April 05, 2024 by Bojana Krstic

Navigating the Risks and Compliance of Off-Channel Communications

Off-channel communications create challenges in compliance and risk management. Recent actions by the Securities and Exchange Commission (SEC), including substantial fines imposed against firms for failures in controlling off-channel communications, highlight the importance of this issue.

In this article, we’ll go over:

  • An overview of off-channel communications
  • Regulatory and compliance landscape
  • Recent SEC enforcement actions
  • Best practices for compliance

Drawing from recent SEC cases, this guide can be used by IT Directors, Technology Managers, CIOs, CTOs, and Compliance Officers to understand and navigate the complexities of off-channel communications within regulated industries.

Understanding Off-Channel Communications

Off-channel communications refer to any corporate conversation or data exchange outside officially sanctioned and monitored communication channels.

Traditionally, firms have relied on email and company-approved messaging systems to conduct business, as these can be easily archived and monitored for compliance purposes.

However, smartphones and social media have significantly broadened the range of tools employees use to communicate, increasing the use of off-channel methods such as personal messaging apps, social media platforms, and encrypted services.

Examples of off-channel communications include:

  • Text messages sent from personal devices.
  • Conversations on messaging apps like WhatsApp or Signal.
  • Social media interactions related to business matters.
  • Encrypted emails sent outside of the company’s email system.

The rise in off-channel communication can be attributed to several factors:

  • Convenience and efficiency — Employees often find it faster and more convenient to use personal devices or familiar apps for quick communication.
  • Remote work environments — With the increase in remote work, employees may resort to various communication tools that aren’t officially monitored.
  • Privacy concerns — Sometimes, the desire for confidential discussions might drive employees to use encrypted or private channels.

Several laws and regulations in the U.S. mandate the archiving and monitoring of business communications.

Failing to capture these off-channel communications can lead to compliance breaches, legal risks, and penalties, as seen in recent SEC actions against firms for non-compliance.

What are business records?

Business records are documents or files that systematically document an organization’s activities, transactions, and operations. They encompass a wide range of materials, including emails, financial statements, contracts, employee records, meeting minutes, and communication logs.

For something to constitute a business record, it is the content of the message that counts, not the device or the channel from which it was sent.

Given their importance, they must be preserved, organized, and accessible in accordance with specific industry standards and legal requirements.

When are SMS and text messages considered business communications?

In the United States, SMS and text messages are considered business records when they contain information related to business conduct, such as discussions about company operations, transactions, decisions, or other business-related exchanges.

This classification aligns with laws and regulations that govern business communications, including the Federal Records Act and various state-level statutes.

These messages can become discoverable in legal contexts through court orders or subpoenas. The discovery process, governed by the Federal Rules of Civil Procedure, allows courts to order the production of evidence relevant to the dispute being litigated, including electronic communications.

Organizations are therefore obligated to preserve and be able to retrieve SMS and text messages that may be considered business records, ensuring that they can comply with such legal orders.

The Compliance Landscape

In regulated industries such as finance, healthcare, and government, compliance is not just a best practice but a legal requirement. Understanding the regulatory framework that governs communications is vital for entities operating in these sectors.

Here’s a list of major laws that govern official communication and record-keeping.

  1. SEC regulations and guidelines — The Securities and Exchange Commission (SEC) sets strict guidelines for record-keeping, particularly for communications related to business transactions. These regulations are designed to maintain transparency and protect investor interests. Financial services firms must archive all business-related communications, including those on off-channel platforms.
  2. Health Insurance Portability and Accountability Act (HIPAA) — HIPAA mandates the confidential handling of protected health information (PHI) in healthcare. This extends to communication channels, where any exchange of PHI must be secure and compliant with HIPAA standards.
  3. Sarbanes-Oxley Act (SOX) — SOX applies to public companies and accounting firms, requiring the retention of financial records and correspondence for a specified period. This includes electronic records and communications.
  4. Freedom of Information Act (FOIA) — At the government level, FOIA demands transparency in the communication of public servants and requires proper archiving of electronic communications, including those occurring through off-channel means.
  5. Family Educational Rights and Privacy Act (FERPA) — FERPA is particularly relevant for the U.S. K-12 education sector, including school districts. FERPA mandates that schools have written permission from the parent or eligible student to release any information from a student’s education record. This extends to electronic communications, including emails and digital messages, that may contain student information.
  6. Financial Industry Regulatory Authority (FINRA) — FINRA plays a crucial role in the U.S. financial services sector. FINRA’s rules require the archiving of all business-related communications, including those occurring through electronic means. This encompasses emails, instant messaging, and potentially any off-channel communications that involve business transactions or client interactions.

For regulated entities, not complying with these regulations can lead to severe consequences. The SEC, for instance, has the authority to impose fines and other penalties for non-compliance. The consequences are not only financial; they can also include reputational damage and operational setbacks.

To illustrate, consider the SEC’s recent enforcement actions, where several firms collectively faced penalties exceeding $81 million for failing to preserve off-channel communications.

Staying compliant involves understanding these regulations and implementing systems and policies that ensure all forms of communication, including off-channel, are appropriately monitored and archived.

Recent SEC Enforcement Actions

In the past few years, the SEC has intensified its focus on off-channel communications, targeting firms that fail to preserve business-related communications outside official channels.

The SEC’s recent crackdown on off-channel communications has resulted in significant fines and public notices, underscoring the seriousness with which the Commission views these violations.

  • February 2024 charges — The latest SEC fines targeted 16 broker-dealers and investment advisors for longstanding uses of off-channel communications. The firms agreed to pay more than $81 million combined.
  • September 2022 charges — The SEC charged 16 Wall Street firms with recordkeeping failures resulting in combined penalties of more than $1.1 billion. These companies failed to maintain and preserve electronic communications. Notably, Bank of America Securities was fined $50 million for similar violations related to off-channel communications.
  • December 2021 enforcement actions — In December 2021, the SEC announced enforcement actions against several prominent financial institutions for failing to maintain and preserve electronic communications. For instance, J.P. Morgan Securities LLC was fined $125 million for its lapses in preserving written communications on personal devices and messaging apps.


Analysis of the SEC’s rationale

By penalizing firms for not adhering to record-keeping requirements, the SEC aims to set a precedent about the non-negotiability of compliance standards.

These actions remind other companies, especially in the financial sector, about the critical importance of maintaining compliant communication practices. Firms are now more aware than ever that non-compliance can lead to hefty fines and reputational damage.

Key takeaways include the necessity of comprehensive policies for electronic communications, regular training for employees on compliance matters, and the implementation of robust monitoring and archiving systems.

Best Practices for Compliance

These practices help organizations adhere to regulatory standards and manage potential risks:

Utilizing archiving software

To effectively manage off-channel communications, it is important to use advanced archiving software. Such software should be capable of integrating with a wide range of communication platforms, including email clients, instant messaging apps, social media, and any other channels employees might use for business communication.

The key features to look for in an archiving solution include:

  • Advanced search and retrieval functions — The system should offer efficient search capabilities for quick retrieval of specific communications from multiple channels such as email and SMS, and should let you combine exports in a single file.
  • Secure storage and encryption — To protect sensitive data, the software must employ robust security measures, including encryption.
  • Compliance with regulatory standards — The software should comply with relevant industry regulations (such as SEC, FINRA, HIPAA, FERPA) regarding data retention and privacy.

Developing clear communication policies

Organizations should have clear, documented policies governing off-channel communications. This includes guidelines on acceptable platforms and the proper handling of business-related messages.

Regular training and awareness programs

Implement continuous training programs for employees, emphasizing the importance of communication policies and the potential risks and consequences of non-compliance.

Ensuring easy access to compliance information

Make compliance resources available to all employees. This includes clear, accessible documentation of communication policies and procedures.

Conducting regular compliance audits

Regularly auditing communication practices and archiving processes helps identify gaps and ensures compliance standards are met.

Continuous policy review and update

Update communication policies and compliance strategies regularly to keep pace with changing technology and regulatory landscapes.

Engaging legal and compliance experts

Collaborate with legal and compliance experts to ensure strategies align with the latest laws and best practices.

How the Right Technology Helps

With Jatheon’s archiving solutions, organizations can confidently manage their off-channel communications, ensuring compliance with relevant regulatory standards and reducing the risk of fines and legal complications.

Besides email, Jatheon allows you to archive social media, WhatsApp, text messages and Bloomberg chat. The powerful search tool provides quick and precise retrieval of archived communications. This feature is helpful during audits or investigations, ensuring that organizations can easily comply with requests for information.

Speaking of regulations, Jatheon’s archiving solutions meet the compliance requirements of various regulatory bodies like the SEC, FINRA, HIPAA, and FERPA.

Summary of the Main Points

In brief, our article covered:

  • The significance of off-channel communications in businesses.
  • Regulatory frameworks including SEC, FINRA, HIPAA, FERPA, FOIA and SOX.
  • Recent SEC fines demonstrating compliance importance.
  • Best practices, focusing on advanced archiving software.


FAQ

What are off-channel communications and why do they matter?

Off-channel communications refer to business-related conversations that occur outside of official, monitored channels, such as personal messaging apps or emails. They matter because they can contain critical business information that must be archived and monitored to comply with regulations like those from the SEC, FINRA, HIPAA, and FERPA.

What role does archiving software play in managing off-channel communications?

Archiving software is essential for capturing, storing, and retrieving electronic communications across various platforms. It helps ensure that all business-related communications, including those from off-channel sources, are securely archived and can be accessed during audits or investigations, aiding in regulatory compliance.

What steps can organizations take to ensure compliance with regulations governing off-channel communications?

Organizations should implement advanced archiving solutions, establish clear communication policies, conduct regular employee training, perform compliance audits, and continuously update their policies and strategies in response to technological and regulatory changes.

About the Author
Bojana Krstic
Bojana Krstic is the Marketing Director at Jatheon, where she leads strategic initiatives and creates content on data archiving, ediscovery, and compliance. When AFK, you’ll find her in the forest, discovering new music, or exploring the Adriatic.
