In 2023, nearly everybody texts. It is often difficult to avoid, particularly where a relationship has both a business and personal component. Trying to prevent employees from texting each other is often challenging, and certainly thankless. While compliance with records management requirements has rarely been top of mind for busy employees or even senior management in many industries, recent aggressive activity by US securities regulators targeting the use of other electronic messaging platforms on Wall Street is causing many to reconsider their practices.

US Securities Regulators – Recent Sanctions Related to Recordkeeping Practices

As the latest round of charges and settlements announced by the US Securities and Exchange Commission (SEC) demonstrates, failing to ensure that recordkeeping practices comply with securities law requirements can be a very costly mistake.1 Since December 2021, the SEC and the Commodity Futures Trading Commission (CFTC) have fined investment brokers and dealers, investment advisors and futures traders over US$3 billion for "widespread and longstanding failures to maintain and preserve electronic communications." The culprit? The use of "off-channel communications", i.e., text messages and messaging apps such as WhatsApp, Signal and Telegram, for business purposes.

US securities market participants are subject to specific and well-defined recordkeeping requirements. Multiple instruments2 not only define the types of records that must be created and maintained, but also the types of electronic recordkeeping systems that must be used to store those records. These recordkeeping systems must allow for appropriate supervision and have the ability to preserve records for the required duration of time in a non-rewriteable, non-erasable format, or be able to recreate an original record if it is modified and deleted.

Messaging apps like WhatsApp, Signal and Telegram allow users to exchange encrypted messages, preventing third parties from accessing data, and to delete messages without a trace. The SEC has made it clear that the use of "apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up" is "specifically prohibit[ed]."3 The SEC takes the position that such use results in violations of securities rules, prevents firms from fulfilling their supervision obligations, and deprives regulators of those off-channel communications in their various investigations.

In what appears to be a recent escalation of its enforcement and monitoring practices, the SEC has – in addition to issuing the significant fines noted above from enforcement proceedings – been reported to have moved from asking firms to review and report back on their messaging practices to requiring them to turn over thousands of staff messages discussing business that are stored on personal devices or applications. Employees specifically targeted by the probes, including senior executives, were asked to turn in their personal devices to their employers to be copied, and for messages discussing work to be extracted and turned over to the SEC. These requests are highly invasive and typically require the imaging of the entirety of the individual's personal device and a comprehensive review of communications on the device, many of which will be personal in nature.

Canadian Securities Regulators – No High-Profile Sweeps to Date, Yet

While to the authors' knowledge no similar high-profile sweeps have been conducted to date by Canadian securities regulators, Canadian securities market participants – like their US counterparts – are required to keep proper records of their business activities, transactions and compliance with securities laws.4 One notable difference from the US is that aside from the requirement that specifically enumerated records be maintained "in a durable and accessible form", Canadian regulations do not clearly establish any particular requirements for those systems or any specific mode of preserving and storing the records.

However, the failure to maintain proper records has resulted in enforcement activity from Canadian securities regulators in the past. For example:

  • a number of prior OSC decisions have taken issue with the failure to keep records of significant transactions involving the uses of investors' funds and events affecting the value of their investments.5
  • the MFDA (now CIRO) has fined multiple firms and individuals for failure to comply with its recordkeeping rules, including for deliberate failure to record transactions and "interfering" with their firm's ability to "keep such books, records and other documents as are necessary for the proper recording of its business transactions, financial affairs and the transactions it executes on behalf of others".6
  • in June 2023, CIRO settled an enforcement proceeding with an investment dealer member for significant disgorgement, fines and costs based on admissions that the member, among other things, failed to adequately record trading activities on its books and records and sold securities via private placements without creating the required records.7 In 2022, it settled another proceeding where a registered representative was charged with prohibited client communications, specifically for communicating with clients via WhatsApp and Signal messengers, contrary to the firm's policies and procedures.8

What Should Canadian Registered Firms Do to Mitigate Risk?

While it remains to be seen whether Canadian securities regulators will adopt the more aggressive stances taken by the SEC and CFTC, in the interim Canadian registered firms and individuals should review their existing policies and procedures about electronic communications and recordkeeping, the extent of compliance with those policies and procedures, and what they can do to mitigate the risk of enforcement activities.

A registered firm's policies and procedures should, ideally, make it clear what forms of electronic communications are permitted within the firm for business purposes, prohibit the use of apps and other non-compliant technology for business communications, and make it clear what employees are required to do to capture outside messages if received. Firms can also issue practical guidance, such as requiring employees to tell their clients or counterparties that they are not allowed to text, and outlining the limited instances where text messaging is permitted (such as messages checking someone's availability and other ephemeral communications that are not considered to be official records and do not need to be retained).

Bring-your-own-device (BYOD) policies in particular require close scrutiny. While attractive on a practical level, these policies can blur the line between the employer's business books and records and the employees' personal information, raising significant privacy concerns. Simply informing employees that they have no privacy rights with respect to their workplace activities does not align with the requirement under the Personal Information Protection and Electronic Documents Act9 (PIPEDA) that consent to personal information collection must be clear, informed and voluntary, and that the collection of personal information must be limited to specific and appropriate purposes.

A BYOD-specific policy should address such issues as the organization's right to monitor employees' personal devices, the privacy practices the organization has adopted with respect to the personal use of BYOD devices, acceptable and unacceptable use of BYOD devices, device security requirements and approved applications, how access requests, legal holds and legal discovery will be carried out on the devices, and the responsibilities of the firm and the employees for devices that exit the BYOD program.

Policies are only as good as their enforcement. Many of the firms charged by the SEC with non-compliance had appropriate recordkeeping policies that were widely disregarded, including by senior management. Firm employees must be trained on the creation, storage and retention of records for a policy to be effective. Firms may wish to consider requiring attestations from personnel, issuing regular reminders, and establishing audit mechanisms and potential disciplinary practices for employees who violate the policies.

The use of personal devices and messaging platforms poses significant challenges to firms and regulators. While these challenges will likely persist, taking proactive steps to address the issues of creation, retention and retrieval of electronic business communications is the best defense to potential enforcement risks faced by securities market participants.

Footnotes

1. SEC.gov | SEC Charges 10 Firms with Widespread Recordkeeping Failures

2. Including Rule 17a-4(b)(4) of the rules and regulations under the Securities Exchange Act of 1934, 15 U.S. Code § 78a; Rule 204-2 under the Investment Advisers Act of 1940, 15 U.S.C. § 80b-1 through 15 U.S.C. § 80b-21, FINRA Rule 3110 and CFTC Rule 1.31(c-d)

3. SEC, Office of Compliance Inspections and Examinations, National Exam Program Risk Alert: Observations from Investment Adviser Examinations Relating to Electronic Messaging (December 14, 2018). Online: https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Electronic%20Messaging.pdf

4. The requirements are found in the books and records sections of provincial securities acts (such as s. 19 of the Ontario Securities Act, R.S.O. 1990, c. S.5), National Instrument 31-103, Rule 3800 of CIRO's Investment Dealer Rules and Rule 5 of its Mutual Fund Dealer Rules.

5. Re Norshield Asset Management (Canada) Ltd., 2010 ONSEC 4; Re Sextant Capital Management Inc. (2011), 34 O.S.C.B. 5863 (Ont. Sec. Comm.); and Re Caldwell Investment Management Ltd. (2011), 34 O.S.C.B. 6369 (Ont. Sec. Comm.)

6. Maynes (Re), 2013 CanLII 62252 (CA MFDAC); Stuart (Re), 2016 CanLII 48527 (CA MFDAC)

7. In the Matter of Red Cloud Securities Inc., Settlement Agreement. June 21, 2023. Online: < https://www.iiroc.ca/sites/default/files/2023-07/Red-Cloud-Securities-Inc-Settlement-Agreement.pdf >

8. Re Sweeney, 2022 IIROC 22 (CanLII)

9. S.C. 2000, c. 5
