Appendix
SEC Recordkeeping Rule 17a-4
In January 2023, the SEC welcomed in the New Year by announcing that it would amend recordkeeping Rule 17a-4 for the first time in 25 years. SEC Chair Gary Gensler said in a statement that the changes were intended to “modernize” electronic recordkeeping requirements and “bring the Commission’s electronic recordkeeping requirements in line with technological innovation.”
U.S. DOJ ECCP amendments
In March 2023, the U.S. Department of Justice (DOJ) announced “significant changes” to its Evaluation of Corporate Compliance Programs (ECCP), meaning that, for the first time, the DOJ will now consider a corporation’s approach to “the use of personal devices as well as various communications platforms and messaging applications” when conducting criminal investigations. Unlike the Rule 17a-4 changes, the updated ECCP approach spans all corporate entities, meaning that organizations across all industries must now consider their approaches to recordkeeping for communication data.
In particular, the DOJ’s ECCP changes mean that, in the course of criminal investigations, it will be looking to see that business-related electronic data and communications “can be preserved and accessed” as appropriate, as well as examining the use of any “bring your own device” (BYOD) program. The DOJ has said that its prosecutors will dig deeper within investigations and ask probing questions, including whether the company is able to access third-party communications, where these communications are stored, and whether they meet applicable privacy and local laws.
Regulation Best Interest
Regulation Best Interest (Reg BI) came into force in June 2019. Reg BI applies to Broker-Dealers, Investment Advisers, and associated persons, and establishes a “best interest” standard of conduct. Effective recordkeeping forms a key pillar of this regulation, with guidance noting:
You must meet new record-making and recordkeeping requirements with respect to certain information collected from or provided to retail customers in connection with Regulation Best Interest. […] You must retain all records of the information collected from or provided to each retail customer for at least six years after the earlier of the date the account was closed or the date on which the information was replaced or updated.
Put simply, applicable entities must capture and preserve the conversations they are having with customers. If those conversations are happening on LinkedIn, WhatsApp, or social media channels, firms must establish a way to connect this communication data to a compliant archive.
SEC’s Marketing Rule
The SEC’s Marketing Rule came into effect on November 4, 2022, and requires firms to have oversight of how their employees communicate with customers and prospects through advertising campaigns, social media, and websites. It notes that:
Social media has become an integral part of business communications. […] We recognize that electronic media (including social media and other internet communications) and mobile communications play a significant role in current advertising practices. We also believe this revision will help the definition remain evergreen in the face of evolving technology and methods of communication.
The new Marketing Rule aims to protect consumers in the face of increased digitalization. The rule was initially criticized for being unclear, but despite this criticism, the SEC issued two risk alerts announcing that the Marketing Rule is a key regulatory focus area for 2023/2024. This was reiterated in the regulator’s 2024 examination priorities.
This priority has been recently cemented in the form of an $850,000 fine issued by the SEC to a firm that breached Marketing Rule requirements by advertising “hypothetical performance to the general public on their websites.”
The SEC has made it clear that Marketing Rule compliance should be proactively tackled by financial institutions. Data capture for relevant channels to ensure recordkeeping compliance for this rule will be essential, and may be a definitive reason as to why current Connector accounts for LinkedIn and X are in such demand.
FCA’s Consumer Duty
The FCA’s Consumer Duty came into force towards the end of July 2023 and, among other things, it governs how financial services should be communicating with consumers. It asks that consumers “get communications they can understand, products and services that meet their needs and offer fair value, and they get the customer support they need, when they need it.”
While the Consumer Duty is an overarching obligation, it carries with it a wider need for firms to capture and preserve the communications and interactions that they have with customers. Once again, if these interactions are happening through non-traditional communication channels, firms will need to implement Connectors to ensure they are capturing the data they need to prove they are complying with the Consumer Duty rule.
FCA’s ‘Finfluencer’ focus
The FCA’s Financial promotions data 2022 put firms on notice that the U.K. regulator is using tools to assess website and social media data, which likely means it will be expecting firms to do the same:
During the year, we used various tools to assess around 180,000 websites which resulted in just over 4,500 websites and social media platforms being reviewed. This led to 1,441 alerts being issued and approximately 400 of the offending websites were taken down.
As part of a wider focus on financial promotions, which includes a newly published Cryptoasset Financial Promotions Regime, the FCA has expanded its search capabilities to ensure that it is tracking “all social media to identify illegal financial promotions.” This has culminated in several actions against financial influencers, or “finfluencers,” as well as a s1375 order to an online retail broker for which the FCA had “serious concerns about the firm’s financial promotions” made through social media.
European Securities and Markets Authority (ESMA) supervisory briefing
In July 2023, the ESMA issued a supervisory briefing in which it set out guidance around how social media can play a role in investment advice. It noted that:
A recommendation concerning financial instruments made through internet websites, investment apps, and/or social media (including through influencers) could, in certain instances, be regarded as a personal recommendation and not as issued exclusively to the public.
Given broader regulatory recordkeeping requirements to capture all business communication, it is clear that firms who choose to use websites or social media to promote products to the public, in certain scenarios, must also be preserving records of those communications.
U.S. enforcement
SEC/CFTC $200m enforcement for WhatsApp and SMS capture failures
In December 2021, the SEC and CFTC issued JP Morgan with combined penalties of $200 million for failure to capture WhatsApp and SMS messages. In a statement, the SEC said that:
JPMorgan employees often communicated about securities business matters on their personal devices, using text messaging applications (including WhatsApp) and personal email accounts. None of these records were preserved by the firm. The failure was firm-wide, and involved employees at all levels of authority.
CFTC enforcement for Text/SMS and WhatsApp capture failures
In September 2022, the U.S. Commodity Futures Trading Commission (CFTC) ordered 11 financial institutions to pay more than $710 million for recordkeeping failures where firms had failed to capture text and WhatsApp messages sent by employees. The regulatory rationale for the action was that:
The firms generally did not maintain and preserve these written communications, and therefore could not provide them promptly to the CFTC.
U.K. enforcement
CMA finds anti-competitive behavior in Instant Bloomberg (Bloomberg Chat)
In May 2023, the U.K.’s Competition and Markets Authority (CMA) issued provisional findings of anti-competitive behavior by five major banks, uncovered within Instant Bloomberg (Bloomberg Chat). Though not a recordkeeping failure, this enforcement made it clear to U.K. compliance teams that misconduct can take many forms, and that regulators other than those in the financial sphere are also overseeing communication activity.
PRA censure for WhatsApp recordkeeping failures
In April 2023, the Prudential Regulation Authority (PRA) censured a bank for regulatory failings including a lack of formal recordkeeping procedures to manage or retain WhatsApp data.
Ofgem fine for WhatsApp recordkeeping failures
U.K.-based energy regulator Ofgem surprised the industry in September 2023 with a £5.4 million fine to Morgan Stanley for traders’ use of private WhatsApp to discuss transactions. Ofgem detailed that the firm was found not to be “recording and retaining electronic communications.” Speaking at the time, Cathryn Scott, Regulatory Director of Enforcement and Emerging Issues at Ofgem, said:
Some of the firm’s senior executives and directors and external parties regularly exchanged messages in respect of the firm’s actual or potential transactions, its business and its strategy using the instant messaging application, WhatsApp, on both firm-issued and personal mobile phones.
However, the firm had no formal record keeping policies or procedures in place to manage or retain WhatsApp messages.
It is unacceptable that [the firm] failed to prevent electronic communications which could not be recorded or retained. It risks a significant compromise of the integrity and transparency of wholesale energy markets.
This report looks at communication capture required to meet ever-expanding recordkeeping rules. Global Relay Connectors enable compliance teams to meet various regional recordkeeping requirements, including (but not limited to):
U.K.
FCA Handbook SYSC 9.1 General rules on recordkeeping
FCA Handbook SYSC 10A.1 Application
FCA Handbook SYSC 4.1 General requirements
FCA Handbook SYSC 3.1 Systems and controls
E.U.
MiFID II Article 21
MiFID II Article 72
MiFID II Article 76
U.S.
FINRA Rule 4511
FINRA Rule 3110
Securities Exchange Act Rule 17a-3
Securities Exchange Act Rule 17a-4
Securities Exchange Act Rule 204-2
Securities Exchange Act Rule 206 – including ‘Marketing Rule’
1 Results are based on anonymized data from over 12,000 Global Relay Connectors customer accounts