With no end in sight to the consistent and costly enforcement, are your books and records ready to stand up to regulatory scrutiny?
“The time is now to bolster your record retention processes and to fix issues that could result in future misconduct by firm personnel.”
—Sanjay Wadhwa, SEC Deputy Director of Enforcement
Download the white paper Communications Compliance: Stay Ahead of the Curve
Sanjay Wadhwa, SEC Deputy Director of Enforcement, noted in an August 2023 release, "we know that other SEC-regulated entities have committed similar violations, and so our work to enforce industry-wide compliance continues." Common themes across the 80+ charges the SEC handed down from December of 2021 through August 2024 include:
Read about how 2023 SEC Enforcement and 2024 Priorities Set Compliance Expectations for 2024
November 2021 - SEC proposes updates to electronic recordkeeping rules updated in 1997 to bring standards in line with technological innovation.
December 2021 - global financial institution agrees to $125 million SEC penalty for failure by the firm and its employees to maintain and preserve written communications, including use of personal devices and unapproved communication channels.
September 2022 - in the first multi-firm SEC sweep, 16 Wall Street firms were charged with widespread and longstanding failure to maintain and preserve electronic communications, including use of personal devices and unapproved communication channels, with combined penalties of over $1.1 billion.
October 2022 - SEC adopts proposed rules to modernize recordkeeping requirements to adapt to new technologies in electronic recordkeeping.
May 2023 - SEC charges two global financial institutions with widespread and longstanding failure to maintain and preserve electronic communications, with combined penalties of $22.5 million. The firms admitted that employees often communicated about matters of securities business using personal devices and off-channel communication platforms including WhatsApp.
August 2023 - SEC charges 10 broker-deals and one dually registered firm with widespread and longstanding failure to maintain and preserve electronic communications, with combined penalties of $22.5 million. The investigation uncovered pervasive use of 'off-channel' communications across the firms.
September 2023 - SEC charges two credit rating agencies for longstanding failures to preserve electronic records, including off channel communications on both personal and work-related devices. One of the firms was also charged with disclosure and internal controls violations for communication about ratings and predictive model adjustments via text message. The combined penalties across the actions were $12 million.
September 2023 - the SEC announces charges against five broker-dealers, three dually registered firms, and two affiliated investment advisers for widespread and longstanding failures to maintain and preserve electronic communications. The investigations uncovered pervasive and longstanding use of unapproved communications channels and failure to store the substantial majority of these off-channel communications.
February 2024 - the SEC announced even more penalties for record-keeping failures, with combined civil penalties of more than $81 million. Five broker-dealers, seven dually registered broker-dealers and investment advisers and four affiliated investment advisers were charged with widespread and longstanding failure by both the firms and their employees to maintain and preserve electronic communications
April 2024 - the SEC charged an advisory firm with widespread and longstanding failure to maintain and preserve electronic communications. The investigation found that employees across the firm conducted company business internally and externally using personal texting platforms and other non-approved messaging applications in violation of the firm’s policies and procedures. The firm was also changed with failure to reasonably supervise and enforce its code of ethics. The firm agreed to pay a $6.5 million penalty and to implement improvements to its compliance policies and procedures.
August 2024 - the SEC required 26 firms to pay more than a combined $390 million to settle charges of widespread recordkeeping failures. The firms admitted that employees sent and received off-channel communications and did not maintain them as required under securities laws.
September 2024 - SEC charges six credit rating agencies for significant failures by the firms and their personnel to maintain and preserve electronic communications. The combined penalties across the actions were $12 million.
September 2024 - SEC charges 12 municipal advisors for longstanding failures to preserve records of electronic communications. The firms must immediately implement improvements to their compliance policies and procedures to address these violations, including retaining a compliance consultant where required. The combined penalties across the actions were $49 million.
September 2024 - SEC charges twelve broker-dealers, RIAs and dual-registered firms for widespread and longstanding failures to preserve records of electronic communications. The firms have begun implementing improvements to their compliance policies and procedures to address the violations. The combined penalties across the actions were $88 million.
“One of the orders included in today’s announced actions is not like the others. There are real benefits to self-reporting, remediating and cooperating”
—Gurbir S. Grewal, Director of the SEC’s Division of Enforcement
In May of 2024, The Wall Street Journal reported that three large private equity firms disclosed in their quarterly filings that they have been cooperating with the SEC regarding investigations for failure to preserve and monitor employee communications and have been discussing potential resolutions.
SEC leadership has gone on record stating that proactively identifying and self-reporting violations could result in reduced penalties. Read more about how the SEC assesses penalties for off-channel communication and record keeping violations.
In the August 2024 sweep, three firms self-reported their violations and, as a result were assessed significantly lower civil penalties than they would have otherwise, a trend that was evident in other sweeps for recordkeeping failures as well.
The potential for lower fines underscores the need for proactive communications compliance. Implementing technology for surveillance and monitoring for potential violations along with effective record retention will enable firms to stay compliant with stringent recordkeeping requirements—and identify problematic issues before the regulators do.
Firms should expect the focus to continue. Are you ready to face the continued scrutiny of the SEC and other regulators worldwide?
Download the 2024 Surveillance Benchmarking Survey & Report from 1LoD and co-sponsored by MCO to see how your firm's trade and communications surveillance practices compare to those of your peers.
The CTFC ordered a global financial services firm to pay a $5.5 million penalty for violations of the recordkeeping provisions of the Commodity Exchange Act and CFTC regulations for failure to fully record and retain thousands of mobile device calls—and for failure to comply with prior orders to properly preserve the records. According to Director of Enforcement Ian McGinley, this case demonstrates that "the CFTC will continuously pursue swap dealers that fail to meet their recording obligations and there will be consequences for violating CFTC orders, including increased penalties." He highlights that firms "will be held accountable when they fail to comply with their regulatory obligations and fail to abide by obligations imposed by prior CFTC orders.”
in August of 2024, the CFTC charged three firms with failure to maintain, preserve, or produce required records and failure to diligently supervise business matters. As a result of the firms' failure to ensure that employees—including supervisors and senior-level employees—complied with the firm’s communications policies and procedures, the firms failed to maintain business-related communications made in connection with its commodities and swaps business, and therefor failed to diligently supervise their business as a CFTC registrant. Like with the related SEC action, the firm that self-reported received a substantially reduced penalty.
The August 2024 sweep was not without controversy, with a senior regulator at the CTFC noting their dissent with one of the actions.
And in another action of note, Ofgen levied a fine of £5.41m against another international financial services firm for failure to record and retain electronic communications regarding energy trades. The action marks the first time that a company was fined in Great Britain under regulatory requirements to record and retain electronic communications relating to the trading of wholesale energy products.
A Guide to Global Regulators Covering Communications Surveillance
According to SEC Chair Gary Gensler, recordkeeping rules have been an essential part of market integrity since the 1930s, and as technology rapidly evolves, it is “even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.”
SEC Rule 17a-4 requires firms to maintain and preserve electronic records for three-six years depending on the type of record and communication in a non-rewriteable, non-erasable format to prevent alteration or deletion. Amendments to the rule adopted in October of 2022 provide that records can also be stored using an electronic recordkeeping system that maintains and preserves communications with a complete and demonstrable audit trail.
The regulatory focus is not unique to the United States. Chapter 10A of the FCA’s Senior Management, Arrangements, Systems and Controls Sourcebook requires firms to take reasonable steps to keep copies of electronic communications for at least five years. Firms must also take reasonable steps to prevent employees from using personal devices from which the firm cannot monitor and record communications for business purposes. In Europe, MiFID II requires covered firms to maintain records in a "durable medium" that can be easily accessed for five to seven years. And in Canada, under IIROC’s correspondence rules, firms must retain communications for five years and be readily available by the agency for inspection at all times.
Read about the elements of an effective communications compliance program
Message Sent
Regulators have sent a clear message that recordkeeping requirements and off-channel communications are continuing priorities. Firms must be preserving communications across the organization, and also be able to easily access their communications archives for both e-discovery and demonstrable proof of compliance.
“Today’s actions – both in terms of the firms involved and the size of the penalties ordered – underscore the importance of recordkeeping requirements: they’re sacrosanct. If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened,
—Gurbir S. Grewal, Director of the SEC’s Division of Enforcement
Firms should also be monitoring the communications that employees are sending. The FCA released a Market Watch warning of “significant compliance risk” of market abuse and misconduct from the use of unmonitored communication channels. The report also expressed concerns about the use of WhatsApp by firms and individuals across the financial services industry to arrange deals and provide investment advice.
Read the white paper Compliance in the Digital Age - Addressing the Risk of Market Abuse
Even firms who have policies and procedures in place should take a hard look at them to ensure that they are keeping pace with rapidly changing communications technology. Email has long been a business standard, but communication practices have been evolving as quickly as the technology does. Texting, social media and ephemeral messaging platforms like WhatsApp are societal communication norms now and firms should expect that employees will be using them to communicate with both customers and each other. Watch an on-demand webinar on best practices for communications surveillance.
And what about emojis? 🤔🤔🤔 That was a hot topic at the 2023 FINRA Annual Conference. During a panel, FINRA head of examinations Michael Solomon stated that a top priority for the regulator this year is looking at firm procedures for monitoring off-channel communications, including the use of emojis to convey subtext. He also noted that texts are usually more condensed than emails and often include more acronyms. Maintaining a surveillance system that effectively classifies messages and identifies red flags across channels becomes more and more critical as volumes of communications and variances across mediums increase.
Regulators expect that firms will have the latest compliance technology in place to monitor and archive eComms according to the most current recordkeeping requirements. MCO can help your firm streamline communications compliance and stand up to the books and records scrutiny.
MCO's eComms Review and eComms Keep solutions enable firms to reduce the risk of non-compliant communications with comprehensive surveillance and message archiving. Contact us for a demo today to see the solutions in action!