
The $3.5B Wake-Up Call: What SEC Messaging Fines Tell Us About Communication Risk

Communication risk now carries a hefty price tag. Regulators have issued more than $3.5 billion in fines over one recurring failure: business messages sent on platforms like WhatsApp and Signal that were never captured in the firm's records. The SEC (Securities and Exchange Commission) has made its stance clear. There are no more do-overs, and firms that let business communication flow through technology outside their recordkeeping controls will be penalized.

A Closer Look at the SEC Messaging Fines

Since 2021, the SEC and CFTC (Commodity Futures Trading Commission) have launched widespread investigations into financial institutions that failed to retain business-related communications conducted over unauthorized messaging platforms.

One of the earliest and most high-profile cases involved JPMorgan, which paid $200 million in late 2021 after regulators found that employees, including senior staff, had used WhatsApp and personal devices for work-related communication. It is important to note that regulators did not allege the content of those messages was itself unlawful. The violation was that the messages ran over consumer apps the firm did not capture or archive, so no record survived, in breach of federal recordkeeping rules.

By 2022, enforcement actions widened. Goldman Sachs, Bank of America, Citigroup, and others faced a combined $1.8 billion in penalties for similar violations. Investigations found that employees had routinely used encrypted and auto-deleting messaging apps to communicate both internally and with clients, leaving no audit trail for the firm to produce.

These incidents breached SEC Rule 17a-4 and CFTC Rule 1.31, which require regulated firms to preserve business communications and keep them readily accessible to regulators. Importantly, regulators are no longer focused solely on whether policies exist on paper.

As Benesch Law explains, firms must now prove that their policies are enforced. This includes demonstrating technical controls, monitoring systems, and proactive measures to block the use of unauthorized messaging channels.

The Compliance Risk Behind Ephemeral Messaging

Applications like WhatsApp and Signal were never designed for official communications that an organization is accountable for. They are built to protect the privacy of the individual user: the conversation belongs to the person holding the device, and the design assumes that person is the only one who should control access to it.

From an organization’s standpoint, this breaks the chain of accountability. Regulatory frameworks, including those from the SEC, CFTC, FINRA (Financial Industry Regulatory Authority), and others, require firms to retain communications related to business operations, decision-making, and client interaction. If those records don’t exist, it becomes nearly impossible to demonstrate adherence to internal policies or industry regulations. In many cases, the absence of records is treated as noncompliance in itself, even if there was no intent to conceal information.

Firms also lose the ability to conduct self-reviews or respond proactively to issues before regulators step in, leaving them exposed to being blindsided by a public investigation. That can lead not only to penalties but also to a loss of trust with regulators and stakeholders alike.

Why Communication Risk Isn’t Just a Financial Sector Issue

While enforcement actions have largely targeted financial institutions, the underlying communication risk spans industries. Other sectors, such as healthcare, energy, defense, and government contracting, are equally subject to oversight and just as vulnerable when messaging controls fail.

The growing use of encrypted and disappearing-message platforms presents a particular challenge. The risk with Signal or WhatsApp is not weak security; their encryption is strong. The risk is the loss of the critical records that support accountability. When official conversations occur on unmonitored tools, organizations struggle to verify decisions, trace responsibilities, or respond effectively to audits and security incidents.

It’s not just regulators who need clear communication trails. Leadership teams, legal counsel, and audit committees all depend on reliable records to make informed decisions, establish accountability, and respond promptly when something goes wrong. Without visibility, these processes start to break down.

How Organizations Can Build a Defensible Messaging Audit Trail

Banning WhatsApp or Signal across the board won’t solve the problem. When speed or accessibility becomes a barrier, employees will find other ways to communicate—sometimes outside approved systems.

A more effective approach is for each organization to define clearly which roles and situations genuinely need the end-to-end encryption that employees are seeking when they turn to privacy apps, and then to provide tools that deliver that E2E encryption together with governance by design. We refer to this process as defining your "Classified Tier." It includes:

  • Defining the roles and scenarios that call for the improved security of E2E encryption
  • Providing messaging platforms that meet those security and governance requirements
  • Retaining messages and metadata in accordance with regulations
  • Training personnel on authorized tool usage and their responsibilities

But E2E encryption and governance features alone are still not enough. A tool that provides them must also feel familiar and fit seamlessly into existing workflows, or people will route around it.

Combining Form and Function

During sensitive situations, such as a cyber breach, an internal investigation, or a market-moving executive decision, teams should be able to move intuitively off their primary networks into a solution designed for secure out-of-band communication. A tool that feels like their day-to-day platforms reduces the impulse to turn to unauthorized apps.

The same principle holds true for external collaboration. Whether working with outside counsel, cyber threat sharing communities, or critical security vendors, these communications deserve the protection of E2E encryption while remaining auditable and easy to use.

Reducing Compliance Risk Through Secure Out-of-Band Communication

ArmorText supports organizations that need to protect their most sensitive communications without giving up control over retention, access, or auditability. Its solutions are purpose-built for environments where ease of use, E2EE-backed security, and oversight all matter.

When safeguards are thoughtfully integrated into enterprise communications, compliance becomes easier to sustain and costly regulatory fines easier to avoid.

To see ArmorText in action and explore secure, compliant communication solutions, contact us today.
