SEC targets its own staff's texting, nixes WhatsApp on work phones

The U.S. Securities and Exchange Commission has blocked third-party messaging apps and texts from employees' work mobile phones, bringing its own practices closer to the standards it's enforcing for the industry.

The SEC's decision to block disappearing-messaging apps will help improve record-keeping and comes in response to possible security vulnerabilities at the agency, which saw one of its social-media accounts compromised earlier this year. It follows about $3 billion in fines imposed on financial firms to settle allegations that they failed to keep adequate records of work-related communications on mobile devices and apps such as Signal and Meta's WhatsApp.

The scrutiny prompted Wall Street to overhaul how employees discuss business matters on mobile phones. Meanwhile, the SEC took a hard look at policies covering its own staff's communications on agency-issued phones.

The agency has restricted access to third-party messaging applications, as well as SMS (short message service) and iMessage texts "to lower risk that our systems could be compromised and to enhance recordkeeping," an SEC spokeswoman said in an emailed statement.

READ MORE:
They're coming for the RIAs: Latest SEC messaging sting nabs small firm
Wells Fargo, BNP to pay millions in U.S. fines in WhatsApp probes
JPMorgan bosses addicted to WhatsApp fuel $200 million in fines
Latest WhatsApp sweep shows value of cooperating with SEC
Compliance experts look to AI, tech to help with WhatsApp violations

The agency removed third-party apps in September, and removed text message functions on most staff phones in March, she said.

Financial firms are required to monitor and save communications involving their businesses to head off improper conduct. When they don't, agencies say it's significantly harder to investigate wrongdoing.

The Commodity Futures Trading Commission is considering whether to follow suit, according to a person familiar with the matter. A CFTC spokesperson didn't respond to a request for comment.

The regulatory crackdown has extracted at least $200 million apiece from Wall Street giants such as Bank of America, JPMorgan, Citigroup and Goldman Sachs, while fining many smaller players. That's been a boon to software and compliance providers pitching systems to capture the ephemeral communications.

But it has left members of the industry's rank and file seething. Some firms privately reprimanded or disciplined staff who had used unauthorized platforms. In certain cases, banks cut bonuses or even terminated offenders.

Fake post

The SEC's cybersecurity practices have come under scrutiny in recent months. In January, the regulator's X account was compromised using a staffer's agency-issued phone, which resulted in a fake post claiming that the watchdog had approved plans for a long-awaited spot-bitcoin exchange-traded fund.

That inaccurate post fueled a brief surge in the price of the world's biggest cryptocurrency. The SEC quickly regained control of the account and deleted the post. The incident underscored how even a regulator with an assertive stance on cybersecurity requirements isn't always protected.