skip to main content

In litigations and investigations, e-discovery is a critical component of strategy and fact development. Businesses that give it short shrift do so at their peril. Paul, Weiss has achieved a reputation for unparalleled excellence in litigation and investigations; our e-discovery efforts are an integral part of this success.

U.S. Regulators Increase Enforcement Relating to Chat and Text Communications, Including on Personal Devices

December 17, 2021 Download PDF

Key Takeaways:

  • Employees are conducting business and communicating via text and chat applications; COVID-19 and work at home have resulted in increased business use of texts and chats.
  • As demonstrated by today’s announcements of $200 million in penalties against a financial institution, U.S. regulators are increasingly focusing enforcement efforts on retention requirements as they relate to non-email electronic communications.
  • Companies should consider how to mitigate risk and promote compliance with record-keeping requirements, including by implementing appropriate policies, processes and technology.

In the early 2000s, financial institutions were still in litigation with their regulators over their obligation to preserve email communications as business records. We all know how that skirmish ended.[1] Today, in a trend that has been coming for some time, but that has been accelerated by the realities of work from home brought to light by the COVID-19 pandemic, U.S. regulators and financial institutions are again engaged in litigation over record-keeping obligations, this time over text and chat applications. Indeed, U.S. regulators are increasingly focusing investigatory and enforcement efforts on ensuring that companies track, manage, and archive business-related employee communications, including text and chat communications on personal devices.

For some time, but especially over the course of the COVID-19 pandemic when away from traditional office settings, workers have been increasing their business use of text messaging (for example via SMS or iMessage) and chat applications (such as WhatsApp, Signal, and WeChat). This new reality in communication methods has led regulators to focus on how companies manage this data. Financial institutions such as banks have an obligation to record certain business communications, including phone calls and emails. Traditionally, this obligation has been limited to work devices. Company policies have tried to keep the line between work and personal devices by prohibiting the use of unapproved communication methods that were not subject to corporate retention policies, such as personal email accounts, text messaging, or mobile apps. This approach has been consistent with the processes and technology designed to support compliance with record-keeping obligations, many of which have been focused on corporate email and voice communications.

But pre-pandemic signals were there that the focus was shifting. For instance, on March 8, 2019, the Department of Justice (DOJ) announced several revisions to its Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy, including relaxing the prior prohibition against employees communicating via ephemeral messaging services such as WhatsApp where messages self-destruct. Now, under § 9-47.120.3c of the Justice Manual, companies must “implement[] appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications.”[2]  In late 2019, the Securities and Exchange Commission (SEC) addressed a broker-dealer’s failure to preserve business-related text messages despite company policy prohibiting use of such communication means.[3]  Moreover, in October 2019, the Financial Industry Regulatory Authority (FINRA) observed that some firms "encountered challenges complying with supervision and recordkeeping requirements for various digital communication tools, technologies and services," noting that, while firms often "prohibit[] the use of texting, messaging, social media or collaboration" apps for business-related communication, some "did not maintain a process to reasonably identify and respond to red flags" regarding the use of "impermissible personal digital channel communications in connection with firm business."[4]  Since the onset of the pandemic, this new focus has been made express.

In an October 6, 2021 speech, “PLI Broker/Dealer Regulation and Enforcement 2021,”[5] the SEC’s new Division of Enforcement Director Gurbir Grewal told companies, “You need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps.”

A week later, Director Grewal specifically addressed “corporate responsibility” and the SEC’s adoption of robust laws and rules aimed to ensure that these “corporations are being responsible and playing fair.” In his remarks at SEC Speaks 2021,[6] Grewal focused on newer forms of communication and technology, including ephemeral messaging, stating,  

We’ll consider all of our options when this sort of misconduct occurs prior to or during our investigations. For example, if we learn that, while litigation is anticipated or pending, corporations or individuals have not followed the rules and maintained required communications, have ignored subpoenas or litigation hold notices, or have deliberately used the sort of ephemeral technology that allows messages to disappear, we may well conclude that spoliation of evidence has occurred and ask the court for adverse inferences or other appropriate relief. These rules are not just ‘check the box’ exercises for compliance departments; they are important to ensure that the SEC and other law enforcement agencies can understand what happened and make appropriate prosecutorial decisions. When that doesn’t happen, there can and should be consequences.

Indeed, the SEC recently opened a broad inquiry into how banks are keeping track of employees' digital communications. As widely reported[7] in October, “SEC enforcement staff contacted multiple banks in recent weeks to check whether they have been adequately documenting employees' work-related communications, such as text messages and emails, with a focus on their personal devices[.]” Even more recently, other reports[8] had suggested that substantial settlements with financial institutions in connection with this inquiry were forthcoming.

Today the SEC announced[9] an agreement resolving charges against “J.P. Morgan Securities LLC (JPMS), a broker-dealer subsidiary of JPMorgan Chase & Co., for widespread and longstanding failures by the firm and its employees to maintain and preserve written communications.” The SEC’s announcement states “employees often communicated about securities business matters on their personal devices, using text messages, WhatsApp, and personal email accounts. None of these records were preserved by the firm as required by the federal securities laws.” Additionally, the “failures were firm-wide” and even “managing directors and other senior supervisors – the very people responsible for implementing and ensuring compliance with JPMS’s policies and procedures – used their personal devices to communicate about the firm’s securities business.” JPMS agreed to pay a penalty of $125 million. The SEC’s announcement additionally notes that “As a result of the findings in this investigation, the SEC has commenced additional investigations of record preservation practices at financial firms.” The Commodity Futures Trading Commission (CFTC) contemporaneously announced[10] its settlement with JPMS and related entities for the same conduct, issuing a fine of $75 million.

Given the realities of modern communications and the overlay of record-keeping requirements, some companies have begun deploying technology that allows their employees to utilize chat and text applications on personal devices, but still archive and manage such communications in line with their emerging preservation obligations. While such tools are still in their relative infancy compared to long-standing enterprise archiving systems, their use may support a company’s efforts to demonstrate their best efforts to comply in a rapidly changing work-from-home world.

While text messaging and chat applications may be a focus today, companies should expect continued attention on other communications and technologies that may appropriately be considered as part of investigation and enforcement efforts. For example, collaboration tools with messaging functions such as Slack or Teams could be subject to future regulatory initiatives.

And even though data privacy or protection laws may generally restrict the collection and use of information on personal devices, companies should expect U.S. regulators in the financial industry, and likely in other heavily regulated areas, to focus more on data archiving and collection efforts relating to relevant business information on such devices instead of the applicability of such laws. And if the early 2000s are a model for what lies ahead, we can expect the trend to spread to other industries and civil litigation. Recall that the Federal Rules of Civil Procedure were not amended to expressly recognize email communications until 2006. It is not too soon to think that a similar path lies ahead for text and other chat applications.

Navigating the management and archiving of evolving methods of communications, especially in a hybrid-work, mobile-focused world, may be complex. But given recent pronouncements by regulators and the likelihood of settlements and enforcement action, companies would be well advised to focus on their policies and the processes and technology necessary to mitigate risk in this developing area. Doing so is not an easy task and requires that companies remain mindful to ensure mechanisms are in place to secure any data collected consistent with any obligations they may have to comply with rights exercised by data subjects under applicable data privacy laws such as the CCPA. Companies should also be aware of certain state laws requiring two-party consent to record telephone or electronic conversations and incorporate adequate safeguards into their surveillance apparatus.

In 2003, Judge Shira Scheindlin of the Southern District of New York issued the first of her seminal Zubulake decisions, rulings that focused a generation on their emerging obligation to preserve and collect email communications. Time will tell whether current developments are the beginning of a Zubulake moment for text and messaging applications.

                                                                                                      *       *       *


[1]        See In the Matter of Merrill Lynch, Pierce, Fenner & Smith, Inc., Administrative Proceeding File No. 3-12236 (Mar. 13, 2006); see also In the Matter of Banc of Am. Inv. Servs., Inc., Administrative Proceeding File No. 3-111952 (June 15, 2005); see also Press Release, Securities and Exchange Commission, SEC, NYSE, NASD Fine Five Firms Total of $8.5 Million for Failure To Preserve E-Mail Communications (Dec. 3, 2002)(on file with author).

[2]        See Dep't of Justice, Justice Manual, § 9-47.120(3)(c) (revised Nov. 2018), available at  

[3]        In the Matter of JonesTrading Institutional Servs. LLC., Administrative Proceeding File No. 3-20050 (Sept. 23, 2020)(SEC found that the broker-dealer, despite corporate policy prohibiting the use of text messaging, home computers, or personal devices for work-related communications, failed "to preserve business-related text messages sent or received by several of its registered representatives, including senior management, in violation of Section 17(a) of the Exchange Act and Rule 17a4(b)(4) promulgated thereunder.").

[4]        See 2019 Examination Findings Report, FINRA, Digital Communication (October 16, 2019),




[8]        See



© 2024 Paul, Weiss, Rifkind, Wharton & Garrison LLP

Privacy Policy