The TL;DR / Executive Summary
The Companies: Over a dozen of Wall Street’s biggest firms, including JPMorgan, Goldman Sachs, and Morgan Stanley.
The Penalty: Combined regulatory fines exceeding $2 billion.
The Rule Violated: SEC record-keeping rules (specifically, Rule 17a-4) require the preservation of business-related communications.
The Core Failure: A systemic breakdown where employees at all levels, including senior executives, used personal messaging apps (“shadow communications”) for official business, creating a massive supervisory blind spot that regulators could not tolerate.
The Context & The Incident
JPMorgan, Goldman Sachs, and Morgan Stanley. These are some of the biggest financial institutions in America, ones people look up to as pillars of trust and reliability.
In 2021, however, their reputations would be changed forever – all because of a few messages.
For years, the line between personal and professional blurred as executives, traders, and bankers embraced the speed and convenience of WhatsApp, Signal, and personal text messages. Deals were discussed, trades were arranged, and client advice was given—all on unmonitored, unarchived “off-channel” platforms.
In 2021, regulators at the SEC, while conducting unrelated investigations, noticed a suspicious pattern: whenever they subpoenaed these firms for communications records related to specific deals, they found incomplete conversations. They knew discussions were happening, but there was no paper trail.
This triggered one of the largest regulatory sweeps in recent memory. The SEC and CFTC launched parallel investigations, demanding that firms account for their employees’ communications. What they found was this: managing directors, heads of desks, and C-suite leaders were routinely violating their own firms’ policies. The very people responsible for setting the “tone at the top” were the worst offenders.
As SEC Chair Gary Gensler said during JPMorgan’s enforcement action: “As technology changes, it’s even more important that registrants ensure that their communications are appropriately recorded and are not conducted outside of official channels in order to avoid regulatory scrutiny.”
The Root Cause Breakdown
What went wrong? Here are the three main causes behind this catastrophe:
A Culture of Convenience Over Compliance: The core problem was cultural. In the high-speed world of finance, closing a deal quickly beat any slower, less convenient alternative. When senior leaders started using personal texts to do business, everyone else followed suit, and off-channel communication quickly became the norm. The annual “I have read the policy” checkbox became a meaningless ritual because everyone knew reality operated differently. According to regulators, the practice was not limited to a handful of rogue employees. Instead, it involved personnel across multiple levels of the organization, including supervisors and senior managers who regularly discussed business matters through personal text messages and messaging applications. As more employees adopted these channels, compliance policies increasingly existed only on paper. The convenience of sending a quick WhatsApp message or text often outweighed concerns about recordkeeping requirements. Over time, what began as an exception gradually became an accepted way of doing business.
“Paper-Only” Policies with Zero Teeth: Virtually every one of these institutions had a written policy prohibiting the use of personal devices for business communications, but there were no processes actually enforcing it. With passive training and little discipline or supervision, the only system really being followed was the honor system. Beyond the occasional slap on the wrist, it was simply more convenient to look the other way. The result was a significant gap between official policy and actual behavior. Firms told employees what they were not supposed to do, but many failed to consistently monitor compliance, detect violations, or escalate misconduct when it occurred. Regulators ultimately found that supervisory systems failed to prevent widespread use of unauthorized communication channels.
A BYOD Policy With No Control: The firms embraced “Bring Your Own Device” (BYOD) for its cost savings and convenience, but failed to implement the technology needed to manage the risk. They allowed employees to use personal smartphones without mandating software to block prohibited apps or capture communications for archival purposes. They essentially handed employees a tool that made rule-breaking effortless and gave themselves no technological means to police it, hence the fallout that followed. As business discussions migrated to personal devices, firms lost visibility into communications that regulators expected them to retain. When investigations later required those records, many simply did not exist, exposing massive failures in recordkeeping, supervision, and compliance.
The Fallout & Liability
A mistake that could have easily been avoided would soon cost JPMorgan alone a total of USD 200 million in penalties:
- $125 million to the U.S. Securities and Exchange Commission for recordkeeping violations
- $75 million to the Commodity Futures Trading Commission for recordkeeping and supervisory failures
This was just the beginning. Over the following years, regulators brought similar actions against numerous other banks and financial firms, and the cumulative penalties across the industry eventually exceeded USD 2 billion. JPMorgan’s settlement merely set the precedent for the wave of enforcement actions that followed.
What matters here, however, isn’t the fines, but rather the importance of personal accountability.
Regulators are no longer satisfied with just penalizing the company. As part of these settlements, the SEC demanded that firms discipline the individuals involved. This included clawing back bonuses, reducing compensation, and even terminating senior employees. Finally, CCOs and Risk Managers could see a direct link between their team’s texting habits and their own personal compensation. The era of plausible deniability was over.
The “Take It to Work” Checklist
Let this case be your wake-up call: Don’t assume your company is immune. Use this 4-step checklist this week to gauge your own “shadow comms” risk.
Audit From The Top: Don’t just send another all-staff memo. Sit down with your executive leadership team and review their communication practices. Ask them directly: “Are you using personal messaging apps for any substantive business talk?” If your leaders aren’t modeling perfect behavior, any policy you write is worthless.
Redefine “Business Communication” in Plain English: Make policies crystal clear, showing that any communication that discusses clients, deals, advice, or strategy – regardless of the platform used – is a business record that must be retained. Run training sessions with concrete examples: “Discussing a client meeting time on WhatsApp? Fine. Debating the terms of a deal? A violation.”
Fix Your BYOD Policy with a “No-Exceptions” Mandate: Update your BYOD policy with a clear choice: either employees install company-mandated Mobile Device Management (MDM) or communication-capture software on their personal phones, or they must carry a separate, locked-down company device. There is no third option. Make compliance the path of least resistance.
Link Compliance to Compensation: Work with HR and department heads to make adherence to communication policies a specific, measurable component of performance reviews and bonus calculations. Publicize the consequences. When an employee is disciplined for a violation, anonymize the details and share the precedent with the entire firm. Nothing changes behavior faster than seeing real-world financial consequences.