What do the fining of a major Wall Street firm for trade surveillance failures, the holding of a UK bank's CEO to personal account, the impact of cyber security incidents at a pair of broker-dealers, and another two firms being held accountable for off-channel communications all have in common? They all represent failures of one or more aspects of upstream recordkeeping, with the consequent downstream inability to meet compliance obligations.
Recordkeeping is a core competency for financial services firms. It encompasses a firm knowing what data or records it has, why it has them and where they are. It also covers keeping those records secure and unaltered. Without a comprehensive and robust approach to recordkeeping and the associated data governance, firms will simply not be able to either fulfill or evidence compliance obligations. Firms are utterly reliant on their records to be able to act on everything from responding to regulators' requests for information, meeting reporting requirements (internally as well as externally), investigating a complaint and keeping sensitive customer information secure, through to undertaking supervision and surveillance.
Trade surveillance failures
In March 2024, the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board fined a firm a combined total of $348.2m for ‘deficiencies in its trade surveillance program’ and ‘an inadequate program to monitor firm and client trading activities for market misconduct’.
The OCC civil monetary penalty and the cease and desist order highlight that the firm’s trade surveillance program was found to have operated with ‘gaps in venue coverage and without adequate data controls required to maintain an effective program.’ As a result, the firm failed to surveil billions of instances of trading activity on at least 30 global trading venues.
As part of the findings, the OCC made a key point of the need for robust data governance to be implemented as part of a swathe of required corrective actions. Critically, the firm will not be able to on-board new trading venues unless or until the examiner-in-charge provides the firm with a prior written determination of no supervisory objection.
Other corrective actions include the need to form a Compliance Committee to project manage the corrective actions and a ‘look back’ review of the data deficiencies, and the board of the firm has a series of specific responsibilities imposed on it for the oversight of the remediation.
As a root cause, the trade surveillance failures were due to a lack of upstream recordkeeping and data capture. Without the source records, the firm was incapable of undertaking the required trade surveillance.
Personal liability for bank CEO
In January 2024, the Prudential Regulation Authority fined the former CEO of a bank £118,808 for breaching three PRA Conduct Rules between March 2016 and May 2020. It was found that the former CEO failed both to act with due skill, care and diligence, and to take reasonable steps to ensure that the bank had adequate systems and controls in relation to the large exposures regime and PRA recordkeeping requirements. As part of the settlement, the former CEO has given an undertaking to the PRA that he will not in the future apply for or perform any function in relation to any regulated activity carried on by any authorized person, exempt person or exempt professional firm.
The personal liability enforcement action follows the PRA’s sanction imposed on the bank concerned, which was, in April 2023, censured for wide-ranging significant regulatory failings. These spanned breaches relating to large exposure limits, capital reporting, governance and risk controls and PRA Own Initiative Requirements (OIREQs) and, for the first time, failure to capture and retain WhatsApp messages. The seriousness of the breaches justified a fine of £8,515,000; however, since the bank is in wind-down, the PRA imposed a public censure as a warning shot to the industry more broadly.
The importance of recordkeeping was reiterated, with the regulator making plain that inadequate recordkeeping hinders a firm’s ability to prudently manage risk, and also hinders the PRA’s ability to investigate that firm. Specifically, the bank was found to have not adopted or implemented any policies and procedures in relation to the retention of business-related correspondence and records. It consequently had no formal recordkeeping policies or procedures in place to manage or retain electronic messages such as WhatsApp messages or iMessages. The PRA was clear that a CEO has a ‘crucial role’ to play in ensuring their firm meets the standards expected of it and requires the relevant individual to exercise sound judgment. The standard required of the CEO as Senior Management Function 1 ‘was consequently more exacting than for the Firm’s other SMFs and Employees.’
Cybersecurity incidents
In March 2024, the Financial Industry Regulatory Authority (FINRA) fined a pair of broker-dealers in the same group $150,000 each for failing to establish and maintain a supervisory system, including written supervisory procedures, reasonably designed to safeguard customer records and information.
The two firms self-reported cybersecurity incidents which occurred at branch offices of each firm. Both firms were on notice from prior FINRA examinations that they lacked reasonable cybersecurity controls at branch offices, with each firm having experienced numerous cyber intrusions. The intrusions allowed unauthorized third parties to gain access to customers’ nonpublic personal information including, among other things, social security numbers, dates of birth, bank account numbers, and drivers’ license information. In total, 24 cyber intrusions exposed the non-public personal information of more than 30,000 customers.
Broker-dealers are required to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” Such written policies and procedures must be reasonably designed to:
- insure the security and confidentiality of customer records and information;
- protect against any anticipated threats or hazards to security or integrity of customer records and information; and
- protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The capability to keep records and data secure and unaltered is another aspect of recordkeeping, and one which firms need to ensure is fully embedded in all of their business activities.
Yet more off-channel communications
In March 2024, the Commodity Futures Trading Commission (CFTC) fined another two firms for off-channel communications. A swap dealer was fined $6m and an introducing broker was fined $1m for failing to maintain and preserve records. The orders found that from at least 2019 to the present, both firms failed to stop employees, including those at senior levels, from communicating using unapproved communication methods, including messages sent via personal text.
Each order further finds the firm-wide use of unapproved communication methods violated each firm’s internal policies and procedures, which generally prohibited business-related communication via unapproved methods. Further, some of the supervisory personnel responsible for ensuring compliance with the firm’s policies and procedures also used unapproved communication methods to engage in business-related communications, in violation of firm policy.
Both firms were included in the 16 recently fined by the Securities and Exchange Commission for, again, the use of off-channel and unpreserved communications. The additional penalties add to the $2.6bn already levied for failures to maintain and preserve electronic communications, another crystal clear reminder of the continuing regulatory focus on recordkeeping.
Recordkeeping as core competency
All aspects of recordkeeping are an expected core competency for financial services firms. It is only with a complete, native-context, secure but accessible data set that firms can begin not only to fulfill all relevant compliance obligations but also to have insightful strategic management information. Recordkeeping and the associated required data governance can only begin with the upstream capture and retention of all relevant records and data points. With the embedding of workplace unified communication and collaboration tools, firms are fully aware of the need to enhance their ability to retain a wider range of modalities and to capture the context of the likes of emojis, GIFs and reactions. Indeed, UC providers themselves are responding to customer demand by prioritizing more ways to solve recordkeeping and supervision needs; the recent news from Zoom on its approach serves as a positive example of what firms can expect from their communication and collaboration providers. Only with recordkeeping robustly in place up front can downstream activities be effective, with proactive compliance and security able to be comprehensively assured.
How Theta Lake can help
Backed by the investment arms of Cisco, RingCentral, Salesforce, and Zoom, Theta Lake is a recognized leader in Digital Communications Governance and its multi-award-winning product suite provides patented compliance and security for modern collaboration platforms, utilizing hundreds of frictionless partner integrations including RingCentral, Webex by Cisco, Microsoft 365 and Teams, Slack, Zoom, Movius, Box, Mural, Asana and more.
Theta Lake empowers organizations to safely, compliantly, and cost-effectively expand their use of unified communication platforms by enabling capture, compliant archives, and acting as an archive connector for existing archives of record across video, voice, and chat collaboration systems. Customers benefit from:
- The ability to ensure that all aspects of messaging can be preserved, and a full audit trail provided to supervisors and regulators. For example, chat messages can be viewed in their native format over the entire history of the conversation, with full context retained including images, GIFs, emojis and reactions.
- Searching instantly across participants, all modes of unified communication and collaboration tools, meshed conversations, and timelines in an easy to navigate search system that covers and provides full replay for voice, video, chat, email, images, emojis, files, whiteboards, and more.
- Patented AI & ML to detect, surface, and enable actual response for regulatory, privacy, and security risks in an AI assisted review workflow with remediation and patented UCC security control integrations for protection across what is shared, shown, spoken, and typed.
- Theta Lake’s risk and compliance suite provides an advanced security and privacy architecture named STAR3 (Secure in Transit, Access, in Redaction, Remediation, and Removal), which is SOC2 Type II certified with ISO 27001 mapping, PCI DSS certified, 17a-4 and audit trail attested, BAA supported, and undergoes regular penetration testing so our customers, partners, and regulators worldwide are confident in Theta Lake’s data and system security, integrity, and privacy.
Ways to learn more
- Theta Lake’s Digital Communications Governance, Compliance and Security Report 2023/24 can be downloaded here
- Visit: ThetaLake.com | LinkedIn | X at @thetalake
- Join a bi-weekly 30-minute demo webinar here or request a bespoke demo today from the friendly Theta Lake team here
- Keep up to date with regulatory perspectives from Theta Lake here