By ordering more than $1.1 billion in penalties against the world’s largest banks and brokerages based on admissions of willful violative conduct, the Securities and Exchange Commission (SEC) forcefully emphasized the message that neither technological evolution of electronic messaging and communication nor remote work trends in the COVID-era shall excuse any registered securities participants from the critical recordkeeping provisions of the federal securities laws.
On September 27, 2022, the SEC released eleven nearly identical orders against Deutsche Bank Securities Inc., Barclays Capital Inc., Citigroup Global Markets Inc., BofA Securities Inc., Merrill Lynch, Pierce, Fenner & Smith Incorporated, Goldman Sachs & Co. LLC, Jefferies LLC, Morgan Stanley & Co. LLC and Morgan Stanley Smith Barney LLC, Nomura Securities International Inc., Credit Suisse Securities (USA) LLC, Cantor Fitzgerald & Co., UBS Financial Services Inc. and UBS Securities LLC with findings of willful violations of the communication preservation requirements of Section 17(a) of the Exchange Act of 1934 (Exchange Act) and Rule 17a-4(b)(4) as well as violations of Section 15(b)(4)(E) for failing to reasonably supervise that arise “out of the widespread and longstanding failures” of the firms to maintain or preserve a substantial majority of brokerage related “off-channel” written communications “pervasive…at all seniority levels.”
Concurrently, each of the firms and their respective banks registered with the Commodity Futures Trading Commission (CFTC) as Futures Commission Merchants (FCMs) and swap dealers consented to orders issued by the CFTC to settle charges for related recordkeeping and supervision violations under the Commodity Exchange Act (CEA). The firms generally admitted to “widespread and longstanding use of unapproved communication methods” by “employees at all levels of authority,” such as personal email, SMS, WhatsApp and Signal messages on personal devices, and acknowledged that their conduct failed to maintain, preserve and produce records under the CEA and CFTC recordkeeping requirements and that they failed to implement a diligent supervisory system to ensure compliance with such recordkeeping requirements. The CFTC orders resulted in $711 million in penalties collectively, a cease and desist order from further violations of the recordkeeping and supervision requirements and a requirement to engage in specified remedial undertakings.
Although the orders note the firms’ cooperation and prior remediation, which typically mitigate penalties, the severity of the monetary penalties, the demand for admissions to the facts and willful violations of federal securities law as a condition of settlement, and the extent of the undertakings discussed below reflect the SEC’s long-standing view that recordkeeping provisions are critical to the implementation, enforcement and monitoring of the SEC’s investor protection function, as the preserved records are the primary means of monitoring compliance with applicable securities laws.
The SEC has routinely stated that without “the proper recordkeeping and surveillance, it might be impossible for the Commission or the self-regulatory organizations to prevent or even detect the perpetration of fraud against public investors.”
In announcing the orders, SEC Chair Gary Gensler said that recordkeeping is “vital to preserve market integrity. As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.”
Thus, while under the previous administration the SEC followed a standard practice of allowing respondents to settle charges without admitting liability, but agreeing not to publicly deny the allegations, under Gensler’s watch and enforcement led by Grewal, these orders are demonstrative of the SEC’s announcement that it will seek admissions of wrongdoing in cases where it deems heightened accountability and acceptance of responsibility are in the public interest. SEC Enforcement clearly sought to “deliver a straightforward message to registrants” by the “firms involved and the size of the penalties ordered” to prevent further pervasive violations of recordkeeping rules.
While the SEC orders lack significant details, the CFTC orders provide some interesting color that may shed light on the demand for accountability and the severity of penalties. For example, after the CFTC brought to Bank of America’s attention the potential use of unapproved communication methods by the head of one of its trading desks that directed traders to routinely delete business-related messages from their personal devices, the same head of the trading desk “instructed three of his subordinates to delete messages from their personal devices and to communicate via the unapproved messaging application Signal when off the Desk, and to have such communications set to auto-delete” as well as making similar requests to third-party brokers. Similarly, with Nomura and its traders aware of the CFTC investigation into unapproved communication methods, after a senior trader in Japan received a request to preserve communications on his personal device, “he deleted messages that were responsive to the preservation request,” “made false statements to the Commission about his compliance with the preservation request” and “encouraged others on the desk to delete messages.” Additionally, certain other “Nomura traders intentionally deleted certain of their personal device communications after receiving” similar preservation requests.
In addition to the steep monetary penalties, both the SEC and CFTC ordered the banks and brokerages to cease and desist from further violations of the recordkeeping and supervision requirements. The orders also required the firms to perform comprehensive reviews, assessments and reporting, to adopt recommended changes in or improvements to their policies and procedures, and to undergo a subsequent reassessment and evaluation of the implemented changes and improvements after one year, and they imposed other conditions for the next couple of years. The firms were required to engage an acceptable compliance consultant with duties and roles comparable to a public officer of the government, including that the engagement agreement must restrict the consultant from entering into any employment, attorney-client relationship or other professional relationship for two years after service – comparable to rules of professional conduct applicable to government attorneys (such as SEC enforcement staff). Further, the firm shall not have the authority to terminate or substitute the compliance consultant without prior approval by the SEC. In order to satisfy the following conditions and deadlines, the firms must cooperate fully and provide access to files, books, records, and personnel:
- Within 90 days, the compliance consultant shall conduct a comprehensive review and assessment, including: policies, procedures and training related to preservation of electronic communication, including personal, cellular phones; surveillance program measures to ensure ongoing compliance; technological solutions implemented and measures to track employee usage; and the framework adopted to address non-compliance by personnel, such as the corrective action, types of penalties and consistency of application across business lines and seniority.
- 45 days after the review, the compliance consultant shall submit a detailed written report of the findings to the SEC and the firm, including recommendations for changes in or improvements to the policies and procedures, and a plan for implementation.
- 90 days after the report, the firm shall adopt all recommendations contained in the report (or propose alternatives if considered unduly burdensome, impractical, or inappropriate), including ensuring personnel certify in writing on a quarterly basis compliance with the preservation requirements.
- After one year, an evaluation and report shall be provided to the SEC on the preservation of electronic communications and the firm’s progress.
- Each firm shall separately assess the progress under its Internal Audit function and shall report its findings to the SEC.
- For two years, the firm shall notify the SEC as to any related discipline imposed, including written warnings, loss of any pay, bonus, or incentive compensation, or the termination of employment, related to such recordkeeping policies and procedures (prior to filing any Form U-5 or otherwise within 10 days).
To some extent, the magnitude of the orders could be expected, as certain actions of the SEC have demonstrated a building trend and focus over the last several years on the use of new forms of electronic communications through applications like WhatsApp, Signal, and Telegram, which allow users to send messages using end-to-end encryption, prevent third parties from accessing or preserving the data, and include the ability to send “self-destructing” messages.
In 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert to registered investment advisers under the Investment Advisers Act of 1940 (Advisers Act) following a similar sweep investigation in 2017 “designed to obtain an understanding of the various forms of electronic messaging used by advisers and their personnel, the risks of such use, and the challenges in complying with” the Advisers Act. Therein, the SEC staff focused on electronic communications that were not conducted through a firm’s e-mail system, including text messaging, instant messaging, personal e-mail and personal or private messaging both on the adviser’s corporate systems, third-party systems and personal devices.
Almost two years ago to the day, JonesTrading Institutional Services LLC consented to a $100,000 penalty without admitting or denying the findings, based on its registered representatives’ exchange of business-related text messages with each other, customers, and other third parties, with the knowledge of senior management, who themselves used text messaging for business.
In 2021, the SEC alerted participants of the technology trends and risks to recordkeeping in its annual examination priorities.
Finally, in December 2021, J.P. Morgan Securities LLC consented to an order, with admissions of willful violations, which resulted in similar undertakings, cease and desist orders, censure and a $125 million penalty, initially arising after the SEC noticed the firm failed to produce text messages in an ongoing matter and failed to search for records contained on personal devices in response to numerous SEC subpoenas for documents and records requests.
Based on the buildup to these orders, broker-dealers and investment advisers should not sit idly by hoping that these recent SEC and CFTC enforcement actions based on the use of unapproved personal messaging platforms for communication and the corresponding recordkeeping obligations are the end of the story.
Firms should review their compliance procedures, technology vendors, surveillance systems, training and systems of follow-up and review to determine compliance by personnel and their supervisors. Generally, firms should review in detail and consider the compliance undertakings in the SEC orders as a high-level roadmap for internal review, audit and areas of focus for necessary changes and improvements.
Finally, if the internal review uncovers significant compliance gaps and material deviations from recordkeeping requirements, after any necessary remediation efforts are underway, firms may want to discuss with counsel the potential risks and benefits of self-reporting any violations. For example, if the firm anticipates the SEC will ultimately uncover the potential wrongdoing, either by examination, investigation or by whistleblower, the firm may determine it is preferable to voluntarily self-report. In announcing the SEC orders, Enforcement stated, “other broker dealers and asset managers who are subject to similar requirements under the federal securities laws would be well-served to self-report and self-remediate any deficiencies.”
The SEC encourages cooperation and offers substantial benefits to individuals and companies choosing to pursue that path with initial factors for cooperation credit provided in the Seaboard Report from 2001. Similarly, FINRA announced a policy rewarding leniency for self-reporting in its Regulatory Notice 19-23.
Although evolving technologies will always present new challenges for compliance and supervision, proactive review and assessment, as well as timely adoption of responsive practices and procedures, will mitigate the risk of enforcement.
These recent enforcement actions are likely not the end of the story, but rather a warning shot to broker-dealers and investment advisers of potential future investigations and enforcement actions.
Brett Evans, principal with Evans Law PC, delivers experience in securities, corporate, mergers and acquisitions, energy and tax law with his securities career beginning in 1995. Evans counsels various financial industry participants in securities offerings, litigation, broker-dealer and investment adviser regulation, state, federal and self-regulatory enforcement as well as a diverse range of transactional matters.
This article is intended to be informational only and does not constitute legal advice regarding any specific situation by the author or Evans Law PC. The opinions expressed herein are solely those of the author and do not necessarily reflect any opinion of The DI Wire.