Taking Regulatory Enforcement of Record-Keeping Rules to the Brink

Kathleen Elizabeth Cassidy

To the shock of no one with a job and a smartphone, employees use their personal devices to communicate about work and with colleagues and business contacts. That has never been truer than over the past two years, with employees working from home, on staggered schedules, or in a hybrid mix where some people work in the office and some people work at home. Conversations that would have taken place from one seat on a trading desk to another, across a cubicle, or in the doorway of a colleague’s office—and would never have been captured in writing—now are often memorialized in the informal medium of a text or a WhatsApp exchange. Banks and other financial institutions subject to the regulations of the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), or Financial Industry Regulatory Authority (FINRA) have long prohibited the use of personal devices and unmonitored apps for business communications. That rule is far more difficult to enforce when the behavior occurs out of sight of the employer and colleagues.

Impact of the Recent Settlement Between JPMorgan and the SEC and CFTC

The recently announced settlement between JPMorgan and the SEC and CFTC—and the $200 million fine imposed by the SEC and CFTC for failure to prevent and preserve business-related communications on non-approved channels (J.P. Morgan Sec. LLC, Order, SEC Case No. 3-20681 (Dec. 17, 2021) (SEC Order); JPMorgan Chase Bank, Order, CFTC Case No. 22-07, (Dec. 17, 2021) (CFTC Order)—demonstrates that regulatory authorities are aggressively pursuing enforcement of these record-keeping requirements and are not inclined to overlook companies’ failure to prevent communications on private channels and capture and retain those communications as a pandemic glitch. (J.P. Morgan Securities LLC entered into the settlement with the SEC and JPMorgan Chase Bank, N.A., J.P. Morgan Securities LLC, and J.P. Morgan Securities plc entered into the settlement with the CFTC. This article refers generally to “JPMorgan” without specificity as to which entity.)

In a speech in October 2021, Gurbir Grewal, director of the SEC’s Division of Enforcement, warned that “[a] proactive compliance approach requires market participants to not wait for an enforcement action to put in place appropriate policies and procedures to preserve these communications and anticipate these emerging challenges.” Gurbir Grewal, Director, SEC Division of Enforcement, Speech at PLI, Broker/Dealer Regulation and Enforcement 2021 (Oct. 6, 2021). The related SEC and CFTC actions in December against JPMorgan, which included admissions by the bank or its subsidiaries of violating the record-keeping rules, along with the $200 million fine (the largest fine in history for record-keeping violations), show how serious the regulatory authorities are about strict compliance with these rules, notwithstanding the logistical, privacy, and legal concerns that internal controls designed to achieve exacting compliance with the record-keeping rules will raise. See SEC Order at 1 & 11; CFTC Order at 1 & 10–11.

Key Lessons from the JPMorgan Settlement

Beyond prohibiting business communications on channels outside a firm’s reach, what can and should firms do to ensure compliance? And how will that affect their employees now or in the event of a future government investigation? The JPMorgan settlement acknowledges that JPMorgan had an internal policy prohibiting the use of non-business channels of communication for discussing firm business. It has also been reported that JPMorgan reminded employees of its policies regarding records retention at the beginning of the pandemic. Hannah Levitt & Michelle F. Davis, “JPMorgan Staff Irked Over Order to Save Texts on Personal Phones,” Bloomberg, June 11, 2021. (Subscription required.) Despite these steps, the SEC and CFTC charged JPMorgan with, and JPMorgan admitted to, the failure of its internal controls to prevent or detect violations of the policy, both before and during the pandemic. See SEC Order at 1–7; CFTC Order at 1–4 (The SEC alleged violations spanning from at least January 2018 through November 2020, and the CFTC alleged violations spanning from at least July 2015).

Setting aside that some high-level employees at JPMorgan were allegedly themselves engaging in communications on prohibited channels (which tends to show how entrenched such forms of communication are even when the prohibition and the consequences of violating it are well known), how would JPMorgan’s internal controls have picked up that employees were communicating on personal devices on prohibited channels? Should the firm require its more than 240,000 employees to submit their personal devices for regular review or copying of their messaging apps to ensure any relevant records are saved by the company? It would be untenable, both financially and logistically, to search or review the messaging apps and personal emails of each employee or even a targeted group for relevant messages required to be preserved under record-keeping rules, meaning that wholesale copying or requiring an employer access point to the data would be more likely. Notably, as the Financial Times reported, Credit Suisse has asked employees for access to their personal devices if they are used to communicate with clients or colleagues. Joshua Franklin & Stephen Morris, “Credit Suisse Seeks Access to Personal Staff Mobiles,” Fin. Times, Dec. 11, 2021. (Subscription required.)  

Employees would understandably balk at allowing their employer unfettered access to their personal devices and communications, and such rules could drive employees to maintain a separate personal device unknown to their employers or to increase their use of messaging apps such as Signal, Telegram, or Snapchat that offer end-to-end encryption, disappearing messages, or both, so that no retrievable record of the conversation remains on the device or with the provider. These unintended but predictable consequences would only thwart the regulators’ and the employers’ ultimate interests in obtaining and preserving any business-related messages required to be preserved under the rules.

Potential Solutions

A potential and preferable solution is the technological one hinted at in the SEC and CFTC orders and suggested by some commentators—that companies like JPMorgan provide employees with mobile business messaging apps hosted by the company, which would encourage messaging over an approved but convenient channel that the company could access and preserve. The Financial Times reported that in 2021 JPMorgan had its bankers install an app on their work phones that records all calls and tracks messages. Stefania Palma & Joshua Franklin, “JPMorgan to Pay $200m Over Staff Messages on Personal Devices,” Fin. Times, Dec. 17, 2021. (Subscription required.) That way, employees could avail themselves of the convenience of channels like texting and WhatsApp on their phones while still complying with firm policies.

Employees intent on not following the rule, or on keeping communications private, will still be able to evade surveillance with little difficulty by using other devices or platforms. But unless there are known violations that high-level management at the company ignores (as was alleged with respect to JPMorgan), regulators should not consider employee evasion to be a failure of the entity’s internal controls. Employees with access to increasingly sophisticated technologies will no doubt stay one step ahead of their employers and will resist the company’s intrusion into all their forms of communication, and the company’s internal controls, no matter how strict, are unlikely to achieve 100 percent compliance.

Ultimately, aiming to capture every single communication related to business would be a futile and overwhelming task for the employers charged with capturing them and the regulators or other litigants who subpoena and review them. Trying to capture every text or WhatsApp that exists about a topic would be like trying to capture every spoken word (the original “ephemeral message”)—not possible nor desirable—and regulators will have to come to terms with the limits of their capacity to force financial entities to capture every communication.

More intrusive methods would not be effective, nor should they be tolerated by employees or demanded by the regulatory agencies. Regulatory agencies and employers already have powerful tools and the leverage to obtain most relevant business communications held by employees on personal devices. An employee has limited ability to refuse to turn over to the employer any business documents maintained on his or her personal device. Employers wield the power of termination of employment for failure to turn over business documents. Regulators, of course, have immense power over the individual’s profession and even liberty, in the case of a criminal investigation.

Still, from the employee’s perspective, there is a big difference between the ability to demand business-related messages on a personal device and giving the employer access to the entire device, especially if a regulatory or criminal investigation may arise in the future. If the company has access to the individual’s personal phone for purposes of collecting and maintaining work-related messages, the employee has likely already lost the ability to assert any rights over his or her communications on that device, and the government would be able to subpoena the company directly for the communications. In contrast, if the employee retains control over the device, the employee or his or her individual attorney will be able to assert some control over the process of sorting business from personal communications, with an eye toward preserving any individual rights or privacy interests the employee may have. Significantly, even if a device is used for business communications, an employee retains the right in certain circumstances to assert the Fifth Amendment privilege against self-incrimination, at a minimum as to the act of producing personal documents demanded by the government, where the very “act of producing evidence in response to a subpoena has communicative aspects of its own, wholly aside from the contents of the papers produced.” Fisher v. United States, 425 U.S. 391, 410 (1976). See also In re Sealed Case, 877 F.2d 83, 85–85 (D.C. Cir. 1989) (“[T]he ‘act of production’ of incriminating evidence may be protected by the Fifth Amendment where that act would have independent testimonial significance, as by manifesting the holder’s acknowledgement of the existence of the documents or his custody or control over them, or his belief that they fit the description of the subpoena.”) (citing Fisher, 425 U.S. at 410–11). These employee interests should be taken into consideration and must be preserved in determining how far companies must go to achieve compliance with the record-keeping rules.

The employee’s and employer’s interests are aligned here, as employers should be loath to take on the burden of responding to subpoenas for documents held on employees’ personal devices or policing all communications on those devices. As the Supreme Court has pointed out, our phones are “a digital record of nearly every aspect of [our] lives—from the mundane to the intimate” (Riley v. California, 573 U.S. 373, 395 (2014)), and access to them carries devastating consequences for our individual privacy—something that should be a concern to everyone, including regulators.