been the first to run this gauntlet, but it likely will not be the last.
Outside of financial services and other highly regulated sectors, companies may not be subject to comparable targeted laws and regulations for proactive records retention. But all companies are potentially subject to discovery obligations in litigation, which frequently require collection, review and production of employees' business communications via email and messaging services.
Moreover, in certain circumstances, those obligations have recently been found by courts in various jurisdictions to include preservation and collection of business communications and data located on employees' personal devices.[16]
Considerations for the Future
In addition to the monetary fines levied against JPMorgan, the firm's settlements with the SEC and CFTC require significant remedial measures.
Foremost among those, the firm has had to retain a compliance consultant to conduct a comprehensive review and assessment of its compliance policies, training practices, communications surveillance programs, measures to prevent the use of unauthorized communications channels, and record retention policies and technological solutions.[17]
And the settlements are exacting in their expectations: By their express terms, all final recommendations from the consultant must be implemented by the firm.[18] Other firms and corporations would do well to heed the lessons of JPMorgan's experience and conduct their own assessments on their own terms before federal regulators step in.
To that end, firms and corporations should consider these proactive actions to get the corporate house in order:
- Harmonize and consolidate various record retention, information security, acceptable use and business communications policies into a cohesive and consistent information governance policy. Doing so helps to set the overarching expectations for information and data across the corporation, while still allowing for sub-policies directed at specific business functions or governance concerns.[19]
- Revisit technology-related policies and practices to ensure continued suitability as new communications channels gain popularity, data becomes ever more portable and employees increasingly work outside the office.
- Consider whether to continue or introduce a bring-your-own-device policy[20] and whether there are additional work-issued — and work-controlled and work-surveilled — technology solutions that would better meet employees' needs.
- Assess current mobile device management systems to identify gaps in capabilities and potential new solutions, including as applied to employees' personal phones and devices where appropriate.
- Investigate the use of application and platforms to determine if there is any use of unauthorized channels or locations for communicating or storing business information. It is critical to understand what is actually happening on the ground in the enterprise to gauge the potential exposure and need for remediation.
- Stand up or reinforce internal controls sufficient to enforce the information governance policy.
- Update employee training modules to reflect current use cases and new technologies;
- Provide clear delegation of formal supervisory duties throughout the business functions and empower informal supervisors to identify concerns;
- Authorize compliance department personnel to conduct communications surveillance and monitoring, where appropriate; and
- Require regular certifications and attestations from employees to confirm compliance with corporate policy.
Corporations undertaking such internal assessments may find that the policies and practices that may have been sufficient over the last two decades are increasingly showing their age.
For example, the tide is unlikely to turn on trends like a more remote workforce — relative to just a few years ago — the pervasiveness of the use of personal devices to conduct business, and the growing popularity of new communications apps like WhatsApp.
This reality means that the need for well-developed and appropriately tailored information governance protocols and policies is more important now than ever before.
The SEC concluded its press release on the JPMorgan settlement by promising additional investigations and encouraging other firms to self-report information governance and record retention failures.[21]
Ideally, if proactive actions are implemented, a corporation that finds something worth self-reporting will be able to contemporaneously highlight the remedial measures it has already taken.
Jordan Blumenthal is counsel at Redgrave LLP.