In this episode, Troutman Pepper Partners Chris Willis and Kim Phan have an in-depth discussion about the Securities and Exchange Commission's recent record retention enforcement actions.
Please join Troutman Pepper Partners Chris Willis and Kim Phan for an in-depth discussion about the Securities and Exchange Commission's (SEC's) recent record retention enforcement actions. Chris and Kim explore the uptick in enforcement actions over the last year, the claims made in these cases, the SEC-imposed requirements and penalties on these companies, what we can expect going forward from the financial services regulators, and what financial institutions should do now to get ahead of these types of enforcement actions.
Privacy + Cyber Partner Kim Phan focuses her practice on providing guidance to clients on regulatory compliance matters, including supervisory and enforcement interactions with the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and other federal regulatory agencies, including the SEC. She has successfully represented multiple national companies through the FTC investigatory process, resulting in "no-action" letters. She has counseled a national consumer reporting agency through its CFPB compliance obligations, including conducting risk assessments of consumer products and services, updating policies and procedures, and establishing an audit process to assess compliance with federal consumer financial laws. Kim also has advised clients through state attorneys general and departments of consumer protection investigations.
The Consumer Finance Podcast – SEC Record Retention Enforcement Actions
Aired: May 11, 2023
Host: Chris Willis
Guest: Kim Phan
Chris Willis:
Welcome to The Consumer Finance Podcast. I'm Chris Willis, the co-leader of Troutman Pepper's Consumer Financial Services Regulatory Practice, and I'm glad you've joined us today for a discussion about recent record retention enforcement actions by the Securities and Exchange Commission and what it means for the financial services industry as a whole. But before we jump into that very interesting topic, let me remind you to visit and subscribe to our blog at ConsumerFinancialServicesLawMonitor.com where you'll see all of our daily updates about the world of financial services. And don't forget to check out our other podcasts. We have lots of them. We have the FCRA Focus, all about credit reporting, The Crypto Exchange, which is about everything crypto, and Unauthorized Access, which is our privacy and data security podcast, and all of them are available on all the popular podcast platforms. And speaking of those platforms, if you like this podcast, let us know. Leave us a review on the podcast platform of your choice and let us know how we're doing.
Today, we're going to be talking about record retention, and in particular, I think everybody has sort of a story about being in a regulatory investigation or a piece of litigation and you go find the employees' emails or instant messages and that's where the really bad stuff is. And whenever that happens, everybody's reaction is, "Why did we keep that?" Part of the answer to that question is going to come from my guest today, my partner, Kim Phan. Kim is a partner at our Washington DC office. She's a member of our privacy and cyber group, and I'd really like to welcome her on the program today, so, Kim, thanks for being here.
Kim Phan:
Thank you for having me, Chris.
Chris Willis:
As I said, my kneejerk reaction is why are we keeping these instant messages because they're so problematic. But yet, some of the SEC enforcement actions that we're about to talk about involve things like instant messages and text messages. In the past year, the SEC seems to have brought a number of enforcement actions, totaling over $2 billion, against financial institutions relating to record retention. So just tell the audience what's happening.
Kim Phan:
The SEC has very much started to crack down on what they consider non-official channels to conduct official business. Now, this has always been a problem with potential recordkeeping. Emails fly back and forth and what are you keeping, what are you not, text messaging. But now, we have new messaging apps that can be downloaded to phones, things like WhatsApp and Signal, and some of these technologies have automatic deletion properties to them, right? They're only intended for those messages to last for a certain period of time before they're automatically deleted. And now, the SEC has taken issue with this because the reality is there are specific recordkeeping requirements that financial institutions are required by law to comply with regard to some of their regulated activities. The big focus in the past year for the SEC has been looking not generally at record retention policies, but specifically, with these new innovative technologies.
The SEC chair, Gary Gensler, even said technology changes and businesses have to be mindful of that and keep track of their official channels and maintain and preserve any required communications, whether or not they're happening on those channels. And Chris, I would compare the current set of enforcement actions to the ones that were brought like 20 years ago by the SEC when email had finally become ubiquitous, right? It was an early thing that was adopted by some companies, but really, eventually, everyone started using email. Those were considered business records, official communications. So where we were with email and the pain that you described with e-discovery involving email in the years following that is where we are today with some of these text messages and messaging apps.
Chris Willis:
Okay, so I get it that the SEC wants records kept because any regulator wants more information, especially the channels where the really juicy stuff is going to be. But what were the SEC's actual legal claims in these enforcement actions that you've been telling us about?
Kim Phan:
That's specifically it. Some of their allegations were that the SEC said that by depriving them of these records being retained, the companies were preventing SEC regulators from being able to get access to the documents they need to conduct their oversight and root out misconduct. They also said that certain applications, because of those self-deleting functionalities, make it impossible for companies to respond to SEC subpoenas or other requests for documents. So that was actually a prime motivator for why the SEC brought these enforcement actions.
But some of the other allegations that they included in these claims were that these types of practices were widespread and longstanding and that firms' and financial institutions' employees were not paying attention to what their obligations were to maintain and preserve electronic communications. They also said that this was pervasive and was occurring on off-channel mediums like text messages, personal email, and messaging platforms like WhatsApp and Signal.
And the reality is most of these financial institutions already had record retention policies in place that presumably would have addressed some of this as far as these new technologies and how to deploy them. And the SEC said that these policies weren't being followed or enforced or even reviewed to make sure that they were up to speed and up to date with the most current technologies. And the fact was that managers and supervisors were actually the ones themselves who were violating these policies, encouraging the employees that they oversaw to engage with each other through these, again, off channel mediums.
Chris Willis:
Just one quick editorial comment, just as a diversion, but the idea that this is a violation of law because it prevents you from responding to a subpoena that I later send you sounds like, "Oh, you had an obligation to put a hold in place knowing that I was going to send you a subpoena," which isn't usually how we think about holds or document preservation on specific topics, but I'll just let that one go and let's keep finding out more about this. So, in addition to the very large amount of penalties that the SEC has imposed on the targets of these enforcement orders, what other requirements did the agency impose on the companies that were the subject of them?
Kim Phan:
So of course, the SEC said for any records that are required by law to be maintained, they had to, by mandate, be retained under these consent orders, which is pretty straightforward. However, the SEC did state that there had to be enhanced processes put into place to monitor communications that were involving business activity in order for the company to self-identify and head off improper conduct. For example, in one of the cases, the SEC stated that ESG-related products were being made available by an affiliate of a credit rating agency. And the SEC said that making those products available by an affiliate could potentially create conflicts of interest with those credit rating agencies like Moody's and those types of entities.
The SEC also warned that agencies can't overwork their analysts. You can't force a small set of analysts to be going through an innumerable number of records in order to identify this conduct because it could jeopardize the quality of their reviews. So the SEC said that in addition to internal audits, these financial institutions had to retain compliance consultants, third parties that would come in and conduct comprehensive reviews of their policies and procedures related to data retention on personal devices and off-stream communications, as well as assess frameworks for addressing non-compliance by employees, monitoring, that sort of thing.
These third-party compliance consultants would come in and do an initial assessment. They would be required to come in to do a follow-up evaluation after one year and then they would issue a report to the SEC. Now, as a result of a company's own internal audits, the consent orders now require that if there is identification of compliance violations by individual attorneys and any disciplinary measures have to be taken against those employees, these companies will now have to report that to SEC staff.
Chris Willis:
Okay. That's a lot, a lot for the industry to understand and absorb and a lot for us, both inside and outside lawyers, to have in mind in advising clients. But is there more coming? Is the SEC done for now, or should we be expecting more activity in this area?
Kim Phan:
You would think $2 billion in fines would be enough to satisfy the SEC, but it is not. Keep in mind that the enforcement actions they've brought so far were against 10 or 15 of the very largest financial institutions. They're now engaged, even as we speak, in a mid-market inquiry where they have been sending out requests to various mid-level financial institutions with requests in this same vein, asking for organizational charts, identifying specific business units, and who oversees retention of electronic communications within those business units. What policies and procedures are in place to allow or prohibit these different types of electronic communications? Which key staff's texts, emails, messages, and social media are expected to be archived, because their communications will almost always inherently impact the company, like the CEO or other major C-suite players?
Chris Willis:
Some of our listeners may be sitting out there right now and saying, "Well, hey, I'm a consumer financial services company and I'm not a publicly traded company and I don't really care what the SEC is doing because it doesn't affect me." Let me ask you this important question, Kim. Is this focus on record retention, in particular these sort of off-channel, unofficial communications on messaging apps and text messages and stuff like that, limited to the SEC, or are we going to see contagion of this theory to other regulators?
Kim Phan:
I think we're almost certain to see contagion to other regulators. The CFTC, the Commodity Futures Trading Commission, has already followed suit and issued some of its own enforcement actions in cooperation with the SEC. But the DOJ is also taking a hard look at this as part of not only its criminal investigations, but antitrust investigations and other areas where it's doing investigations, essentially stating that if there's corporate activity occurring through, again, these kind of off-channel communication mediums, they want that information being retained as well in the event that it's supporting one of their investigations. Those are only just a couple of additional agencies who have followed in the SEC's footsteps here. I think we're almost certain to see it spread to other agencies as well.
Chris Willis:
So, Kim, given the fact that you think that this is going to other regulators, and I have to say my own experience backs that up because I feel like every regulatory investigation I have right now, whether it's federal or state, contains a specific request for messages from messaging apps like Slack or WhatsApp or Microsoft Teams or whatever. And so clearly, the memo has gotten around to all the regulators, including the ones we routinely deal with. That's where they need to look. And I feel like it's only a matter of time before they make pronouncements similar to those that you've outlined for the SEC. Given that we both feel that this is coming sort of in a very big way to the financial services industry writ large, what should financial institutions and consumer financial services providers be doing to get ahead of these types of issues with all the regulators?
Kim Phan:
Financial institutions absolutely need to be taking a hard look at their own retention policies. If it has not been revisited in the last couple of years, that's a high priority, again, because the reality is there are changing technologies that will change how those retention policies should be written. For example, the definition of what is a record that needs to be retained. Companies should be focusing on the content of those records and the activity being described in those communications and not the media, whether it's a phone call, whether or not it's a memo, whether or not it's an email or it's a text message or a message through one of these social channels. Things like business strategies, discussions of specific clients, market trends, firm decisions that are being made. All of this needs to be looked at very hard to determine what should or should not be retained.
And then, building a process around those retention policies, including implementing systems that are monitoring for what is actually being retained, what is occurring with their employees, training their employees on what that policy actually says, so employees are aware that if they are making those types of communications through non-traditional channels, they need to be creating a new record through email to memorialize, maybe, a text message conversation so that it can be retained. And otherwise, ensuring that, to the extent that their employees are not complying with these policies, they actually are taking a disciplinary action in some way. That's a clear expectation that if there are violations of policy, they want to see that there has been retraining up to and including termination of an employee for not complying with company policy. So these are all things that are good best practices already that should be considered more and more important as we see more of these enforcement actions roll out.
Chris Willis:
And Kim, I think I'd add to that. Now that we know there's a regulatory focus on looking at these kinds of less formal communications like instant messaging platforms, it seems to me that any internal investigation about whether something's going off the rails or not working like it's supposed to within a company has to include at least a consideration of looking at and searching those messages because employees may speak there in a more open way than they would in email, now that everybody's used to email being retained forever. And so I think it becomes a necessary part of internal reviews that may occur. And I'd like to underline one of the things you said, which is making employees aware that those channels are preserved and will be monitored and so that also, hopefully, we get employees in the right frame of mind to conduct themselves accordingly is what I would say.
Kim Phan:
One of the challenges of those types of internal investigations is the reality is we've moved away from the corporate-assigned mobile device. I mean, people just are not carrying two devices around with them anymore. That's the reality. So you should be making employees aware that if there were going to be some kind of investigation, that might require handing over their personal device for a forensics audit or other investigation. Not all employees are going to be happy or willing to do that, but you have to make sure that they're aware that that's a risk.
Chris Willis:
Particularly if there's some indication that personal devices were used to communicate about company business, as was the case, I think, in some of these SEC cases. As I recall, at least one of the cases involved the idea that people were using their personal cell phone text messages to communicate about whatever it is the SEC was investigating, right?
Kim Phan:
That's correct. Where they were making decisions about deals or brokering trades, those types of communications being confirmed over text was one of the issues that the SEC was very much concerned about.
Chris Willis:
If everybody could obey the rule and not use personal devices for work communications, then this wouldn't be a problem. But that hasn't been the case, at least in one of the instances with the SEC.
Kim, thanks a lot for being on the podcast today. This is a very important reminder to the industry and I'm really glad you've come on to deliver it to our audience. And of course, thanks to our audience for listening in to today's episode as well. Don't forget to visit us at our blog, ConsumerFinancialServicesLawMonitor.com and hit that subscribe button so that you can see all of our daily updates about the world of consumer financial services. And while you're at it, why don't you head on over to troutman.com and add yourself to our Consumer Financial Services email list so you can get the alerts that we send out, as well as invitations to our industry only webinars. And of course, stay tuned for a great new episode of this podcast every Thursday afternoon. Thank you all for listening.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.