At the SIFMA annual conference earlier this month in Florida, speakers addressed in a number of panels the topic of off-channel communication recordkeeping enforcement actions and general compliance challenges.
In one session billed as “Strategies and Solutions,” the panelists reminded attendees of the breadth of cases, penalties and patterns seen in them, and they said pointedly: “Anyone in the financial services business is subject to an ask about this.”
Panelists included Melissa MacGregor (SIFMA, deputy GC), Etienne Borg-Townsend (BMO, senior litigation counsel); Amy Longo (Ropes & Gray, securities litigation and enforcement partner); and Laura Magyar (Patomak Global Partners, managing director).
Business-related text messages
The first of these types of cases came in September 2020, when the SEC announced settled charges against Jones Trading Institutional Services, LLC, a registered broker-dealer based in California, for failing to preserve business-related text messages exchanged on the personal devices of several of its registered representatives.
As alleged in the order, the text messages concerned, among other things, the size of orders, the timing of trades, and the pricing of certain securities.
The case arose because the company was unable to produce documents in response to a standard request in an unrelated SEC investigation, which left the agency frustrated at being unable to obtain the relevant documents it needed to understand the business’s dealings and resolve that matter.
Since then, there has been a wave of cases involving broker-dealers, dually registered firms, and municipal advisers – over $400m in fines involving 20 firms – 40 actions overall.
The panelists highlighted some of the patterns we have seen in the enforcement actions: recordkeeping and failure to supervise violations, with entities being targeted and not individuals, unless separate fraud charges were being brought in conjunction with the case against the business.
Large fines accompany most cases, unless timely self-disclosure was given by the business. And even then the self-disclosure did not lead to no-penalty or a settlement on a “no admit no deny” basis; they were also required to admit to the same liability as the other firms, including violations of recordkeeping provisions of the Exchange Act and Advisers Act and failing to reasonably supervise employees as required under the same statutes.
The seven undertakings the SEC and CFTC have required of businesses being charged have also been consistent, they observed:
- Hiring an independent compliance consultant.
- A detailed written report of its findings after the consultant’s review.
- The compliance consultant must assess, commencing one year after the report is submitted, whether electronic communications, including those found on personal devices, are being preserved as required under the federal securities laws.
- The business must report any employee disciplinary measures taken in response to these violations.
- Internal audit must conduct a separate audit to assess the company’s compliance-remediation progress.
- The business must engage in recordkeeping such that it preserves (for a certain period) records of compliance with these undertakings.
- The business must submit a certification that attests to all of its compliance undertakings as noted above.
The panelists highlighted how the regulators have consistently explained the mitigation measures each company took during the investigation.
That is, the enforcement orders have normally mentioned how the business already has enhanced its policies and procedures; increased training concerning the use of approved communications methods, including on personal devices; and significantly changed the technology available to employees to assist them in complying with recordkeeping obligations going forward.
Challenges and possible solutions
The panelists wondered what lies ahead, asking about whether transfer agents and rating agencies could be targeted next.
And they reminded us that the Federal Trade Commission and Department of Justice issued updated guidance on ephemeral messaging in 2023 that should be considered, and noted that FINRA has included the topic in its 2024 Annual Regulatory Oversight Report – FINRA noting it was the first time it had done so.
The speakers said businesses were not prepared for how SEC Rule 17a-4 compliance would work in a remote environment during the pandemic, and that firms continue to operate in an ongoing hybrid environment. They said each firm needs to consider how it can realistically keep up in this arena, including how well its vendors perform when transacting business with it.
Businesses must consider the breadth of records involved, costs and resources needed, and whether Bring-Your-Own-Device policies are still appropriate for the business.
“Be realistic about how your employees are using devices,” they kept saying. Employees will use any device they can access to complete an important deal and secure a client. They will turn to their personal devices if their employer-issued one is too hard to use because the technology on that device is cumbersome or not working.
The selection of the right technology solution and the business-wide commitment to capturing these communications to protect the business must be married together.
They also noted that using apps that are more common in other jurisdictions than in the US – such as WeChat – can introduce new risks that must be considered. Beyond the apps themselves, policies, usage and styles of communication can differ between jurisdictions as well. At the end of the day, firms must remember that if they are SEC-registered, they still need to capture these records, regardless of the rules in those locations.
Finally, your policies must include FAQs, clear examples, and information about where and how employees can get timely answers to their questions on best practices here. Well-written policies that are not followed account for a decent number of enforcement actions in general and in off-channel comms cases in particular – so be mindful of practicing what you preach at every level of the organization.
Policies must be married to internal controls, well-crafted lexicons that search for specific terms and names, so you get the necessary red flags when the policy has (possibly) been violated. The speakers asked: “Are you looking at enough messages in your surveillance to truly know if the rules are being followed?”
They followed that up with this query: “Are you periodically updating those lexicons to reflect changing slang, names and titles, etc., and considering whether artificial intelligence could help you craft better ones?”
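As an added illustration of the lexicon-based surveillance the panel describes (this is not code from the panel, SIFMA or any vendor), the small scanner below runs a term lexicon over a constructed sample of captured messages, shows how a lexicon refresh picks up new slang, and applies a hit threshold to decide which senders reach the documented escalation step. Lexicon patterns, message bodies, sender names and the threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed lexicon for this example; a real one is firm-specific and must be
# kept current as slang, names and titles change.
LEXICON = {
    "off_channel_migration": [
        r"\btext me\b", r"\bmy cell\b", r"\bpersonal (phone|email)\b",
        r"\b(whats ?app|wechat|signal|telegram)\b", r"\btake this offline\b",
    ],
    "trade_sensitive": [
        r"\b(order|block) size\b", r"\btiming of (the )?trades?\b", r"\bpric(e|ing) of\b",
    ],
}

# Constructed sample of messages captured on an approved channel: (id, sender, body).
SAMPLE_MESSAGES = [
    ("m1", "rep_a", "Need to discuss the block size on that name, text me on my cell"),
    ("m2", "rep_b", "Meeting moved to 3pm, room 4B"),
    ("m3", "rep_a", "Pricing of the XYZ bonds looks off, Whats App me"),
    ("m4", "rep_c", "Can you send the deck? my personal email is faster"),
    ("m5", "rep_b", "hmu later re the other thing"),
]

def scan(messages, lexicon=LEXICON):
    """One hit per (message, category) listing every term that matched; a red flag for review."""
    hits = []
    for msg_id, sender, body in messages:
        text = " ".join(body.lower().split())  # case-fold and collapse whitespace
        for category, patterns in lexicon.items():
            terms = []
            for pattern in patterns:
                match = re.search(pattern, text)
                if match:
                    terms.append(match.group(0))
            if terms:
                hits.append({"id": msg_id, "sender": sender, "category": category, "terms": terms})
    return hits

def extend_lexicon(lexicon, category, new_patterns):
    """Return a new lexicon with patterns added (the periodic slang/name refresh)."""
    updated = {k: list(v) for k, v in lexicon.items()}
    updated.setdefault(category, []).extend(new_patterns)
    return updated

def senders_to_escalate(hits, threshold):
    """Senders whose hit count reaches the threshold, for documented escalation."""
    counts = Counter(h["sender"] for h in hits)
    return sorted(s for s, n in counts.items() if n >= threshold)
```

Running `scan(SAMPLE_MESSAGES)` yields five hits, and adding `\bhmu\b` via `extend_lexicon` surfaces a sixth that the stale lexicon missed.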
And clear escalation policies must be followed and documented. Firms should calibrate the severity of discipline to the problem and to any recidivism shown, as disciplinary actions can send a loud message to employees and help showcase timely remedial action to regulators.
Any direct messaging from senior leadership about the importance of this issue would be helpful, so it’s not the same department or person talking about it.
Benefits to self-reporting
Of course, the panelists were not going to advise a business on whether or not to self-report. But they asked this: “Will the SEC finally catch everyone – such that you should self-report?”
As noted above, while the SEC has encouraged voluntary disclosure of recordkeeping violations, to date even those entities that have voluntarily self-reported violations have paid (albeit much lower) multi-million-dollar penalties and had to agree to the same significant undertakings regarding compliance consultants, also detailed above.
There are benefits to self-reporting in the form of decreased financial penalties, though, and reputational risk is always a concern, since unofficial channels may lack necessary security protocols, increasing the risk of reputationally damaging data breaches and client information leakage.
Plus, these cases continue to be the subject of significant news coverage, speeches, regulatory alerts and guidance, examination priorities and, as here, a compliance challenge mentioned multiple times at one regulatory compliance event.