Theta Lake Blog

Recordkeeping - Fines, Fines and More Fines - Another $555m for 11 More Institutions

Written by Susannah Hammond | Aug 11, 2023 3:22:38 PM

The U.S. regulators the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have, once again, fined a raft of firms for ‘widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications.’

Critically, the firms concerned admitted the facts and acknowledged that their conduct violated recordkeeping provisions. The SEC sanctioned 11 firms with combined penalties of $289m and the firms have already begun implementing the required improvements to their compliance policies and procedures. The CFTC sanctioned 4 firms and a separately a futures commission merchant for recordkeeping and supervision violations with combined penalties of $266m and again the firms are undertaking the specified remedial actions.

The latest round of fines means that since December 2021, the CFTC has imposed $1.091 billion in civil monetary penalties on 18 financial institutions for their use of unapproved methods of communication, in violation of CFTC recordkeeping and supervision requirements. In addition, the SEC has, to date, brought 30 enforcement actions and ordered over $1.5 billion in penalties for violation of recordkeeping provisions. The issue remains a key regulatory priority with total fines now imposed for off-channel communications sitting at over $2.5bn.


Regulatory patience has run out

The baseline facts of the enforcement actions are similar with each firm having failed for a number of years to stop its employees, at multiple levels of authority including those at senior levels, from communicating both internally and externally using unapproved communication methods, with messages sent on personal devices, including iMessage, WhatsApp, and Signal. 

Specifically, the firms did not maintain or preserve the substantial majority of these off-channel communications. Among other things, by failing to maintain and preserve required records, the firms would not have been able to provide the records promptly to the regulators when requested. 

The regulatory commentary around the recent swathe of fines shows that supervisory patience has run out. From the SEC’s perspective:

“Compliance with the books and records requirements of the federal securities laws is essential to investor protection and well-functioning markets. To date, the Commission has brought 30 enforcement actions and ordered over $1.5 billion in penalties to drive this foundational message home. And while some broker-dealers and investment advisers have heeded this message, self-reported violations, or improved internal policies and procedures, today’s actions remind us that many still have not,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “So here are three takeaways for those firms who haven’t yet done so: self-report, cooperate and remediate. If you adopt that playbook, you’ll have a better outcome than if you wait for us to come calling.”

And from the CFTC - Commissioner Christy Goldsmith Romero:

“Wall Street institutions do not get to keep regulators in the dark while enjoying all of the benefits of being a regulated entity in U.S. financial markets.  Those choosing to participate in U.S. financial markets are on notice - the era of evasive communications practices is over. The CFTC will hold you accountable. It’s time for Wall Street to stop waiting for an enforcement action before it changes its practices. Tone at the top must change on Wall Street. Change can only happen if the banks’ C-suite establishes a culture of compliance over evasion.”

The point was made even more succinctly by CFTC’s Director of Enforcement Ian McGinley:

“The Commission’s message could not be more clear—recordkeeping and supervision requirements are fundamental, and registrants that fail to comply with these core regulatory obligations do so at their own peril.”

The warnings could not be clearer. If you as a firm have not already begun reviewing whether unapproved communication methods are being used in your business then you need to start as a matter of urgency.  


Proactivity pays

There are already examples of the benefits of proactively reviewing off-channel communications and the completeness of recordkeeping. In May 2023 there was a small cluster of fines with the SEC and the CFTC fining three firms, two in the same group for ‘widespread and longstanding’ failures by the firms and their employees to maintain and preserve electronic communications. To settle the SEC charges, both firms acknowledged that their conduct violated recordkeeping provisions and agreed to pay penalties of $15 million and $7.5m, respectively. In related actions, the CFTC brought cases against two firms in the same group for failing to maintain, preserve, or produce records, and failing to diligently supervise matters related to their businesses. The firms were fined $15 million. The CFTC also fined a firm $30 million regarding recordkeeping and supervision failures for the widespread use of unapproved communication methods.

A key factor in the substantially reduced dollar value of the fines was the fact that the firms self-reported the off-channel communications before being contacted by the regulators and the firms proactively began prompt remediation.

For one firm the proactive remedial actions included:  

  • clarifying application of relevant policies; 
  • enhancing training to reinforce the requirement to use authorized communications channels; 
  • providing clear messaging to employees from senior management regarding the use of unauthorized communication channels; 
  • enhancing surveillance protocols for investigating incidents of potential off-channel communications; and 
  • making significant investments in new technologies to facilitate compliant communications.

Facilitating compliant communications

It is clear that the challenge of unmonitored communication channels is far from over. Firms must consider how they can open up approved platform features to increase productivity and employee satisfaction and reduce reliance on off-channel platforms. To repeat, firms would be very well advised to begin a wide-ranging internal review as a matter of urgency. If unmonitored or off-channel communications are found then it should be reported promptly to the relevant regulator and remedial action begun immediately. If firms choose to do nothing and unmonitored communications are found by a regulatory body then significantly larger sanctions are likely.

How Theta Lake can help

Theta Lake’s multi-award winning product suite provides patented compliance and security for modern communications utilizing over 100 frictionless partner integrations that include RingCentral, Webex by Cisco, Microsoft Teams, Slack, Zoom, Movius and more. In addition:

  • Theta Lake captures and compliantly archives communications including videos, voice, chat, screen share and file transfer from mobile messaging platforms to SMS and WhatsApp to enable compliance with relevant record keeping and other requirements. It also acts as an archive connector, enabling existing archives and data storage to be utilized without disruption. 
  • AI-enabled automated detection of potential or actual misconduct requiring reporting to the risk committee or regulator. Identified risks are surfaced in an AI-assisted review workflow providing an efficient and effective review process for compliance teams. Theta Lake has more than 85 risk detections which are pre-trained and ready for customer use with customers able to provide feedback and training on the classifiers. 
  • The ability to ensure that all aspects of messaging can be preserved, and a full audit trail provided to supervisors, regulators or prosecutors. For example, chat messages can be viewed in their native format over the entire history of the conversation with full context retained together with in-meeting communications and images, GIFs, emojis or reactions that change meaning and context. 
  • Theta Lake’s compliance suite is SOC2, Type II audited and maps controls to ISO 27001 so confidential, privileged or sensitive data can be automatically redacted to meet data privacy and other legal obligations. 

Ways to learn more:

  • You can find further regulatory perspectives from Theta Lake here
  • Get our guide: “Smart Compliance Capture Considerations for Unified Communications” which outlines a buyer's checklist to use when evaluating recordkeeping and capture solutions.
  • Join a weekly 30-minute demo webinar showing Theta Lake’s Smart Capture solution by registering here