Theta Lake Blog

Another 16 Firms Fined for Recordkeeping - Key Takeaways

Written by Stacey English | Feb 20, 2024 4:30:00 PM


An SEC investigation into the use of off-channel and unpreserved communications has led to another 16 firms being fined for recordkeeping failures. The $81m in penalties adds to the $2.6bn already levied for failures to maintain and preserve electronic communications, serving as a stark reminder that regulators’ focus on recordkeeping isn’t going away.

Pervasive recordkeeping violations were identified

The SEC’s investigations uncovered pervasive and longstanding use of unapproved or ‘off-channel’ communication at each firm, which included five broker-dealers, seven dually registered broker-dealers and investment advisers, and four affiliated investment advisers.

The failures were widespread, involving employees of all seniority levels including supervisors and senior managers. Employees sent and received off-channel communications with colleagues, customers, and other participants in the securities industry, relating to recommendations and advice given or proposed. The issues were also longstanding, dating back to at least January 2019. 

Not maintaining or preserving off-channel communications also had a direct impact on the regulator’s ability to carry out its investigations. The SEC has frequently reiterated that preserved records are the primary means by which it monitors compliance with applicable securities laws.

“.....exams have made this a priority. It’ll continue with respect to those that haven’t approved their policies and procedures and [haven’t] addressed the issue. And in those cases, the penalties may even be higher because I think now, having been on notice, you’re in a different boat.” 

Gurbir Grewal, the SEC’s enforcement division chief since 2021, said higher fines are leading, in some cases, to positive changes in behavior (article in the Wall Street Journal, December 29, 2023).


Widespread non-compliance with firms’ own policies

The investigation also found widespread and longstanding failures by firms to adhere to their own policies and procedures, including those that specifically prohibited unmonitored communications. Employees had been advised that the use of unapproved electronic communications methods was not permitted, and that they should not use personal email, chats or text messaging applications for business purposes, or forward work-related communications to unapproved applications on their personal devices. However, systems of follow-up and review hadn’t been implemented to check that supervisors were following policies or undertaking sufficient monitoring to ensure recordkeeping and communications policies were being followed.

The steps taken to remedy non-compliance 

Each firm has undertaken significant action to improve their compliance policies and procedures, including a review of recordkeeping and a program of remediation. Significant remedial action was also mandated by the regulator, bringing additional financial and operational costs including: 

  • The appointment of an independent compliance consultant to review policies and procedures relating to the retention of electronic communications and to submit a report on findings to the regulator plus a follow-up assessment one year later. 

  • A review of training, with staff certifying on a quarterly basis that they are complying with preservation requirements. 

  • An assessment of the technological solutions that firms are using to meet record retention requirements, including an assessment of the likelihood that staff will use the technological solutions going forward and a review of the measures employed to track usage of new technological solutions by personnel. 




Being proactive pays off

As with all enforcement actions, there are lessons to be learned, and the regulator gives a deliberately clear message to other firms, in line with its previous advice. The one firm that self-reported and remediated has financially and reputationally benefited from a lower penalty, as well as being positively highlighted by the regulator.

After identifying off-channel communications, the firm conducted an internal investigation and self-reported the facts to the SEC. It also initiated a program of remediation, which included strengthening policies and procedures by making investments in new technologies to improve surveillance and retention efforts; increasing training and sending firm-wide reminders on the importance of complying with recordkeeping obligations; and making an on-channel texting platform available.

The key takeaways for financial services firms:

  • Being proactive pays off: Firms are much better off finding regulatory breaches for themselves, self-reporting and remediating as quickly as possible. Whilst a firm may still be fined, the penalties imposed are likely to be substantially smaller and there is far less likelihood of individual liability.

  • Revisit communications compliance: The regulatory scrutiny and focus on all aspects of communications compliance continues unabated and firms need to consider how to facilitate, and to be able to evidence, compliant communications. Theta Lake’s annual survey report found that the vast majority of financial services firms are revisiting their approach to communications compliance, with only 6% confident in their approach.

  • Regulatory patience has run out: The background to this latest set of fines serves to reinforce the zero tolerance approach regulators are taking with regard to communications capture. Firms were found to have consistently and pervasively failed to fulfill their regulatory obligations with regard to electronic communications records capture and preservation. Equally important is the failure (with the one exception) to learn the lessons of previous enforcement and proactively consider whether they too were in breach of recordkeeping requirements.

  • Facilitate compliant communications: It is clear that the challenge of unmonitored communication channels is far from over. Firms must consider how they can open up approved platform features to both enable productivity and ensure employees are not driven to alternative off-channel platforms. 

  • It’s not just a WhatsApp issue: The consequences of unmonitored communications continue to plague firms, but it’s not just unapproved channels. Regulators will be scrutinizing all communication types. Being able to capture, and provide records from, all channels, from voice to in-meeting chat, as well as the context like emojis, GIFs, reactions, deletions etc, must be a priority for firms.

In the current regulatory climate, if firms choose to do nothing and unmonitored or unsupervised communications are found by a regulatory body, then significantly larger sanctions are likely. Indeed, given the recent regulatory rhetoric, it is entirely possible that future sanctions will include senior individual liability and accountability.

How Theta Lake can help

Backed by the investment arms of Cisco, RingCentral, Salesforce, and Zoom, Theta Lake’s multi-award winning product suite provides patented compliance and security for modern collaboration platforms, utilizing hundreds of frictionless partner integrations including RingCentral, Webex by Cisco, Microsoft 365 and Teams, Slack, Zoom, Movius, Box, Mural, Asana and more.

Theta Lake empowers organizations to safely, compliantly, and cost-effectively expand their use of unified communication platforms by enabling capture, compliant archives, and acting as an archive connector for existing archives of record across video, voice, and chat collaboration systems. Customers benefit from:

  • The ability to ensure that all aspects of messaging can be preserved, and a full audit trail provided to supervisors and regulators. For example, chat messages can be viewed in their native format over the entire history of the conversation, with full context retained including images, GIFs, emojis and reactions.

  • Searching instantly across participants, all modes of unified communication and collaboration tools, meshed conversations, and timelines in an easy to navigate search system that covers and provides full replay for voice, video, chat, email, images, emojis, files, whiteboards, and more.

  • Patented AI & ML to detect, surface, and enable actual response for regulatory, privacy, and security risks in an AI assisted review workflow with remediation and patented UCC security control integrations for protection across what is shared, shown, spoken, and typed.

  • Theta Lake’s risk and compliance suite provides an advanced security and privacy architecture named STAR3 (Secure in Transit, Access, in Redaction, Remediation, and Removal), which is SOC2 Type II certified with ISO 27001 mapping, PCI DSS certified, 17a-4 and audit trail attested, BAA supported, and undergoes regular penetration testing so our customers, partners, and regulators worldwide are confident in Theta Lake’s data and system security, integrity, and privacy.
