Off-Channel Communications: How Financial Services Organizations Can Address Regulators’ Latest Target

Mar 27, 2025

3 min

Antonio Rega


Off-channel communications (OCC) occur when employees use unapproved and inadequately protected devices – such as personal cellphones – or applications to communicate with co-workers, counterparties and / or clients. Many financial services firms are required to maintain copies of all communications regarding their business, supervise the same, and produce them in response to regulatory requests. Firms cannot meet those compliance obligations when employees resort to unauthorized OCC for business-related matters.


In charging 15 broker-dealers and one affiliated investment advisor in September 2022 with record-keeping violations, the SEC noted that its investigation uncovered employees at all levels of these firms who routinely used text messaging apps on their personal devices to discuss business matters between January 2018 and September 2021 [1]. The firms settled the charges and agreed to pay penalties totaling more than $1.1 billion. Just as important, the firms also agreed to engage independent compliance consultants to ensure the use of OCC meets regulatory standards as part of the settlements.


In a related move [2],  the Commodity Futures Trading Commission (CFTC) ordered 11 financial institutions to pay more than $710 million for recordkeeping and supervision failures for widespread use of unapproved communication methods such as personal texts, WhatsApp, and Signal. Additionally, the Financial Industry Regulatory Authority (FINRA) has also taken action when it comes to OCC.



Antonio Rega, digital forensics, data governance, privacy, security, emerging technology, and discovery expert with J.S. Held, observes, “While the current administration has loosened certain regulatory enforcement near-term, we continue to observe requests from clients in supporting management of “off-channel” communications, with a particular focus on 3rd party chat messaging platforms on mobile devices, such as Whatsapp. These inquiries include supporting corporate stakeholders with internal auditing of their organizational platforms, policies and procedures.”


By implementing effective processes and utilizing software and outside experts to monitor and detect OCC, broker-dealers, investment advisers, and other financial institutions can reduce the risk of regulatory enforcement and penalties and ensure that they remain in compliance with regulations.



Steve Strombelline, regulatory and enterprise risk management expert with J.S. Held adds, “Although concerns typically impact broker-dealers, firms outside of financial sectors are looking closely at their messaging processes as well, which is advisable."







In addition to guaranteeing that these communications are properly documented and retained, the regulations are set up to prevent the use of OCC to manipulate securities transactions or commit fraud and to ensure that it is not used to violate any other securities laws. Firms’ supervisory procedures must be reasonably designed to detect for OCC when they monitor for such activity.


The following article discusses the risks that OCC pose for financial services firms, especially as the SEC, FINRA, and the CFTC have made it clear that they are now targeting firms throughout the industry about their OCC to see if they are recording and preserving business information according to regulations.


The piece also explains how firms, including broker-dealers of all sizes, should manage their OCC to ensure that they and their employees comply with federal securities laws and regulations.


Finally, the authors address the complexity related to the collection of OCC in response to regulatory enforcement investigative requests. As the fines and settlements between those firms and the SEC exemplify, financial services firms of all sizes need to take this regulatory focus seriously and take the proactive step of engaging an independent third-party with expertise and experience in both digital forensics and compliance issues.


To read the full article and learn more about the risk of off-channel communications and how companies should manage their OCC to remain compliant, click on the button below:



To connect with Antonio Rega simply click on his icon now.


To arrange a conversation with Steve Strombelline or any other media inquiries - contact :


Kristi L. Stathis, J.S. Held

+1 786 833 4864

Kristi.Stathis@JSHeld.com


References

[1] https://www.sec.gov/news/press-release/2022-174

[2] https://www.cftc.gov/PressRoom/PressReleases/8599-22

Connect with:
Antonio Rega

Antonio Rega

Managing Director

Head of Digital Forensics and Information Governance | E-Discovery and Regulatory Compliance Advisor | Global Investigations Leader

Regulatory ComplianceExpert Witness Testimony & Litigation SupporteDiscoveryDigital Forensics Expert WitnessData Privacy & Governance

You might also like...

Check out some other posts from J.S. Held LLC

1 min

Video Insights: Regulatory Impacts of Trump’s First 100 Days

Since taking office in January, President Trump’s administration has taken numerous actions that will impact the realm of environmental and sustainability regulations. Such rapid changes and inconsistencies are creating complications for companies accustomed to relying on clearly established legislative and regulatory road maps, but also potential opportunities that may materialize as a result. In this video, John Peiserich and Andrea Korney discuss how a surge of new legislation, resulting litigation, and factors such as changing tariffs and supply chains present both emerging risks and opportunities for stakeholders as they plan ahead past the new administration’s first 100 days. Looking to know more or connect with John Peiserich and Andrea Korney? Simply click on either expert's icon now to arrange an interview today.

1 min

Insights: Cyber Risks & Opportunities in 2025

Managing cyber risk is no longer simply a technical necessity but also a strategic imperative in global business. With companies becoming more interconnected and reliant on artificial intelligence, the Internet of Things, and the rest of the digital ecosystem, they are exposed to greater opportunity and risk. In the video below, Senior Managing Director & cybersecurity expert Denis Calderone shares topics covered in the 2025 J.S. Held Global Risk Report focused on managing cyber risk in the year ahead. To view the report and learn more about cyber risks and opportunities, click on the button below: Looking to know more or connect with Denis Calderone Simply click on his icon to arrange an interview today.

3 min

J.S. Held 2025 Global Risk Report: Navigating Cyber Risk in an Era of Evolving Technology & Regulations

Managing cyber risk is no longer a technical necessity but also a strategic imperative in global business. As companies are more interconnected and reliant on artificial intelligence (AI), the Internet of Things, and the rest of the digital ecosystem, they are exposed to greater opportunities and risks. In this video, Senior Managing Director and cybersecurity expert Denis Calderone shares topics covered in the 2025 J.S. Held Global Risk Report focused on managing cyber risk in the year ahead. The global regulatory landscape is evolving rapidly in response to the increasing severity of cyber threats. Governments and regulatory bodies, including the U.S. Securities and Exchange Commission (SEC), the European Union (EU), and the U.S. Transportation Security Administration (TSA), have introduced cybersecurity mandates that require businesses to strengthen their defenses, improve incident reporting, and ensure compliance with new industry standards. The 2025 Global Risk Report by J.S. Held provides perspectives on these regulatory shifts, helping businesses navigate the complexities of cyber risk and compliance. The growing frequency and severity of cyberattacks are reshaping how businesses approach risk management. The J.S. Held 2025 Global Risk Report explores key issues facing business today, including: Business Interruption from Cyber Incidents: High-profile cases like Change Healthcare’s 2024 breach demonstrate how cyberattacks can halt operations, lead to regulatory scrutiny, and result in massive financial losses. Reputational and Legal Fallout: Cyber incidents can trigger lawsuits and damage a company’s reputation, often leading to prolonged trust recovery periods with customers and investors. Loss of Sensitive Data: Data breaches can expose critical information, including personal, financial, and proprietary data, amplifying risks of identity theft and fraud. Tightening Regulatory Landscape: New cybersecurity laws, such as the EU’s NIS2 Directive and Cyber Resilience Act, alongside the US SEC’s disclosure rules, demand stricter compliance from businesses in key sectors. Complexities in Cyber Insurance: Many companies lack clarity on whether their policies cover ransomware or meet legal and operational needs, leaving them exposed to potential financial risks. Ransomware Dilemmas and Legal Risks: Paying a ransom may violate international sanctions, creating additional legal complications for organizations already dealing with cyberattacks. Proactive Cybersecurity Enhancements: Companies implementing advanced cybersecurity measures like MFA, EDR, and immutable backup systems improve their defenses and reduce risks of disruption. AI-Powered Threat Detection: Artificial intelligence enables companies to identify fraud and cyberattacks faster by analyzing patterns and anomalies in real time, minimizing damage, and reducing costs. Increased Demand for Cyber Insurance: As companies across industries seek better coverage, insurers have opportunities to innovate new products, though exclusionary clauses are becoming more common. Business Continuity and Resilience: Organizations with strong cyber hygiene, incident response plans, and dependency mapping are better prepared for attacks and may benefit from reduced insurance premiums. Cybersecurity risk is just one of the five key areas analyzed in the J.S. Held 2025 Global Risk Report. Other topics include sustainability, supply chain, cryptocurrency and digital assets, AI and data regulations. If you have any questions or would like to further discuss the risks and opportunities outlined in the report, email GlobalRiskReport@jsheld.com. To connect with Denis Calderone simply click on his icon now. For any other media inquiries - contact : Kristi L. Stathis, J.S. Held +1 786 833 4864 Kristi.Stathis@JSHeld.com

View all posts