SEC Sends $1.1 Billion Warning to Financial Firms that Ignore Record-keeping Requirements
The historic SEC settlement of $1.1 billion in fines for communications monitoring failures at 16 financial institutions should be a wake-up call for broker-dealers and investment advisers. Although financial firms may view the SEC’s record-keeping rules as mundane and inconvenient, these settlements establish how seriously the SEC views them. The total fines imposed in these settlements are nearly as large as last year’s total fines of $1.4 billion.
These cases include some of the biggest industry players and sanctions them to account for significant books and record keeping failures. Firms consistently failed to address the substantial risk that the proliferation of unmonitored electronic communications platforms – such as WeChat and WhatsApp – create.
As these cases attest, the financial industry has been quick to adopt new ways to communicate with clients and colleagues. Conversely, firms have been slow to adopt or update technology to store and monitor mobile messaging apps.
The prevalence of these new communications apps caught the SEC’s attention, and, in October 2021, the Commission began sweep examinations to determine how many large broker-dealers were monitoring employees’ digital communications. The first blow fell in December 2021, with a large broker-dealer agreeing to pay a $125 million penalty to resolve charges that it failed to maintain appropriate books and records list includes many of the largest financial firms in the U.S. More cases followed, with the recent announcement of the 16 settlements being the biggest headline grabber.
The violations occurred at all levels, including senior executives, supervisors and front-line employees across investment banking, trading, asset management and beyond. Firm management and supervisors routinely violated firm policies and procedures by using their personal devices to communicate using unapproved and unmonitored text and messaging applications. Although firm policies and procedures forbade the use these communication applications, the SEC found little evidence that firms were actively trying to detect and prevent their use.
As noted by Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, these recent settlements “underscore the importance of recordkeeping requirements: they’re sacrosanct. If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened.” The SEC cannot effectively protect the investing public and ensure market integrity unless firms maintain required books and records of their official business. Moreover, firms that ignore their record-keeping responsibilities might give investors the impression that they have something to hide. It could also signal larger issues with the firm’s internal compliance culture.
Follow the leader
In all these cases, firm management used unmonitored and unarchived messaging apps just like their employees. Moreover, no one appeared to be checking to confirm that employees were complying with firm policies mandating the use of only approved devices and applications for conducting firm business. Consequently, there were no penalties or sanctions for violating the policies. Supervisors need to lead by example by complying with the rules themselves, training their employees to comply, imposing meaningful sanctions for violations, and providing compliance teams with sufficient resources to monitor compliance.
Risky business
The proliferation of electronic communications platforms creates significant risk for firms, who must ensure business is only done on communications platforms that are being retained and monitored. Do not assume that the off-channel message simply disappears.
For example, a recent SEC settlement against an investment adviser arose from a whistleblower complaint, where the firm and its Chief Investment Officer were charged with violating their fiduciary duty as well as the Advisers Act books and records rules. The SEC found that the firm favored certain private fund clients during the redemption process, and the smoking gun revealing the bad behavior came from a text. Firms that turn a blind eye to employees’ using off-channel messaging run the risk of employees sending inappropriate and potentially illegal communications. If the messages are uncovered, firm management can face liability for these bad acts as well as charges of failure to supervise.
Balancing act
In the past, firms did not have sophisticated tools to capture many electronic messaging applications, including texts. Service providers, however, have rushed to fill this gap and there are options available to capture and allow for monitoring many existing electronic communication applications.
One big issue is cost. Since maintaining a firm’s books and records does not generate income, many firms balk at spending money on new technology. The incredible volume of electronic communications, however, makes use of technology essential to manage retention and supervision.
Additionally, monitoring electronic communications takes a certain level of firm knowledge, compliance expertise and industry experience. It also takes time. Based on these settlements, the SEC views supervision and compliance with record-keeping obligations as mandatory when personal devices and messaging apps for firm business. It is an essential risk management function and should receive appropriate resources.
Keeping pace with new technology
Firms will have to determine what makes sense given their business model, client base and resources when developing their electronic communication retention and supervision policies. Although technology is available to capture some of the newer electronic communication channels such as WhatsApp and iMessage, there are other channels where there are no such solutions. Firm should understand which communication channels their employees and clients are using, then decide and what they can reasonably expect to monitor and retain with the resources they have.
It is not illegal to use electronic messaging apps, but if your firm is going to use them for business, then they must be captured, retained and monitored. Additionally, the SEC settlements indicate that relying on an annual certification from employees that they are only using approved communication channels is no longer enough. Firm should consider more frequent attestations, periodic training, and monitoring use of personal devices.
Privacy protection
Aside from the cost of retaining and supervising various communication channels, there is the issue of employee privacy. On the one hand, financial regulators expect firms to use surveillance systems to detect and prevent market abuse and employee misconduct. On the other, the proliferation of data collection has triggered a push for enhanced privacy rights in the U.S. and other areas of the world. Firms need to tailor their surveillance programs to address employee privacy by collecting the minimum amount of personal data necessary to identify misconduct, and letting employees know exactly how the program works.
Firms should be clear that access to the e-communications monitoring system is tightly controlled, and only those with a “need to know” will conduct the surveillance. Finally, employees should understand the channels being monitored and the prohibited conduct firms are looking to identify.
There is more to come from the SEC on communications monitoring – investigations into investment advisers are already under way. The SEC’s sweep is focused on four key areas:
- Firm policies and procedures governing the communications devices and platforms employees are allowed to use for business communications
- Procedures for electronic communications retention and supervision
- Software and hardware used to enable employees to comply with firm policies on authorized electronic communications and retention
- Testing to determine whether employees are complying with firm policies and procedures
Aside from potential sanctions and reputation damage from an SEC settlement, SEC registered firms, wherever they are in the world, should consider the message they send to the market when they ignore their regulatory obligations. As Warren Buffet says, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
How we help
ACA can support you to take the crucial steps forward to help your firm be prepared when the regulators come knocking. Our surveillance, review, gap analysis, and training solutions are designed to help you manage firm-wide risk in a way that meets regulatory expectations and industry best practices.
If you have any questions or would like to discuss how ACA can help your firm strengthen its surveillance program, increase efficiencies through technology, and ensure that your regulatory obligations are met, please reach out to your ACA consultant or contact us here.
First published on Thomson Reuters Regulatory Intelligence on 17 October 2022.