The Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) announced fines totaling more than $1.8 billion against several firms as a result of staff discussing deals and trades on personal devices and apps.
It’s reported that a sweeping probe by the SEC and CFTC uncovered that employees of these financial institutions routinely communicated about business matters by texting on their personal devices or using messaging applications such as WhatsApp.
The SEC and Wall Street’s self-regulatory body, the Financial Industry Regulatory Authority (FINRA), require that broker-dealers and other financial institutions preserve business communications. To do this effectively, many financial firms ban the use of personal email, texts, and other social media channels for work purposes.
The probe found that the financial institutions charged did not preserve the majority of those conversations on personal devices. In addition, some firms knowingly deleted conversations on WhatsApp to evade oversight. That impedes the agencies’ ability to oversee financial markets and ensure compliance with key regulations.
Recordkeeping requirements are “sacrosanct”
In an SEC press release issued September 27, 2022, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said, “Today’s actions – both in terms of the firms involved and the size of the penalties ordered – underscore the importance of recordkeeping requirements: they’re sacrosanct. If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened … Other broker-dealers and asset managers who are subject to similar requirements under the federal securities laws would be well-served to self-report and self-remediate any deficiencies.”
Convenience vs. Compliance
Technology has progressed and people have become so reliant on texting and instant communications in their day-to-day lives that it has become second nature at work. The challenges of the pandemic and working from home only added to this issue. As I wrote in a previous blog post, when companies embrace remote and hybrid workforces, the impact on regulatory compliance will be significant. More casual conduct increases the compliance risk, and this is exacerbated by the influx of new devices and communications channels.
Recordkeeping rules have been put in place for significant, fundamental reasons. Secure communication platforms and compliance with recordkeeping requirements are necessary to guard against wrongdoing. In some of the firms that were fined, this problem of off-channel communications was called “pervasive” and extended to the highest-level company executives. These fines send a strong message to financial firms to pay attention to these rules and enforce compliance around the storage of written communication.
The Tech Behind the Messages
According to an article in Computerworld, “Bring your own device (BYOD) policies have long been the norm among financial services firms, but data privacy laws such as SEC Rule 17a-3 & 17a-4, the Dodd-Frank Act, Sarbanes-Oxley, FINRA rules, MiFID II, CCPA, and GDPR all require regulated industries to archive business-related communications in a secure and reliable server or face significant penalties and fines – or even class action lawsuits.”
In the days when email was the primary way to communicate, the problem was less pervasive because corporate email servers could automatically store communications and archival software could provide search tools. However, using consumer messaging apps in regulated industries presents complex challenges for IT, HR, corporate governance, and compliance teams, which is a reason why many firms prohibit their use. These “shadow communications” can risk massive damage to a firm’s finances and reputation.
Michela Menting, a research director with ABI Research, comments, “It invites corruption, market manipulation, securities fraud, and other unscrupulous behavior that ultimately leads to financial crises, recessions, etc. So, regulatory bodies like the SEC and CFTC must impose very stringent regulations and compliance requirements to maintain market integrity.”
The importance of recordkeeping rules such as SEC Rule 17a-4
One of these recordkeeping requirements is SEC Rule 17a-4, which details stringent requirements on how electronic data is stored. SEC Rule 17a-4 is part of the U.S. Securities Exchange Act of 1934, which outlines requirements for data retention, indexing, and accessibility for companies that deal in the trade or brokering of financial securities, such as stocks, bonds, and futures.
Broker-dealers are required by this rule to retain a designated third party (D3P), such as NCC Group, who can access electronically stored information for the SEC’s review. This rule exists so that the SEC can rely on this designated third party for access if a broker-dealer is unwilling or unable to comply with sharing their records.
Banks, financial firms, insurance agencies, and investment advisors that are registered with the SEC or FINRA as broker-dealers must be compliant with SEC Rule 17a-4. If a broker-dealer faces an audit by FINRA, and they have proactively set up a D3P compliance service, they can easily demonstrate that they’ve met this requirement with detailed audit and test reports and a system configuration plan. While this rule is currently under review, huge fines such as these are motivation to never ignore compliance requirements.
The SEC and CFTC are serious about compliance for good reason. Recordkeeping rules have been established to ensure financial firms have oversight since bypassing these rules opens the door to wrongdoing and misconduct. Broker-dealers should be proactive in their efforts to be able to prove compliance with the required recordkeeping rules – to both avoid hefty fines and to operate in a legal and ethical manner.