The U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have fined three firms, two in the same group, for ‘widespread and longstanding’ failures by the firms and their employees to maintain and preserve electronic communications. To settle the SEC charges, both firms acknowledged that their conduct violated recordkeeping provisions and agreed to pay penalties of $15 million and $7.5m, respectively. In related actions, the CFTC brought cases against two firms in the same group for failing to maintain, preserve, or produce records, and failing to diligently supervise matters related to their businesses. The firms were fined $15 million. The CFTC also fined a firm $30 million regarding recordkeeping and supervision failures for the widespread use of unapproved communication methods.
In addition to the monetary penalties imposed, the regulators require substantive remedial actions, including the employment of compliance consultants to, among other things, conduct comprehensive reviews of the policies and procedures relating to the retention of electronic communications found on personal devices and the respective frameworks for addressing non-compliance by employees with those policies and procedures. The firms also agreed to extensive supervisory reporting obligations on the work undertaken to fulfill the required undertakings.
These fines add to the $2bn+ fines imposed for similar failings in 2022. A key factor in the reduced dollar value of the fines was the fact that the firms self-reported the off-channel communications before the regulators contacted the respective firms and the firms proactively began prompt remediation.
For one firm the proactive remedial actions included:
- clarifying application of relevant policies;
- enhancing training to reinforce the requirement to use authorized communications channels;
- providing clear messaging to employees from senior management regarding the use of unauthorized communication channels;
- enhancing surveillance protocols for investigating incidents of potential off-channel communications; and
- making significant investments in new technologies to facilitate compliant communications.
It is clear that the challenge of unmonitored communication channels is far from over. Firms must consider how they can open up approved platform features to increase productivity and employee satisfaction and reduce reliance on off-channel platforms. Firms would be very well advised to begin an internal review as a matter of urgency. If unmonitored or off-channel communications are found, they should be reported promptly to the relevant regulator and remedial action begun immediately.
How Theta Lake can help
Theta Lake’s multi-award-winning product suite provides patented compliance and security for modern communications utilizing over 100 frictionless partner integrations that include RingCentral, Webex by Cisco, Microsoft Teams, Slack, Zoom, Movius and more. It is exactly the kind of technology investment referenced in one of the firm’s own remedial actions to facilitate compliant communications.
- Theta Lake captures and compliantly archives communications including videos, voice, chat, screen share and file transfer from mobile messaging platforms to SMS and WhatsApp to enable compliance with relevant record keeping and other requirements. It also acts as an archive connector, enabling existing archives and data storage to be utilized without disruption.
- AI-enabled automated detection of potential or actual misconduct requiring reporting to the risk committee or regulator. Identified risks are surfaced in an AI-assisted review workflow providing an efficient and effective review process for compliance teams. Theta Lake has more than 85 risk detections which are pre-trained and ready for customer use with customers able to provide feedback and training on the classifiers.
- The ability to ensure that all aspects of messaging can be preserved, and a full audit trail provided to supervisors, regulators or prosecutors. For example, chat messages can be viewed in their native format over the entire history of the conversation with full context retained together with in-meeting communications and images, GIFs, emojis or reactions that change meaning and context.
- Theta Lake’s compliance suite is SOC2, Type II audited and maps controls to ISO 27001 so confidential, privileged or sensitive data can be automatically redacted to meet data privacy and other legal obligations.
Theta Lake’s regulatory and data science teams are happy to discuss any of the issues in greater detail. You can find further regulatory perspectives from Theta Lake here or you can join a weekly 30-minute demo webinar here.