FINRA fines Deloitte Corporate Finance for failure to retain iMessages
Deloitte Corporate Finance, LLC (DCF) has agreed to pay a fine of $200,000 as part of a settlement with the Financial Industry Regulatory Authority (FINRA) regarding its failure to retain business communications.
Between July 2017 and February 2022, DCF failed to retain business-related iMessages sent and received by its representatives on 95 firm-owned Apple iPhones.
Starting in July 2017, DCF permitted firm personnel to utilize text messages for work-related purposes on firm-owned mobile phones. By default, Apple iPhones automatically create end-to-end encrypted iPhone-to-iPhone messages, called iMessages, which DCF’s third-party archiving system does not have the technological capability to capture. Given that DCF knew it could not archive iMessages, DCF sought to disable or block the iMessage function for the iPhones it had previously issued (and for those going forward) so that text messages would be sent as SMS or MMS messages, and thereafter archived by the firm’s third-party service.
In June 2018, when attempting to apply the disabling control to new employees’ iPhones, DCF personnel noticed that the control was not disabling iMessages on new iPhones, possibly because of an issue with a new version of the iPhone operating system.
In July 2018, the DCF individual who was coordinating the deployment of the iMessage disabling control left the firm, and that person’s responsibilities were not fully transitioned to a new person. Accordingly, the original blocking control ceased working, or was never applied, on an increasing number of firm-owned iPhones.
In January 2022, a DCF registered representative referenced sending and receiving specific text messages that the firm could not find in its archiving system. Upon investigation, DCF learned that the referenced text messages were iMessages, not SMS or MMS messages, and thus were not being archived by the firm’s third-party system.
DCF thereafter collected firm-owned iPhones from its registered representatives and uploaded 676,000 iMessages from those iPhones into the firm’s archiving system to perform a supervisory review. Only four of the iPhones that DCF collected had the iMessage function disabled, meaning that 95 firm-owned iPhones that were collected were not compliant with DCF’s original iMessage blocking control.
While conducting the supervisory review, DCF also worked in concert with vendors to deploy a more robust blocking control to disable the iMessage feature on firm-owned iPhones. As a result of the more robust blocking control, text messages are now sent as SMS or MMS messages, which are captured by DCF’s third-party service.
Therefore, DCF violated Section 17(a) of the Exchange Act, Rule 17a-4 of the Exchange Act, and FINRA Rules 4511 and 2010.
In resolving this matter, FINRA has recognized DCF’s cooperation.