The use of “off-channel” messaging apps such as iMessage, WhatsApp, and Signal has landed 11 Wall Street firms in hot water, with the industry regulator, the US Securities and Exchange Commission (SEC), issuing combined penalties of $US289 million.

The firms which include Wells Fargo Securities, LLC and BNP Paribas Securities Corp have admitted to violating recordkeeping provisions of US federal securities laws and agreed to pay the penalties.

Meanwhile, the Commodity Futures Trading Commission has issued orders for four financial institutions to pay $US260 million for “Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods.”

The four financial institutions are: BNP Paribas $US75 million, Société Générale $US75 million, Wells Fargo $US75 million and Bank of Montreal $US35 million.

The use of consumer messaging apps in the workplace, a form of shadow IT, is making it increasingly difficult for enterprises to protect their data and ensure compliance.

These concerns have been raised in other countries, such as the UK, where the Information Commissioner’s Office (ICO ) has warned against government officials using WhatsApp and personal email.

The SEC has criticised the widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications.

“Compliance with the books and records requirements of the federal securities laws is essential to investor protection and well-functioning markets. To date, the Commission has brought 30 enforcement actions and ordered over $US1.5 billion in penalties to drive this foundational message home. And while some broker-dealers and investment advisers have heeded this message, self-reported violations, or improved internal policies and procedures, today’s actions remind us that many still have not,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.

“So here are three takeaways for those firms who haven’t yet done so: self-report, cooperate and remediate. If you adopt that playbook, you’ll have a better outcome than if you wait for us to come calling.”

The SEC’s investigation uncovered pervasive and longstanding “off-channel” communications at all 11 firms. As described in the SEC’s orders, the firms admitted that from at least 2019, their employees often communicated through various messaging platforms on their personal devices, including iMessage, WhatsApp, and Signal, about the business of their employers.

The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws. By failing to maintain and preserve required records, certain of the firms likely deprived the Commission of these off-channel communications in various SEC investigations. The failures involved employees at multiple levels of authority, including supervisors and senior executives.

“Today’s actions stem from our continuing sweep to ensure that regulated entities, including broker-dealers and investment advisers, comply with their recordkeeping requirements, which are essential for us to monitor and enforce compliance with the federal securities laws. Recordkeeping failures such as those here undermine our ability to exercise effective regulatory oversight, often at the expense of investors,” said Sanjay Wadhwa, Deputy Director of Enforcement.

“The 11 firms settling today have acknowledged that their conduct violated the law regarding these crucial requirements, and are implementing measures to prevent future similar violations. However, we know that other SEC-regulated entities have committed similar violations, and so our work to enforce industry-wide compliance continues.”

In addition to the significant financial penalties, each of the firms was ordered to cease and desist from future violations of the relevant recordkeeping provisions and was censured.

The firms also agreed to retain independent compliance consultants to, among other things, conduct comprehensive reviews of their policies and procedures relating to the retention of electronic communications found on personal devices and their respective frameworks for addressing non-compliance by their employees with those policies and procedures.

CFTC Director of Enforcement Ian McGinley, said, “The Commission’s message could not be more clear – record-keeping and supervision requirements are fundamental, and registrants that fail to comply with these core regulatory obligations do so at their own peril.”

Each order finds the swap dealer and/or FCM in question, for a period of years, failed to stop its employees, including those at senior levels, from communicating both internally and externally using unapproved communication methods, including messages sent via personal text or WhatsApp. The firms were required to keep certain of these written communications because they related to the firms’ businesses as CFTC registrants. These written communications generally were not maintained and preserved by the firms, and the firms generally would not have been able to provide them promptly to the CFTC when requested.