Massive SEC Fines for Companies Using Text and Instant Messaging

On 27 September 2022, the US Securities and Exchange Commission (SEC) announced more than US$1.1 billion in fines for 15 dealer/brokerage firms in relation to their record-keeping. Specifically, the firms’ staff had routinely used text and instant messaging on personal devices for work purposes. Following the SEC’s lead, the UK Financial Conduct Authority last week questioned several UK banks about their staff’s use of WhatsApp and similar apps.

The SEC’s investigation relates to specific record-keeping rules for certain regulated entities (similar rules apply in New Zealand to entities holding a ‘financial advice provider’ licence by the Financial Markets Authority).

However, the same concerns also apply more broadly, given the increasing use of text and instant messaging technology in business. Start-ups and technology-focused businesses (in particular), make extensive use of instant messaging, simply because it's easy and familiar. Many of these businesses have no formal document retention policies or practices. However, they may wish to consider: (i) how widespread and necessary the use of text or instant messaging is within their business; and (ii) whether it would be useful to document a policy that clarifies the kinds of communications that ought to be in email form and/or downloaded and retained for future use.

Unfortunately, there is no one rule that defines the kind of information that businesses should retain and for how long, but there are some rules that apply to all businesses, and some guiding principles.

How long should ‘core’ records be retained?

Most business records need to be retained for seven years:

• Companies: A New Zealand company must retain certain company records (including its constitution, minutes of directors’ meetings, certificates, annual reports and financial statements) for seven years (Companies Act 1993, s 189).
• Tax: As a rule of thumb, a taxpayer must keep for seven years the documents necessary to support its tax position (s 22(2) of the Tax Administration Act 1994 (TAA)). Various other specific rules may also apply.
• Employment: Wages and time records for employees must also be maintained in respect of the preceding six years (i.e., seven years in total) (Employment Relations Act 2000, s 130).

Otherwise, unless a specific rule or regulation requires the retention of documents, a business is theoretically free to adopt whatever document retention policy best suits its needs. Businesses that collect personal information will also need to consider Privacy Principle 10 which provides that they “shall not keep that information for longer than is required for the purposes for which the information may lawfully be used”.

When should non ‘core’ documents be retained and for how long?

Almost all New Zealand businesses will have obligations to retain certain ‘core’ company and financial records for seven years, as explained above. Some of these documents could be contained in text messages. For example, there is no reason why a unanimous resolution of a company’s board of directors could not take place by exchange of text messages (so long as a “tangible” record is kept of all the messages comprising the resolution). Equally, businesses subject to specific record-keeping regulations need to ensure that the specific records are retained no matter their original format. As the SEC example shows, the move towards instant messaging is no excuse for non-compliance.

But what about other non-‘core’ documents, such as Whatsapp messages exchanged within a business or with a counterparty or customer? These documents might not fall within the category of ‘core’ company records, but they could still be critical to a business’ success or failure in the event of a dispute or regulatory investigation. For example:

• A Whatsapp message from a firm to a customer could be relied on by a customer to prove a ‘misrepresentation’ under the Fair Trading Act. If the firm does not retain its copies of the exchange, then it may be unable to defend itself.
• Instant messages between competitors could be relied on by the Commerce Commission to prove anti-competitive conduct. Furthermore, any party deleting evidence of such conduct faces the possibility that another party to that correspondence has not done so, and may provide the evidence to the regulator in exchange for leniency.
• Messages recording a taxpayer’s reasons for purchasing property might be relevant evidence in a tax dispute if the property is on-sold for a profit. If those messages are not retained, there may be a lack of corroborating evidence when seeking to prove to Inland Revenue that the property was not acquired for the purpose of re-sale.

In this respect, the limitation periods for common legal claims in New Zealand include:

• Contact or tort: The general rule is that “money claims” (i.e., most simple contract or tort claims) must be brought within six years of the date of the act or omission on which the claim is based (Limitation Act 2010, s 11(1)).
• Fair Trading Act: Orders under s 43 of the Fair Trading Act 1986 (including orders for damages) must generally be brought within three years of the date on which the loss or damage, or the likelihood of loss or damage, was discovered or ought reasonably to have been discovered.
• Tax: The Commissioner of Inland Revenue has in general four years from the date of an income tax assessment to increase the assessment (TAA, s 107A), in which case a taxpayer can initiate the tax challenge procedure in the TAA. A taxpayer has the burden of proof in challenge proceedings and therefore must itself provide any evidence it seeks to rely on.  ‍
• Other regulatory investigations: The limitation periods for regulatory prosecutions can vary greatly (up to ten years in some cases).

These examples demonstrate how retention of instant messages can be critical to a business. Clearly, not all text or instant messages need to be retained by a business. In many cases, it may be better for certain instant messages to automatically delete, or for a policy to stipulate how records should be made for particular purposes. However, it is now essential that businesses consider how to approach their retention of text and instant messages.