Financial firms should see enforcement actions as learning opportunities. The Securities and Exchange Commission (SEC) and other regulatory bodies enforce steep fines and penalties to send a clear message and deter future violations. As a result, they expect firms within the industry to pay attention and adapt their compliance programs accordingly.
With that in mind, we’re continuing our blog series, “what went wrong,” in which we cover recent enforcement actions and what your firm can do to avoid the same mistakes.
In our previous enforcement action blog post, we talked about an insider trading violation involving a chief compliance officer (CCO). Today, we’re focusing on the recent slew of charges the SEC filed against eleven financial firms for allegedly violating the SEC’s recordkeeping requirements and what firms can learn from these charges.
The case: Violations of the SEC’s recordkeeping requirements
On Aug. 8, 2023, the SEC charged 11 firms for violating the SEC’s recordkeeping requirements. The charges were made against ten firms in their capacity as broker-dealers and another firm that operated dually as a registered broker-dealer and an investment adviser. The SEC alleges that these firms committed widespread and longstanding failures to maintain and preserve electronic communications.
According to the SEC:
- The Commission’s investigation uncovered pervasive and longstanding “off-channel” communications at all 11 firms.
- The firms admitted that since 2019 at least, their employees often communicated through various messaging platforms on their personal devices, including iMessage, WhatsApp and Signal, about the business of their employers.
- The firms did not maintain or preserve the substantial majority of these off-channel communications.
- By failing to maintain and preserve required records, these firms likely deprived the SEC, in various SEC investigations, of off-channel communications that might have been necessary to perform a thorough exam.
- These failures involved employees at multiple levels of authority, including supervisors and senior executives.
The firms acknowledged that their conduct violated recordkeeping provisions of the federal securities laws, admitted the facts set forth in their respective SEC orders, agreed to pay $289 million in combined penalties and have begun implementing improvements to their compliance policies and procedures to address these violations.
In addition to the significant financial penalties, each firm was ordered to cease and desist from future violations of the relevant recordkeeping provisions and was censured. The firms also agreed to retain independent compliance consultants to, among other things, conduct comprehensive reviews of their policies and procedures relating to the retention of electronic communications found on personal devices and their respective frameworks for addressing non-compliance by their employees with those policies and procedures.
What can your investment firm do to avoid violating the SEC’s recordkeeping rule?
Director of the SEC’s Division of Enforcement Gurbir S. Grewal said, “Compliance with the books and records requirements of the federal securities laws is essential to investor protection and well-functioning markets. To date, the Commission has brought 30 enforcement actions and ordered over $1.5 billion in penalties to drive this foundational message home. And while some broker-dealers and investment advisers have heeded this message, self-reported violations or improved internal policies and procedures, today’s actions remind us that many still have not. So here are three takeaways for those firms who haven’t yet done so: self-report, cooperate and remediate. If you adopt that playbook, you’ll have a better outcome than if you wait for us to come calling.”
Here are some steps your firm can take:
- Establish comprehensive and clear policies outlining recordkeeping requirements for electronic communications and personal devices.
- Provide ongoing training to employees about recordkeeping obligations and the proper use of communication platforms.
- Establish strong supervision mechanisms to monitor and review employee communications, especially those occurring on personal devices.
- Invest in advanced technology solutions that enable the capture, retention and archiving of electronic communications across various platforms. This technology should also monitor communications and flag any potential violations to ensure timely intervention.
- Explicitly specify within your firm’s policies and procedures and during training which communication platforms are prohibited for discussing business matters, especially those on personal devices.
- Develop and enforce policies that address the use of personal devices for business communications and ensure compliance.
- Conduct regular audits of communication practices and recordkeeping procedures to identify and rectify any potential issues.
- Hold employees accountable for adhering to recordkeeping policies, with consequences for violations.
Complying with COMPLY
COMPLY offers regulatory compliance solutions to help firms like yours avoid recordkeeping violations. From consulting to technology, COMPLY provides a comprehensive suite of solutions to help your firm proactively identify and mitigate compliance risks.
Considering regulators’ intensity toward rule violations, now is the time to lean into your resources and away from potential violations. Learn more about the COMPLY consulting services and solutions and how we can help your firm avoid violations, prepare for regulatory changes, update your policies and procedures and more!