In December 2021, JPMorgan was fined $125m by the SEC and $75m by the CFTC for failing to maintain and preserve electronic records and for failing to reasonably supervise with a view to preventing and detecting those failures.
In September 2022, 15 Wall Street firms admitted to wrongdoing and agreed to pay penalties totaling more than $1.1b for recordkeeping failures. The recordkeeping requirements that were found to be circumscribed in these enforcement orders were described as “sacrosanct” by SEC officials in their announcement of the fines they brought – penalties they meted out along with the CFTC.
And in October 2022, the SEC issued amendments to broker-dealers’ recordkeeping requirements designed to modernize the process in the light of technological change.
More recently, in May of this year, the SEC brought charges against HSBC Securities USA Inc and Scotia Capital USA Inc for the same lapses, with the Commodity Futures Trading Commission (CFTC) bringing its own claims against the latter firm.
And in early August, US regulators announced a further $549m in penalties against 11 large financial services firms for similar offenses, bringing the total fines for communications compliance breaches issued by the SEC to $1.5 billion and the CFTC to over $1 billion.
Action in US and UK
In the same month, in the UK, financial regulators were left looking flat-footed when energy regulator Ofgem issued the first UK fine for failing to keep records of trading communications – it imposed a £5.41m ($6.89m) penalty on Morgan Stanley.
The financial services industry is being pummelled left and right by the regulators on this one issue. If you thought it was dealing with its communications problem, you’d be wrong.
That “lessons-not-learned” aspect was on display in late August when the CFTC charged Goldman Sachs for not effectively retaining audio recordings over the course of several years, after being charged with the same rule violations in 2019.
Who has been fined and how much
Here’s a list of the institutions fined for recordkeeping failures involving at least some combination of texts, WhatsApp messages, and audio files, if not other communications formats, since the JPMorgan fine was reported as a wakeup call:
Institution | Fine ($) |
---|---|
Bank of America | 100,000,000 |
Bank of America Securities | 125,000,000 |
Bank of Montreal | 35,000,000 |
Bank of Nova Scotia | 15,000,000 |
Barclays | 75,000,000 |
Barclays Capital Inc | 125,000,000 |
BMO Capital Markets Corp | 25,000,000 |
BNP Paribas | 75,000,000 |
BNP Paribas Securities Corp | 35,000,000 |
Cantor Fitzgerald | 16,000,000 |
Citi | 75,000,000 |
Citigroup Financial Markets | 125,000,000 |
Credit Suisse | 75,000,000 |
Credit Suisse Securities USA | 125,000,000 |
Deutsche Bank | 75,000,000 |
Deutsche Bank Securities | 125,000,000 |
Goldman Sachs | 205,500,000 |
Houlihan Lokey Capital | 15,000,000 |
HSBC | 75,000,000* |
HSBC Securities USA | 15,000,000 |
Jefferies | 80,000,000 |
Mizuho Securities USA LLC | 25,000,000 |
Moelis & Company LLC | 10,000,000 |
Morgan Stanley | 206,800,000 |
Nomura | 50,000,000 |
Nomura Securities International | 50,000,000 |
SG Americas Securities | 35,000,000 |
SMBC Nikko Securities America | 9,000,000 |
Scotia Capital USA | 7,500,000 |
Société Générale | 75,000,000 |
UBS | 75,000,000 |
UBS Securities | 125,000,000 |
Wedbush Securities | 10,000,000 |
Wells Fargo | 200,000,000 |
* Includes fines for related offences
And here’s the full list of actions brought by the SEC, CFTC and the UK’s Ofgem.
The CEO of Global Relay, Warren Roy, said this to GRIP in January: “We called it a ‘grey area’ – a strata of unregulated communications that tied together the whole financial world. We knew this chicken was coming home to roost. And it did in the shape of the JPMorgan fine.”
Regulators show angst
CFTC Commissioner Christy Goldsmith Romero did not hold back in her statement on August 8 when her agency charged four of those financial services firms for recordkeeping lapses pertaining to business-related communications that involved some senior-level executives.
Romero said her agency was hereby “sending a strong message” and that “the illegality the CFTC found in all of these cases was disturbingly widespread, evasive, conducted by senior officials as well as those responsible for compliance, and a clear violation of the law and internal bank policies.”
She said that, “based on the serious threat that unauthorized communications platforms pose to market integrity, the CFTC is requiring an admission of wrongdoing as part of these settlements.” And she went on to press her view that “deterrence can be achieved from a defendant having to admit wrongdoing, combined with a penalty.”
Romero has had the issue in her sights for some time, saying last September: “Wall Street institutions do not get to keep regulators in the dark while enjoying all of the benefits of being a regulated entity in US financial markets.”
Will Romero’s agency and the SEC continue to compel an acceptance of wrongdoing, and is there a downside to requiring accountability in a settlement?
Janaya Moscony, president of SEC3 Compliance Consultants, says such a requirement could increase the risk of more litigation and fewer settlements. “Firms aren’t always willing to open themselves to the additional risks that come with taking accountability in a settlement and might go with the risk of being sued,” she said.
Communication platforms
To be sure, no one is questioning the use of most of these communication platforms to conduct business – certain apps notwithstanding – as they have made transacting business more expedient and efficient. If you’re over the age of 40, you will remember a time when doing business while driving in a car was not a “thing”. Today, you can do just that, work from home, work from your favourite coffee shop, all while instantly sending documents and meeting with 25 people for 10 important minutes. (Some newer car technology can also store and record data, just to make this whole discussion more complex.)
But every piece of technological advancement brings with it certain risks and a need for certain guardrails, even while embracing its further development.
US Securities and Exchange Commissioner Hester Peirce said in a podcast interview with GRIP in early August that technology has great promise for the financial services industry, albeit with limitations and challenges.
“We’ve seen recent cases in which people are using off-channel communications in ways that were not possible before. We need to encourage them to use tools to help them do their jobs better. Part of that, when you use a new tool, is to think of its limitations and its potential challenges that you need to compensate for in some other way,” she said.
Chip Jones, Global Relay’s executive Vice President of Compliance (and a former senior VP for Member Relations and Education at the Financial Industry Regulatory Authority), said there is no doubt that regulators realize this is not an easy practice to prevent.
“What regulators are now saying is implement a solution, because at least then you are offering financial professionals a compliant alternative. Regulators also want to see firms implement educational sessions for their financial professionals around the topic,” he said.
Training may be missing link
Training could be a part of the missing link, actually. A couple of the cases noted above involved the archiving technology not working as it needed to – but, worse, people not promptly noticing it. This is something that regulators take a very dim view of, hence, for example, higher fines for infractions where it was only a regulatory investigation, rather than self-reporting, that led to remedial action.
The great thing about technology is its ability to use abundant data and allow us to do something quickly with it, which leads to gains in efficiency and productivity. The worst thing about it is its ability to use abundant data and do something quickly with it, but in a way that was not intended.
It might be that people need more training on the communication and storage tech tools – or a primer on the importance of and reasons why these recordkeeping obligations exist. Or both.
It’s up to executive leadership to appreciate the need for the education element and to prioritize compliance here, setting a tone for the rest of management to convey to the employee base.
Howard Fischer, a partner at Moses Singer in New York and a former staff attorney at the SEC, agrees that businesses need to specifically plan out their approach to these communication and recordkeeping mandates and acknowledge the regulators’ lack of patience in this arena.
“To avoid being the next target, firms need to specifically task personnel with responsibility for setting policy, communicate that policy to all staff, and ensure the policy is enforced and that all relevant records are collected and preserved,” he said.
He said to criticize these settlements as a way for financial regulators to achieve public relations wins without there being evidence of fraudulent intent or harm to customers is to mischaracterize the thrust of these enforcement actions. “The cases go to the heart of the regulators’ ability to monitor financial services firms,” he said.
Personal devices, remote work, uncomfortable questions
Remember when a good number of businesses gave employees work-issued phones?
Rob Mason, Global Relay’s Regulatory Intelligence Director, wonders if the trend of having employees use their personal devices was not as well-thought-out as it could have been.
“All the banks elected to turn away from bank-issued devices (Blackberrys usually) as a reduction in cost play. This has proven to be a decision which was not thought through and the compliance implications not properly considered. Many are now needing to perform U-turns, which has obvious cost implications as well as makes the decision makers look incompetent,” he said.
The remote and hybrid work environments might be exacerbating the challenges, but they are not insurmountable.
“Right now, there is a greater onus on compliance departments to minimize the risk that they are not seeing 100% of employees’ work-related electronic communications. That takes proactive steps, and sometimes, compliance and supervisors asking unpleasant questions about the use of personal devices and apps. But that is what is needed here,” said Bradley Mirkin, managing director for Berkeley Research Group.
“Unfortunately, those are skills that are often ignored in hiring, training, reviews, and other employee evaluations,” he said. Being able to ask those compliance-related queries – “what devices and apps are you using with clients, how are you capturing them, and can you show me?” – is a compliance skill that is more critical than ever.
The human dynamics here are being underappreciated, Mirkin thinks, and he advises compliance professionals to keep those aspects in mind and be proactive rather than reactive.
Prepare now
“Firms should incorporate robust policies and procedures – and implement effective compliance and technological tools – to ensure that they are capturing and retaining business communications and are otherwise satisfying their books and records obligations,” said Ghillaine Reid, co-lead of Troutman Pepper’s Securities Investigations & Enforcement Practice in New York.
It’s the responsibility of financial institutions to ensure business-related communication occurs only through approved and supervised channels and to demonstrate they continuously reminded employees of this policy, and that reviewing communications was part of their supervision protocols.
When you get right down to it, this is not some external threat to the organization that is hard to detect or foresee. It is the nuts and bolts of internal oversight and enforcement, and nothing that the regulators are saying suggests that their enforcement actions are going to get more forgiving.
With that said, regulators are willing to call out and award cooperation credit here. In the late September 2023 round-up of cases for such recordkeeping lapses, Grewal noted about one of the six businesses being charged: “One of the orders included in today’s announced actions is not like the others. There are real benefits to self-reporting, remediating and cooperating.” This was the SEC’s lowest off-channel communications civil penalty to date, $2.5m, against a family of firms that self-reported off-channel communications. Other firms in this and other orders have settled for penalties ranging from $7.5m to $125m.
Since the regulators’ disappointment with the lack of action by firms is palpable, as are their consistent approaches to bringing enforcement actions and instituting fines, businesses should prepare for a rigorous review of their recordkeeping practices.
These actions may well lead to even more robust regulatory responses – to ensure that the fines are not simply viewed as the cost of doing business by offending institutions and that these compliance procedures are ingrained in the institutions.
Beyond policies and procedures, registrants should consider providing employee training on off-channel communications. This could include attestations at the commencement of employment and regularly thereafter that employees understand the business’s policies.
The SEC’s focus on “widespread failure in implementing” recordkeeping policies means that businesses should take care to ensure “individuals charged with supervising employees to prevent this misconduct” themselves understand and are adhering to recordkeeping policies and requirements.
And any surveillance of electronic communications within the business must capture the entire universe of relevant records, so platforms used for videoconferencing or collaborative work must be closely monitored if they contain chat capabilities – which themselves should be surveilled and retained.