REGULATORY ALERT: SEC Targets Its Own Staff’s Text Messaging

April 30, 2024 by Robert Cruz


This month, the Securities and Exchange Commission (SEC) announced that it is moving toward a ban of third-party messaging apps and text messaging on employees’ work mobile phones.

The change, which in theory demonstrates a move toward the agency's own enforcement standards in the financial services industry, will likely produce other dynamics that have led firms to conclude that this is a dynamic and unsolvable challenge.

The SEC states that it is an attempt “to reduce potential risks” by blocking access to apps on agency-controlled infrastructure and devices, where vulnerabilities and recordkeeping challenges can be created. The move, which began with removing third-party apps in September, now adds text messaging as of March of this year. As is the case with financial services firms, a combination of technology controls, policy updates, and employee training would accompany the change. It is believed that the Commodity Futures Trading Commission is considering whether to follow suit.

Potential risk vs. benefit?

What is not clear from the announcement is the due diligence conducted by the agency to assess how text messaging and mobile applications are being used by employees, including the benefits to the agency in productivity or response time. Are staff members able to conduct investigations more efficiently, communicate faster, or collaborate on a third-party application more effectively than through agency approved tools, including email?

This question is essential for any organization attempting to stay updated with technology. We’ve learned that the use of unapproved communications tools happens for three primary reasons:

  • Because the tool works better.
  • Because of push from your constituents or clients.
  • By those intent on wrongdoing who are attempting to avoid detection.

Of those three, the last is a small minority. Consequently, most financial services organizations have responded to off-channel enforcement by re-examining their cost-benefit-risk decision-making processes to ensure that business benefits can be properly evaluated against the regulatory, data security, privacy, and IP risks that may arise. For example, suppose the business case shows that a tool can enable productivity or greater efficiency. In that case, the analysis shifts toward policy adjustments and available technology controls that ensure that historical records can be securely captured and preserved. If that case cannot successfully be made, then an alternative messaging app can be explored to make mitigating the risk easier.

The risk never leaves

However, as we've seen over time, compliance gaps never leave. They can evolve and move, but the risk that employees either accidentally or intentionally wind up on an unapproved tool or device is only as far away as the nearest social app on a personal phone. Chairman Gensler himself has stated that the issue is not addressed by policies alone, and firms need to demonstrate that they are actively monitoring their internal adherence to their policies. This is the hard part, but it's also the part that puts us in control. Even with a prohibition policy, firms need to be confident that hot spots are not springing up somewhere in the organization, where they need to focus additional action on changing behavior. That is the stated goal of the SEC: to change behavior, and we have the power to make that change through active monitoring.

The whack-a-mole problem

What makes this challenge unsolvable is that it is dynamic. WhatsApp and text messaging are already being out-innovated by newer tools that simply work better. This is largely due to the proliferation of generative AI now being integrated into virtually every application that has a messaging feature. That’s the hard part, and every firm will continue to spend resources chasing new tools as they emerge. This is the whack-a-mole problem.

As we’ve heard from the industry, best practices around off-channel communications continue to evolve, and we continue to lack a prescriptive formula to mitigate the risks. This creates a great opportunity for the SEC to signal to the industry the proactive steps it will take in its own internal enforcement of this policy.
