Enforcement 2020: Highlights From a Regulatory Year Like No Other

Webinar Recap

January 07, 2021by Smarsh

Subscribe to the Smarsh Blog Digest

Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

This year, many organizations came to rely on collaboration and messaging tools such as Zoom, Microsoft Teams, or mobile text to conduct business virtually. The shift to remote work caused some initial disruption, but over time became the “new normal.” However, for financial services organizations, the sudden shift to primarily online business practices introduced new risks and uncertainty about regulatory obligations.

Because of the disruption, our customers have looked to us to help answer questions about regulatory expectations and how to adjust their processes to meet those obligations and manage risk. Now, as we approach a new year, we are faced with more questions about what to expect for the future of work.

We held a webinar with subject matter experts to discuss the unique regulatory environment in 2020 and what to expect in the coming year. Our presenters included:

  • Robert Cruz, Vice President of Information Governance at Smarsh, moderator of the discussion and thought leader in the areas of cloud computing, information governance, and discovery cost and risk reduction

  • Marianna Shafir, Regulatory Advisor at Smarsh, attorney, and former employee of BNY Mellon and Invesco, with expertise in the financial services industry, compliance and e-discovery

  • Brian Rubin, Partner at Eversheds Sutherland and leader of the firm’s (U.S.) litigation group and head of their Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA) and state securities enforcement practice

Their conversation touched on regulatory actions in 2020, predictions for 2021 and recommendations for being proactive and prepared for an examination in the future.

Regulators remained vigilant despite the pandemic

The SEC and FINRA did not slow down their regulatory practices in 2020. The SEC collected a record $4.7 billion in fines in their fiscal year. Of the total 405 standalone enforcement actions brought by the SEC in 2020, cases against investment advisors and investment companies represented about 21% of the total and actions against broker-dealers made up 10%.

According to numbers obtained by Eversheds Sutherland, FINRA enforcement cases increased across the board from 2019 to 2020. They issued more cases, more fines and required a higher sum of restitution money to be paid back to investors, even before the end of the fiscal year.

Throughout the year, FINRA fined brokers $5,000 to $15,000 for using their personal email accounts to conduct business. Just recently, a broker was fined $15,000 and suspended from FINRA for three months for using a personal email account to facilitate change of broker-dealer forms, when changing firms.

Personal liability for compliance officers will be a trend in 2021. This year, FINRA brought a supervision case in which a firm was fined $300,000 and the CCO was personally fined $10,000 and suspended for failure to reasonably supervise former brokers.

In the past the SEC and FINRA have brought cases for regulatory breaches, not typically for deficiencies in procedures, but 2020 was different. New areas of focus for examiners included:

  • If business operations couldn’t be performed effectively while remote
  • If a firm didn’t identify or address weaknesses in its policies or procedures
  • How firms dealt with third-party vendors and third-party providers
  • Valuation due to market volatility, for firms and investors
  • New cybersecurity issues brought on by remote work and COVID-19 related scams
  • Adherence to Regulation Best Interest (Reg BI)

In some cases, examination areas overlapped, with one presenter citing a client going through a Reg BI exam and a cybersecurity exam at the same time.

Regulators and firms continue to assess the impact of newly implemented digital communications for regulated entities and investors. The SEC and FINRA want to work with broker-dealer and investment advisor firms to be compliant so they can stay focused on their business.

Predictions for Regulation in 2021

Regulators will be focused on firms’ long-term plans for remote work
2020 centered around COVID-19 and how firms adapted to abrupt changes in their business processes. In 2021, the focus will be on how the workplace has changed for the long term. Regulators have started asking firms fundamental questions such as:

  • What modifications have you made to your policies since adjusting to a remote working environment?
  • How are you supervising your employees now?
  • How do you train your employees on new policies?

Electronic delivery of financial documents will likely become the default
The emergence of the virtual workplace may drive the SEC to update its rule and guidance for electronic delivery of financial documents, including making electronic delivery the default for all investor communications. This would shift the default delivery method from hard copies sent through the postal service to email, website, mobile applications, or text messaging, which are faster and more efficient but present new oversight and security challenges.

Supervision and recordkeeping obligations must include modern electronic communication tools
Chats, text messages, shared documents or other electronic records must be retained in compliance with applicable recordkeeping requirements. As firms have shifted to remote work and employees use various collaboration and messaging applications, this has caught the attention of regulators. They expect firms and individuals to have adjusted their policies, procedures and technology accordingly.

Artificial intelligence will go mainstream
Regulators are embracing advanced technologies like artificial intelligence to conduct exams. And while they do not require firms to use AI, they do require firms to have controls and techniques to incorporate new communications data sources. As more digital data is being generated, it becomes more difficult to rely upon lexicons or human-based systems of review. Embracing these advances in technology can have an immediate impact on compliance processes.

Policies and procedures will continue to be scrutinized
Regulators will be looking at firms’ 2021 policies and procedures versus their 2020 policies and procedures and how those policies changed in light of the pandemic and remote work. Deficiency letters or cautionary actions are likely for firms that did not update their policies when they changed the way they do business.

Recommendations for the future of work

The panelists agreed that firms should not look at where 2020 took us digitally as an anomaly, but rather as a preview of what the world will look like in the future. With this knowledge, companies should be equipped to use the communication tools that will keep them connected and productive despite major disruptions. These were some of their tips for staying proactive and ready for regulatory scrutiny in the coming year.

1. Update compliance policies. Make sure all your compliance policies and procedures are tailored to your business and allow for flexibility of workplace environment, or “work from anywhere.”

2. Update supervision policies. Supervising remote workers requires a new approach. Your documented supervision procedures must be duly updated and may require adding compliance staff.

3. Update device policies. The line between personal and business devices has blurred. Make sure you've got the appropriate policy or technology controls for mobile devices and that employees know what is allowed or prohibited.

4. Consider books and records or supervisory requirements technology-agnostic. If communications relate to your organization, it’s the content and context that are important, regardless of the communication tool that was used.

5. Plan for remote examinations. For now, examinations aren’t happening in the office. Make sure you are equipped to provide all the required communications data quickly and easily through digital means when requested.

6. Train your employees. Document and train employees on your code of conduct and communications policies on all platforms and require signed attestation once training is completed.

7. Use modern capture, archiving and supervision technology to stay agile. To maintain visibility and meet requirements, a modern communications compliance solution must enable you to capture content directly from the source and retain it with contextual details for quick search and retrieval. Your supervisory technology should help you automate policy management by precisely spotting and surfacing red flags for reviewers.

Share this post!

Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.

Get a Quote

Tell us about yourself, and we’ll be in touch right away.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Contact Us

Tell us about yourself, and we’ll be in touch right away.