Between December 2021 and the end of 2024, the SEC charged more than 40 financial firms for recordkeeping violations related to off-channel communications — employees using WhatsApp, Signal, iMessage, and personal email for business conversations that were never captured or retained. The fines exceeded $2.5 billion. The violations were not accidental. They were systemic, persistent, and in many cases known to management.
What the Recordkeeping Rules Require
Section 17(a) of the Securities Exchange Act and Rule 17a-4 require broker-dealers to retain all business-related communications — including electronic communications — for defined periods. Rule 204-2 under the Investment Advisers Act imposes similar requirements on registered investment advisers. The rules do not specify which platforms employees may use. They require that all business communications, wherever they occur, are captured and retained in a format that can be produced to the SEC on demand.
If an advisor uses WhatsApp to discuss a client trade recommendation, that conversation is a business record that must be retained — regardless of whether the firm's policy says to use only firm-approved channels.
What the Firms Actually Did Wrong
The enforcement actions were not primarily about individual employees sending one or two WhatsApp messages. They were about firms with systemic programs of off-channel communication — practices that were widespread, in some cases encouraged by supervisors and senior managers, and that produced no records for years. The SEC found in multiple cases that employees at all levels used personal devices and non-firm applications for client and counterparty communications, that supervisors were aware of or participated in these communications, that firms lacked meaningful supervisory procedures for off-channel communications, and that when the SEC requested communications from specific periods, the firms could not produce them.
The last point is critical. The violation that becomes an enforcement action is typically the failure to retain and produce records when requested — not the use of WhatsApp itself.
The Enforcement Scale
The first wave in 2021 and 2022 targeted 16 firms including major broker-dealers and investment banks, resulting in fines totaling $1.8 billion. A second wave in September 2023 added more than $289 million in penalties from 11 firms. In April 2024, the SEC charged its first RIA with no broker-dealer affiliation for off-channel communications violations — signaling that the enforcement priority extends beyond the broker-dealer community.
What Compliance Programs Need Now
Written supervisory procedures for off-channel communications need to address three things:
Platform policy: The firm's WSPs must specify which communications platforms are approved for business use and explicitly prohibit business communications on non-approved platforms. Listing approved platforms and stating that all others are prohibited for business communications is the minimum.
Supervision of communications: For approved platforms, the firm must have a technical mechanism for capturing and retaining all business communications. For prohibited platforms, the firm must have a supervisory procedure for detecting violations, such as employee attestations, spot reviews of personal device use, and monitoring for red flags.
Enforcement: Supervisory procedures without consequences are not supervisory procedures. The WSP must specify the consequences of off-channel communication violations, and those consequences must actually be applied. The SEC found in multiple cases that firms had policies on paper but no enforcement in practice — which was itself a supervisory failure.
The Examination Risk Going Forward
The SEC's Division of Examinations has flagged off-channel communications as an ongoing priority. Examiners are now specifically requesting samples of electronic communications across platforms and asking firms to demonstrate their supervisory procedures. Firms that cannot produce records, cannot demonstrate supervision, or have WSPs that do not address the issue are at significant examination risk. Building a compliant off-channel communications program is not technically complex — but it requires clear policies, technical implementation, supervisory procedures with real enforcement, and regular testing.