What’s up with WhatsApp? 4 Tips for Avoiding Recordkeeping Fines

Recordkeeping:  the often-thankless administrative task that only gets noticed when things go wrong.  Why should your legal department even care?  Two reasons: 

1. The repercussions of poor recordkeeping fall squarely on its (proverbial) lap.
2. The lack of effective recordkeeping protocol and controls can result in major fines.

Let us layer on the additional complication of messaging apps…  Professional texts are corporate records, and their retention may be required.  Here are the facts:

On September 27, 2022, the US Securities and Exchange Commission (SEC) penalized sixteen financial institutions for recordkeeping violations through settlements, accounting for more than US$1.1 billion in fines.  You might be familiar with some of these massive multinational conglomerates (such as Barclays, Bank of America, and Morgan Stanley). Their employees utilized WhatsApp and other text messaging applications on their personal devices without preserving any records of the communications, resulting in violations of the Securities Exchange Act of 1934 and the Investment Advisers Act of 1940.

What exactly did these firms do (or not do)? The SEC generally requires firms to keep original communication records for no less than three years. Unfortunately, each firm allowed supervisors and brokers to communicate professionally using personal devices over private phone applications (such as WhatsApp) without saving records of the communications…thus violating the law.

So, what does this mean for you, dear Reader? No matter your industry, records retention periods apply to you.  (They are also good business sense.)  For example, U.S. Customs and Border Protection generally requires records to be kept for at least five years for documents related to entries, activities, or other reconciliation or liquidation. Similarly, the Office of Foreign Assets Control (in the US Treasury Department) requires the same, and the US Internal Revenue Service generally requires records to be kept anywhere from two to seven years, depending on the specific circumstances of the records.  To further complicate matters, retention requirements vary between countries and jurisdictions.

Here are a few key principles to keep in mind to help recordkeeping;

1. Create and implement a document management system. This will ensure that all documents are properly tracked, and access is limited on a need-to-access basis. This is wise from a recordkeeping perspective, and also from a data privacy and cybersecurity perspective (which you can read more about here).
2. Develop a right-sized records retention “schedule.”  This will ensure that your company does not similarly find itself facing penalties from government regulators.
3. Roll out mandates, policies, and controls to ensure that records are retained for the appropriate timeframe. If your employees are ignorant, the strongest internal requirements will be of no use.  Consider the type(s) of training, communications, and automated solutions that optimize your records retention program.
4. Based on your company’s risk profile and tolerance, as well as its industry sector, determine the right point on the spectrum between “data destruction as quickly as possible” and “data retention for business continuity concerns.” Your backing up of records should reflect this point on the spectrum.

Proper recordkeeping can only be assessed on a case-by-case basis.  We recommend analysis by experts in data protection and corporate compliance. Luckily, our experts at the Wallenstein Law Group stand ready to assist. Let us help you find comfort in your internal recordkeeping controls and processes. Contact us today!