What does the fining of a major Wall Street firm for trade surveillance failures, the holding to personal account of the CEO of a UK bank, the impact of cyber security incidents at a pair of broker dealers and another two firms being held accountable for off-channel communications all have in common? They all represent failures of one or more aspects of upstream recordkeeping with the consequent downstream inability to meet compliance obligations.
Data protection is, and will remain, a key priority for regulated firms and regulators alike and is an even greater focus in Data Privacy Week. For companies subject to multiple overlapping global privacy regimes, there is a patchwork quilt of regulation and legislation covering the demands of government regulations regarding sensitive data and data protection, such as theEU General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).
2024 isn’t even a month old and already two U.S. regulators have updated their expectations on communications compliance. Firms need to be under no illusions - recordkeeping is, and will remain, a key regulatory focus.
Against a backdrop of $2.6bn+ fines and continuing enforcement action against both firms and individuals, U.S. regulatory expectations on communications compliance are continuing to evolve. Both the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) have updated their stance, approach and expectations as to good and better practice when it comes to communications compliance. U.S. firms in all sectors of financial services would be well advised to review and consider the updated supervisory approach.
The last couple of years have been full of headlines not only of firms being fined for failing to capture digital communications but also of firms themselves taking action against employees for breaching internal policies on the use of unmonitored channels. Wall Street firms in particular are reported to have demoted and exited personnel as well as clawing back bonuses and other remuneration for failing to adhere to the required approach to recordkeeping.
The SEC exam prioritiesfor 2024 give an essential insight into likely practices, products, and services which will be the focus of the Division of Examinations in the coming year. The priorities are those that pose emerging risks to investors or the markets, as well as examinations of core and perennial risk areas. Given the now more than $2.6bn of fines imposed for recordkeeping failures, it is fair to say that unmonitored communications channels and the incomplete capture of required records will continue to be key supervisory considerations for all U.S. financial services firms.
The U.S. Securities and Exchange Commission’s Risk Alert provides additional information regarding the Division of Examination’s risk-based approach for both selecting registered investment advisers to examine and in determining the scope of risk areas to examine. It sets out the documents and information that staff will initially request as well as additional requests for information and documents from the adviser the staff may request as the examination progresses. Firms need to be aware that electronic communications–with all of the modalities such as emojis, GIFs, additions and deletions–are specifically included in the regulator’s risk-based approach.
The U.S. Securities and Exchange Commission (SEC) and the Commodity Trading Futures Commission (CFTC) have widened their investigations and fined another series of firms for recordkeeping failures. As with previous recordkeeping breaches, the firms concerned failed to stop employees, including those at senior levels, from communicating using unapproved communication methods, including messages sent via personal text and WhatsApp. The total monetary penalties imposed is now more than $2.6bn.
Co-author:Matt Lehman, Industry Principal, Financial Services, RingCentral
The UK Office of Gas and Electricity Markets (Ofgem) has, for the first time, used its powers tofine a firm over £5.4m for failure to record and retain electronic trading communications. Between January 2018 and March 2020 the firm did not record or retain the communications made by wholesale energy traders, on privately-owned phones via WhatsApp, which discussed energy market transactions. The initial fine was £7,730,213 but as the firm admitted the breach and agreed to settle the matter, the fine was discounted by 30% and, accordingly, the penalty was reduced to £5,411,149.
