Sanjay Wadhwa, SEC Deputy Director of Enforcement, noted in an August 2023 release, "we know that other SEC-regulated entities have committed similar violations, and so our work to enforce industry-wide compliance continues." Common themes across the 30+ charges the SEC handed down from December of 2021 through August 2023 include:
- Employees routinely sending communications regarding business matters using unauthorized apps and personal devices
- Firms failing to preserve communications in violation of U.S. federal securities laws
- Widespread failures to effectively enforce policies and procedures around communications compliance
- Pervasive use of off-channel communications by personnel across all levels of the organizations, from junior associates to supervisors and senior executives
- Failure of senior management to set the appropriate tone from the top to prevent misconduct
In February of 2024, the SEC announced even more penalties for record-keeping failures, with combined civil penalties of more than $81 million. Five broker-dealers, seven dually registered broker-dealers and investment advisers and four affiliated investment advisers were charged with widespread and longstanding failure by both the firms and their employees to maintain and preserve electronic communications. Firms should only expect the focus to continue.
The CFTC ordered a global financial services firm to pay a $5.5 million penalty for violations of the recordkeeping provisions of the Commodity Exchange Act and CFTC regulations for failure to fully record and retain thousands of mobile device calls—and for failure to comply with prior orders to properly preserve the records. According to Director of Enforcement Ian McGinley, this case demonstrates that "the CFTC will continuously pursue swap dealers that fail to meet their recording obligations and there will be consequences for violating CFTC orders, including increased penalties." He highlights that firms "will be held accountable when they fail to comply with their regulatory obligations and fail to abide by obligations imposed by prior CFTC orders."
And in another action of note, Ofgem levied a fine of £5.41m against another international financial services firm for failure to record and retain electronic communications regarding energy trades. The action marks the first time that a company was fined in Great Britain under regulatory requirements to record and retain electronic communications relating to the trading of wholesale energy products.
Tone from the top and culture matter to compliance across the firm. Watch the on-demand webinar Beyond Wishful Thinking: How to Create a Thriving Culture of Compliance with Michael Rasmussen from GRC 2020 for practical guidance on implementing a best-practices framework that supports and enhances compliance.
According to SEC Chair Gary Gensler, recordkeeping rules have been an essential part of market integrity since the 1930s, and as technology rapidly evolves, it is “even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.”
SEC Rule 17a-4 requires firms to maintain and preserve electronic records for three to six years, depending on the type of record and communication, in a non-rewriteable, non-erasable format to prevent alteration or deletion. Amendments to the rule adopted in October of 2022 provide that records can also be stored using an electronic recordkeeping system that maintains and preserves communications with a complete and demonstrable audit trail.
The regulatory focus is not unique to the United States. Chapter 10A of the FCA’s Senior Management, Arrangements, Systems and Controls Sourcebook requires firms to take reasonable steps to keep copies of electronic communications for at least five years. Firms must also take reasonable steps to prevent employees from using, for business purposes, personal devices whose communications the firm cannot monitor and record. In Europe, MiFID II requires covered firms to maintain records in a "durable medium" that can be easily accessed for five to seven years. And in Canada, under IIROC’s correspondence rules, firms must retain communications for five years, and those communications must be readily available to the agency for inspection at all times.
Regulators have sent a clear message that recordkeeping requirements and off-channel communications are continuing priorities. Firms must be preserving communications across the organization, and also be able to easily access their communications archives for both e-discovery and demonstrable proof of compliance.
“Today’s actions – both in terms of the firms involved and the size of the penalties ordered – underscore the importance of recordkeeping requirements: they’re sacrosanct. If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened,
—Gurbir S. Grewal, Director of the SEC’s Division of Enforcement
Firms should also be monitoring the communications that employees are sending. The FCA released a Market Watch warning of “significant compliance risk” of market abuse and misconduct from the use of unmonitored communication channels. The report also expressed concerns about the use of WhatsApp by firms and individuals across the financial services industry to arrange deals and provide investment advice.
Take eComms Surveillance Beyond Email
Even firms that have policies and procedures in place should take a hard look at them to ensure that they are keeping pace with rapidly changing communications technology. Email has long been a business standard, but communication practices have been evolving as quickly as the technology does. Texting, social media and ephemeral messaging platforms like WhatsApp are societal communication norms now, and firms should expect that employees will be using them to communicate with both customers and each other.
And what about emojis? 🤔🤔🤔 That was a hot topic at the 2023 FINRA Annual Conference. During a panel, FINRA head of examinations Michael Solomon stated that a top priority for the regulator this year is looking at firm procedures for monitoring off-channel communications, including the use of emojis to convey subtext. He also noted that texts are usually more condensed than emails and often include more acronyms. Maintaining a surveillance system that effectively classifies messages and identifies red flags across channels becomes more and more critical as volumes of communications and variances across mediums increase.
Regulators expect that firms will have the latest compliance technology in place to monitor and archive eComms according to the most current recordkeeping requirements. MCO can help your firm streamline communications compliance and stand up to the books and records scrutiny.
MCO's eComms Review and eComms Keep solutions enable firms to reduce the risk of non-compliant communications with comprehensive surveillance and message archiving.