The UK Office of Gas and Electricity Markets (Ofgem) has, for the first time, used its powers to fine a firm over £5.4m for failure to record and retain electronic trading communications. Between January 2018 and March 2020, the firm did not record or retain communications about energy market transactions that wholesale energy traders made via WhatsApp on privately owned phones. The initial fine was £7,730,213, but as the firm admitted the breach and agreed to settle the matter, the fine was discounted by 30% and the penalty was accordingly reduced to £5,411,149.
Ofgem’s powers come from the Enforcement Regulations, which give the regulator the power to monitor, investigate, enforce, and sanction. Regulation 8 of the Enforcement Regulations sets out the legal requirement on market participants to record and retain records. Specifically, it requires wholesale energy market participants to take reasonable steps to ensure that any electronic communications about trading wholesale energy products are recorded and retained, and to take reasonable steps to prevent electronic communications taking place which cannot be recorded.
The breach came to light when the regulator made information requests to which the firm was unable to respond. The subsequent investigation found that the firm had policies in place which prohibited the use of non-approved messaging systems for firm business, and that the firm ‘took some steps to try and ensure the policy was conveyed to employees.’ The measures included:
However, the firm did not take sufficient reasonable steps to ensure compliance with its own policies and the requirements of the regulations. In particular, the firm was found to have failed to take reasonable steps to monitor compliance with its policy on the use of non-approved messaging systems and did not assess the risks of non-compliance with its policies.
The firm also did not find the breach itself. It was only after the regulator had identified that wholesale energy product traders had used WhatsApp to make relevant communications that the firm took steps to address it. The regulator acknowledges that, after this happened, the firm ‘did take the discovery of the issue seriously and took action in response’.
The steps the firm took to remedy its non-compliance included:
“This fine sends a strong message to market participants that they must comply with all REMIT rules or face enforcement action. It is unacceptable that [the firm] failed to prevent electronic communications which could not be recorded or retained. It risks a significant compromise of the integrity and transparency of wholesale energy markets. We welcome the steps [the firm] has taken to
As with all enforcement actions, there are lessons to be learned and, in this instance, a deliberately strong message to other energy market participants. There are two key aspects to the lessons to be learned.
First, it is not enough simply to have policies in place, even if employees have signed or certified that they will comply. Firms must also have systems and controls in place to monitor that policies and procedures are not only operating as intended but are also effective.
The other element is root cause analysis: reviewing whether a similar breach could be happening elsewhere. The enforcement notice states that the firm launched ‘an internal investigation into the use of WhatsApp and other non-approved messaging systems.’ The extent of that review is not known, but two or so years after the resolution of the breaches in the UK energy trading desk, a firm in the same group was one of many fined by U.S. regulators for, again, unmonitored communications between at least January 2018 and September 2021.
When a breach or failure has occurred, firms would be very well advised to undertake the widest possible review to see whether the issue could arise or has arisen elsewhere. Any root cause analysis should, ideally, not be limited by geography or legal entity but should instead step back and look at where else in a firm or group similar misconduct could arise.
Firms are much better off finding regulatory breaches for themselves, self-reporting and remediating as quickly as possible. Whilst a firm may well still be fined, the penalties imposed are likely to be substantially smaller and there is far less likelihood of individual liability.