On Sept. 27 the Securities and Exchange Commission and the Commodity Futures Trading Commission collectively announced a combined $1.8 billion in fines against more than two dozen Wall Street firms for failing to maintain and preserve electronic communications.
The charges stem from record-keeping failures and use of unapproved communication methods, including WhatsApp, to conduct business.
From a practical perspective, the actions provide a clear indication of the record-keeping and supervisory expectations of the SEC and CFTC and offer insight into how firms can improve compliance efforts.
These enforcement actions against broker-dealers, swap dealers, and futures commission merchants, combined with $200 million in fines issued in December 2021, bring the total for record-keeping lapses to more than $2 billion.
Given that prior fines for record-keeping failures were in the seven-figure range, these penalties coupled with mandatory remedial actions, including the engagement of third-party compliance consultants, reflect a new regulatory reality.
No Room for Ambiguity
The orders make clear that firms must maintain policies prohibiting the use of non-approved communications systems. Firms also need specific policies outlining how to maintain communications on mobile devices and personal phones.
The actions also show there is no room for ambiguity. Regardless of the platforms or devices used by employees, compliant capture, retention, and supervision of all business communications are an absolute requirement.
It is advisable to adopt a zero-tolerance posture for any policy violations.
Training and Technical Measures
It is no surprise that enhanced training requirements also form part of new regulatory expectations. The SEC and CFTC expect training to cover prohibitions on electronic communications on personal devices and include quarterly written certifications of compliance.
The regulators also signaled a much deeper interest in the technologies firms are deploying to manage compliance with record-keeping and supervision of electronic communications.
The SEC said it expects oversight of the tech solutions that are being implemented to meet the requirements of the federal securities laws. This includes ongoing assessments and a review of measures employed to track employees.
Firms must ensure that compliance technologies can capture and retain the full content and context from dynamic chat conversations on systems like Zoom, Slack, SMS, Microsoft Teams, WhatsApp, and Webex. This includes capturing emojis, GIFs, reactions, edits, deletes, and file transfers.
The ability for compliance, litigation, and investigation teams to supervise, search, and produce conversations with these details is essential. For example, oversight teams must be able to see and act on a chat containing “💸🤑 $AAPL,” “👎 😫 $AAPL,” or other complex, emoji-laden phrases that could be critical red flags triggering regulatory reporting obligations.
To meet SEC and CFTC requirements, firms should use modern compliance tools that provide comprehensive coverage for communications content, and not legacy tools built for the email age.
These fines are a canary in the coal mine for senior managers. It’s clear that senior firm executives were aware of, if not actively participating in, the prohibited use of unsupervised applications.
The CFTC claimed that at one firm a desk manager instructed three subordinates to delete messages and use the unapproved messaging app Signal when not on the desk. The commission noted the employees were also told to set their devices to auto-delete.
The SEC made similar charges about the participation of managing directors and senior supervisors.
These deficiencies show that firms must prioritize stronger cultures of compliance and clearer boundaries for senior staff. The Justice Department’s memorandum issued Sept. 15 on corporate criminal enforcement, particularly its emphasis on individual accountability, should also be considered in conjunction with these orders as another potential consequence of serious wrongdoing.
Compliance teams must strengthen the tone at the top of their organizations to ensure that senior managers are leading the way on ethical and regulatory issues. The ramifications for non-compliance, particularly when senior managers actively participate in wrongdoing, will be increasingly severe.
Finally, firms should implement ongoing reporting, supervision, and auditing controls.
Third-party compliance consultants are required to provide a one-year look-back report to the regulators about the status of any compliance initiatives. For a period of two years, firms must notify the regulators about any employee discipline related to the orders, including warnings, loss of compensation, or termination.
And each firm’s internal audit department is required to conduct a review of the effectiveness of new policies and provide the report to the regulators.
Ultimately, these orders should prompt firms to update their compliance frameworks and open up the platforms employees need for business communications by leveraging modern technologies to meet the new regulatory requirements.
Firms can achieve convenience and compliance by deploying innovative technology controls to empower employees to use their chosen communications platforms.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Marc Gilman is general counsel and vice president of compliance at Theta Lake Inc. He is also an adjunct professor at Fordham University School of Law.