The SEC’s $63 Million Reminder: Recordkeeping Failures Are Still Widespread

In January 2025, the U.S. Securities and Exchange Commission announced another sweeping set of enforcement actions targeting “off-channel” business communications.
Twelve major financial institutions — nine investment advisers and three broker-dealers — agreed to pay a combined $63.1 million in civil penalties¹ to settle charges that they failed to maintain and preserve electronic communications as required under federal securities laws.

The SEC’s press release (No. 2025-6) and accompanying administrative orders mark the latest chapter in the Commission’s multi-year campaign to crack down on the persistent use of personal devices and unapproved messaging apps for conducting firm business.

This wave follows similar enforcement rounds in 2021, 2022, 2023, and 2024 that collectively have imposed over $2 billion in penalties across the industry.

What the SEC Found

According to the SEC’s orders, the sanctioned firms allowed personnel — including senior management — to conduct firm business using unapproved, unarchived communication methods, such as personal text messages, WhatsApp, LinkedIn, and Facebook Messenger.

These were not isolated lapses. The failures were pervasive, firm-wide, and systemic. In several cases, the very supervisors and compliance officers responsible for oversight were among the violators.

The SEC noted that in many instances, the firms failed to maintain or preserve a “substantial majority” of these communications, directly violating

• Section 204 of the Investment Advisers Act and
• Rule 17a-4 under the Exchange Act²,

which require regulated entities to maintain and preserve business-related communications.

By losing these records, the firms impaired the SEC’s ability to perform core regulatory functions — including investigating potential fraud, insider trading, and other violations.

The Nature of the Prohibited Business Communications

The SEC’s findings make clear that the off-channel communications were not casual or incidental. They involved substantive, material business discussions that regulators explicitly require to be retained.

Investment Advice and Recommendations

At multiple advisers, senior partners and managing directors used off-channel messages to discuss investment recommendations and trading strategies, including:

• Proposals and advice given to clients about specific investments.
• The price at which a firm should bid for a client to participate in a transaction.
• Whether a private fund should invest in a junior tranche of a deal.
• A proposed recommendation to increase a client’s position in a security.
• A proposed investment by a client fund in a target company, discussed across firms and with third-party advisers.

These are exactly the types of communications the SEC expects to see in an adviser’s retained records, as they go to the heart of fiduciary and supervisory obligations.

Trading and Execution

At other firms, employees used unauthorized platforms to discuss execution details and trading decisions, such as:

• Placing and executing orders to purchase or sell securities.
• Discussing terms and execution of securities transactions for clients.
• Exchanging messages about potential trades on behalf of client funds.
• Direct coordination around trade placement without compliance oversight.

Such communications would typically be subject to surveillance, trade blotter reconciliation, and audit — none of which were possible here.

Fund Performance, Disbursements, and Client Communications

The off-channel communications also included matters relating to fund performance, fund flows, and client relations, including:

• Performance and rate-of-return discussions for managed accounts.
• Messages about receipts, disbursements, or delivery of funds or securities.
• Direct client engagement: a managing director at one broker-dealer used LinkedIn to send business messages to more than a dozen clients and investors.

In some cases, these communications related to actual money movement, such as a managing director who texted an insurance company about the disbursement of funds related to a transaction.

Failures in Supervision and Compliance

Perhaps most striking, the SEC found that supervisors were among the offenders.

• At one firm, a senior executive exchanged off-channel messages with several department heads — the very individuals they were tasked with supervising.
• At another, a partner messaged over a dozen subordinates and 30 clients using personal devices.
• A senior managing director at a third firm used unauthorized platforms to message at least 10 colleagues (five of whom they directly supervised) and seven customers.

In one particularly illustrative case, a compliance officer discovered a partner’s WhatsApp use and conducted an internal meeting about it — yet the firm failed to preserve the messages or follow up in writing. The partner continued to use the app for business, sending a “significant number” of additional off-channel messages.

Even firms that attempted remediation were criticized. One self-reporting adviser admitted it was aware of the SEC’s ongoing sweep, and despite enhancing its compliance program, failed to eliminate off-channel messaging among its staff.

Legal Violations

All twelve firms were found to have willfully violated recordkeeping provisions of federal securities laws, including:

• Advisers Act Section 204(a) and Rule 204-2(a)(7) — requiring investment advisers to maintain and preserve records of communications relating to their advisory business.
• Exchange Act Section 17(a) and Rule 17a-4(b)(4) — requiring broker-dealers to preserve originals of all communications related to their business as such.
• Supervisory Failures — Each firm also violated Section 206(4) and Rule 206(4)-7, failing to adopt and implement reasonable written policies and procedures to prevent such violations.

The orders specifically note that these failures undermined the SEC’s oversight and enforcement functions by depriving the agency of contemporaneous records needed to reconstruct decision-making and advice to clients.

Penalties and Remediation

The SEC imposed civil penalties totaling $63.1 million, distributed across the 12 firms.
Each agreed to admit the facts, cease and desist from future violations, and undertake significant compliance enhancements, including:

1. Independent Compliance Reviews: Conduct internal audits to assess the effectiveness of their communication monitoring programs.
2. Technology Assessments: Evaluate and upgrade systems to ensure all business communications are captured and retained.
3. Policy and Training Overhaul: Retrain all employees — including executives — on approved communication channels.
4. Certification to the SEC: Within 60 days of remediation, each firm must certify completion and compliance improvements.

The SEC also credited one of the firms for self-reporting, resulting in the smallest penalty of the group.

A Broader Enforcement Pattern

The 2025 orders mirror the SEC’s 2022–2024 messaging sweeps against bulge-bracket banks. But the agency has now extended scrutiny into private-fund advisers and mid-sized broker-dealers, signaling that no segment of the market is exempt.

SEC Enforcement Director Gurbir Grewal summarized the agency’s philosophy³:

“Compliance with the books and records requirements of the federal securities laws is essential to investor protection and well-functioning markets. ”

The SEC continues to stress that recordkeeping is not merely a paperwork rule — it underpins the entire audit and examination process. When examiners cannot reconstruct decisions, communications, or orders, investor protection collapses.

Culture, Not Just Technology

A recurring theme in the orders is leadership participation. In nearly every case, the Commission found that managing directors, partners, or portfolio heads themselves engaged in unapproved messaging.
That conduct made enforcement unavoidable, because it demonstrated a culture of tolerance rather than control.

The SEC’s focus has therefore shifted from “did you have an archiving tool?” to “did your leadership actually use it?”

Modern compliance programs must blend technical controls (device management, capture integration, searchability) with behavioral accountability (attestations, random audits, visible consequences for violations).

Key Takeaways for Compliance Officers

These enforcement actions are a clear warning that firms must adapt their compliance and technology to the reality of modern communication. The SEC’s orders are prescriptive, requiring each firm to undertake a near-identical set of remediation measures.

To avoid similar penalties, firms should proactively adopt the SEC’s required undertakings as a roadmap for compliance.

1. Conduct a Comprehensive Audit: Firms must initiate a comprehensive review of all supervisory, compliance, and other policies related to electronic communications. This audit must specifically focus on communications on personal devices (“BYOD”) and identify gaps in current procedures.
2. Implement and Mandate Approved Technology: Policies prohibiting off-channel use are failing. Firms must assess and implement technological solutions that meet record-retention requirements (e.g., applications that capture messages on personal devices). Crucially, the SEC also requires firms to track personnel usage of these new solutions to ensure they are being adopted.
3. Enhance Surveillance: Firms must assess and improve their surveillance programs to ensure they are effectively monitoring for off-channel communications and other violations. This includes ensuring that any new, approved communication methods are fully incorporated into the firm’s surveillance routines.
4. Reinforce Policy with Training and Attestation: Review and enhance all training on communication policies. Firms must also require personnel to certify in writing on a periodic basis (e.g., quarterly or annually) that they are complying with the firm’s preservation requirements.
5. Create a Consistent Disciplinary Framework: The SEC is focused on accountability. Firms must review their framework for addressing non-compliance. This review must evaluate why personnel violated the policies and determine if penalties were handed out consistently across all business lines and, most importantly, all seniority levels.

Implications for the Industry

These cases make clear that the SEC’s “off-channel communications” initiative is not winding down. Instead, it’s expanding beyond Wall Street’s largest banks into the private-fund ecosystem.

Advisers that manage alternative credit, private equity, or real estate funds — sectors historically less examined for recordkeeping — are now front and center.

The practical implication is that communication-archiving and supervision systems must evolve:
hybrid work, mobile collaboration, and AI-driven chat tools all create new channels that must be recorded under the same rules as email or Bloomberg Chat.

Final Thoughts

The January 2025 enforcement actions reinforce a simple truth:
recordkeeping is the foundation of market integrity.

The SEC’s message is blunt — failure to capture and preserve business communications isn’t a technical glitch; it’s a compliance breakdown that erodes transparency, supervision, and investor protection.

Firms that treat recordkeeping as a back-office chore will continue to write eight-figure checks.
Those that treat it as a core compliance and cultural priority can avoid the next headline.

References

1. SEC: Twelve Firms to Pay More Than $63 Million Combined to Settle SEC’s Charges for Recordkeeping Failures ↩︎
2. FINRA: https://www.finra.org/rules-guidance/guidance/interpretations-financial-operational-rules/sea-rule-17a-4-and-related-interpretations ↩︎
3. SEC: SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures ↩︎

On this page

↑ Back to top