Regulatory Update

Off-Channel Enforcement Update: The Value of Self-Reporting Becomes Clearer

by Robert Cruz

The SEC continues its mission to change behaviors in financial services regarding the use of unapproved communications tools.

Last week, the regulatory agency announced its most recent enforcement actions and settlements for recordkeeping violations: $81 million in total penalties across 16 financial services firms. The firms admitted that they failed to retain electronic communications on personal devices over a period from at least 2019-2020, violating the recordkeeping requirements of the federal securities laws.

While most of the language within the settlements mirrored previous actions (e.g. “widespread and pervasive,” “failure to follow-up on red flags,” and “failures to preserve records”), the announcement does raise a few questions that we’ll address here.

Are regulators finished with off-channel enforcements?

Not yet. It is not surprising that this will continue to be a top priority for the SEC, as well as the CFTC and FINRA (along with the Department of Justice, given its communications about compliance programs). Ultimately this topic is about effecting a behavioral change and unwinding a long history for many firms. Pulled by client demand or improvements in technology, new communications tools wind up in employee hands before compliance controls can be implemented.

Is enforcement working?

According to SEC Enforcement Head Gurbir Grewal, enforcement is working. As we’ve previously noted, executive teams are now fully aware of the issue. They are adjusting policies and procedures and are updating training programs.

“That was a conscious effort over the last two years to make sure penalties were having that deterrent effect,” noted Grewal, and he believes that is happening. Enforcement will remain a priority, and those that haven’t gotten the message by this point could be seeing stiffer fines and penalties.

It’s also worth noting that this only reflects the priorities of the SEC. It doesn’t reflect any change in tone from the CFTC, DOJ or regulators internationally.

What’s the value of self-reporting and cooperation?

One firm was a noticeable outlier in this latest enforcement batch, resulting in an agreement to pay a penalty of only $1.25M. Compare this to the other fines ranging from $8M to $16.5M.

The SEC highlighted the firm’s “identification and self-reporting” of widespread use of unapproved text messaging across the firm, including at senior levels. Among the actions noted in the settlement, the SEC emphasized several remedial measures taken by the firm related to recordkeeping, policy and procedure updates, and supervisory practices.

These included making an on-channel text messaging application available that enabled preservation. These steps were reported to the SEC after completing an internal investigation and continued in cooperation with the SEC.

This firm’s actions serve as a good outline of ‘reasonable steps’ expected by regulators to proactively address the issue.

Are regulators still as concerned about WhatsApp?

The issue never was about WhatsApp. It’s about a firm’s visibility into misbehavior and its ability to conduct investigations into those activities. In fact, the major theme in this latest series of actions is the use of text messaging.

What’s critical to note is the fact that this is not a new issue. WhatsApp continues to be a challenge for many firms, but be prepared for scrutiny to shift toward other tools that are preferred by clients or enable employees to be more productive. The target will continue to move.

What is FINRA’s role in enforcement?

Based upon FINRA’s recently published Annual Regulatory Overview report, off-channel related activities cut across multiple focus areas, including books and records, communications with the public, and outside business activities.

It is also worth noting FINRA’s focus on how firms are using artificial intelligence, which can ultimately be yet another unapproved communication or ‘chat’ feature embedded into existing applications. These also need to adhere to existing broker-dealer requirements. As far as concrete guidance, FINRA notes that it will adhere to a ‘risk-based’ approach and will engage with the industry in surfacing and sharing best practices with firms.

What’s the $81M lesson?

We continue to add more business justification for taking proactive steps to prepare for potential engagement with regulators and earn the “cooperation credits” seen in the recent self-reporting settlement. By continuing to explore technologies to improve visibility into patterns of misbehavior, firms can move past the lower-hanging fruit of policy and training adjustments into a stronger position to impact the behavior and culture of their businesses.
