Fine for firm where iMessage blocker failed: cooperation is key
The U.S. regulator has shown that it really will reward firms that cooperate with enforcement action, in a fine issued for iMessage failures.
The Financial Industry Regulatory Authority (FINRA) has fined a capital markets organization $200,000 after the control it relied on to block a communication channel silently failed. Although the firm is a repeat offender, the fine is small next to recent regulatory penalties for off-channel communications, owing to the firm’s “extraordinary cooperation”.
In December 2014, the same organization received a $75,000 fine after it failed to retain emails and internal instant messages over a period of six years. Nearly one million emails and instant messages were sent and received during that period without being captured or retained by the firm.
Following this initial enforcement action, the organization set out to implement a solution that would prevent a repeat failure to retain messages.
In July 2017, the firm deployed a solution that allowed staff to use text messages for work purposes on corporate-owned mobile devices. The solution captured SMS messages, but it could not capture or retain iMessages (Apple’s end-to-end encrypted messages between Apple devices, which travel over Apple’s service rather than the carrier’s SMS network and so are invisible to an SMS-only capture). Knowing this gap would put it in breach of its recordkeeping obligations, the firm opted to block the iMessage function on employees’ corporate devices.
A year later, in 2018, the firm noticed that the block was not working and that iMessages were not being prevented as expected. Around the same time, the individual responsible for implementing the iMessage block left the firm, and their responsibilities were not reassigned to another member of staff. As a result, many of the firm’s employees could use iMessage on their corporate-owned devices, and those iMessages were not captured or retained.
Four years later, in 2022, a registered representative for the firm referred to text messages that, on inspection, the firm could not find in its communication archive. Further investigation showed that the messages had been sent via iMessage. In short, the firm realized a control had failed.
To rectify the failure, the firm conducted an iMessage collection exercise and gathered 676,000 iMessages from employees’ phones, which it then placed in its archive for supervisory review. The iMessage block had worked on only four of the 99 corporate-issued devices.
FINRA’s findings and the firm’s “extraordinary cooperation”
These control failures placed the firm in violation of:
+ Section 17(a) of the Securities Exchange Act of 1934;
+ Rule 17a-4 of the Securities Exchange Act of 1934;
+ FINRA Rule 4511; and
+ FINRA Rule 2010.
As such, FINRA issued the firm with a censure and a $200,000 fine.
As many will note, this fine is light compared with other recent regulatory enforcement for similar violations. This is because FINRA took into consideration the firm’s “extraordinary cooperation”. In particular, FINRA credited the following:
1. The firm had discovered the iMessage failure through its own compliance review.
2. It then engaged computer forensic and e-discovery personnel to assess the nature and extent of the problem, and collected all available iMessages from corporate phones and submitted them into its existing archive. As well as this, it investigated why the original block stopped working.
3. The firm then sought more robust controls for its company-wide communications.
4. Once the missing iMessages had been collected, the firm conducted a “comprehensive internal review”, which involved retrieval, review, and analysis of all the relevant data sources.
5. When engaging with FINRA, the firm proactively provided “substantial assistance” without being prompted, which shortened the time needed to investigate the issue.
Compliant communication isn’t “one and done”
This case clearly demonstrates the practicalities and complexities of managing a compliant communication program. It is not enough to establish a program: it must be deployed, continuously monitored for effectiveness, and its ownership reassigned when the program owner leaves. Here, a preventive control was believed to be in place for four years while it was actually working on four devices out of 99, and no one was checking.
Corporate devices and blocked channels are not guarantees
It also demonstrates that a firm can spend thousands, if not millions, on corporate devices, deploy a compliant strategy, and still fail. Technical channel blocks are not self-verifying: a restriction that is misconfigured, not pushed to a device, or silently dropped produces no alert on its own. In the fallout from recent regulatory enforcement for off-channel communications, it has been suggested that many firms are moving back to corporate device policies, likely at huge cost. This case shows that even corporate-issued devices do not guarantee watertight compliance unless the controls on them are verified on an ongoing basis.
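The failure mode described above (a block believed to be in force, working on 4 of 99 devices, with no owner watching it) is cheap to catch if the control is checked against the device fleet on a schedule. The following is an added example, not code from the original article or from Global Relay: it runs a coverage check over a constructed MDM inventory export and a hypothetical control-ownership record. The export shape, the serials, user names and the control record are all invented for the example; the restriction key name `allowiMessage` follows Apple’s Restrictions payload, where it is a supervised-only setting.

```python
"""Control-effectiveness check for an MDM-enforced iMessage block.

Added example. Assumes an MDM inventory export with one record per
corporate device, carrying the device's supervision state, the
Restrictions payload keys the MDM reports, and its last check-in date.
All sample records below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Device:
    serial: str
    user: str
    supervised: bool
    restrictions: dict = field(default_factory=dict)
    last_checkin: date = date(2024, 1, 1)


def imessage_blocked(device: Device) -> bool:
    # The block is only effective when the key is present, explicitly
    # False, and the device is supervised (the key is supervised-only
    # in Apple's Restrictions payload). A missing key, a True value, or
    # an unsupervised device all mean iMessage is usable.
    return device.supervised and device.restrictions.get("allowiMessage") is False


def coverage_report(devices, today, stale_after_days=7):
    # Bucket every device; a stale check-in means the reported state
    # cannot be trusted even if it says the block is in place.
    report = {"blocked": [], "unblocked": [], "stale": []}
    for d in devices:
        bucket = "blocked" if imessage_blocked(d) else "unblocked"
        report[bucket].append(d.serial)
        if (today - d.last_checkin).days > stale_after_days:
            report["stale"].append(d.serial)
    total = len(devices)
    report["coverage"] = len(report["blocked"]) / total if total else 0.0
    return report


def control_owner_active(control, active_staff):
    # A control whose named owner has left the firm is unowned.
    return control["owner"] in active_staff


# Constructed sample inventory: one correctly blocked device, one with
# the key set but unsupervised, one missing the key, one with the key
# set to True, and one blocked device that has stopped checking in.
SAMPLE_DEVICES = [
    Device("A1", "alice", True, {"allowiMessage": False}, date(2024, 2, 28)),
    Device("A2", "bob", False, {"allowiMessage": False}, date(2024, 2, 28)),
    Device("A3", "carol", True, {}, date(2024, 2, 27)),
    Device("A4", "dave", True, {"allowiMessage": True}, date(2024, 2, 28)),
    Device("A5", "erin", True, {"allowiMessage": False}, date(2024, 1, 10)),
]

# Constructed HR roster and control record; the original owner "jdoe"
# has left, mirroring the unreassigned ownership in the article.
ACTIVE_STAFF = {"alice", "bob", "carol", "dave", "erin"}
CONTROL = {"name": "iMessage block on corporate iOS devices", "owner": "jdoe"}


def run_check(devices=SAMPLE_DEVICES, active_staff=ACTIVE_STAFF,
              control=CONTROL, today=date(2024, 3, 1)):
    report = coverage_report(devices, today)
    report["owner_active"] = control_owner_active(control, active_staff)
    report["failed"] = bool(report["unblocked"] or report["stale"]
                            or not report["owner_active"])
    return report


if __name__ == "__main__":
    result = run_check()
    print(f"coverage: {result['coverage']:.0%}")
    print(f"unblocked: {result['unblocked']}")
    print(f"stale:     {result['stale']}")
    print(f"owner active: {result['owner_active']}")
    print("CONTROL FAILED" if result["failed"] else "control OK")
```

Run on a schedule, the check turns a silent gap into a ticket: any device outside the `blocked` bucket, any stale check-in, or an owner who no longer appears on the roster fails the control. On the constructed sample the reported coverage is 40%, which is the number a firm wants to see in 2018 rather than discover in 2022.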
Cooperation really will be rewarded
The final lesson is that the regulator is staying true to its word in rewarding firms that cooperate. For some time, regulators, especially those in the US, have called for increased self-disclosure and have promised leniency to firms that cooperate when they fall short. When the firm in this case realized it was not compliant, it took swift, decisive, and comprehensive action to fix the problem and to comply retroactively. Ultimately, this worked in its favor. Compliance isn’t easy, and when it fails, it’s good to know that all is not always lost.
Instead of banning communication channels, Global Relay wants to empower firms to use all communications in a compliant way.