Firms re-evaluating supervision and technology as SEC levies over $1.1 billion in fines

Firms that rely on employee attestations, training and current methods of communications surveillance to shield them from liability for employees’ unapproved use of off-channel communications should think again. Despite having policies and procedures, collecting employee attestations, providing training, and monitoring and archiving approved forms of communication, sixteen firms (including fifteen broker-dealers and dual registrants and one investment adviser) were censured and fined, and agreed to engage an independent compliance consultant, among other undertakings, for violations of recordkeeping provisions of the Securities Exchange Act of 1934 and the Investment Advisers Act of 1940 and failure to reasonably supervise with a view to detecting and preventing these violations1.

In September 2021, the Securities and Exchange Commission (SEC) launched the Broker-Dealer Off-Channel Communication Initiative to investigate the retention of business-related communications using personal devices. In an October 6, 2021 speech, “PLI Broker/Dealer Regulation and Enforcement 2021,”2 the SEC’s Division of Enforcement Director Gurbir Grewal stated, “You need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps.”

The Commission’s examinations pursuant to the Initiative revealed widespread and pervasive failures by the vast majority of sampled employees at the sixteen firms involved. These failures were committed by employees of all levels, including those in supervisory capacities, often by using texting and messaging apps on personal devices such as WhatsApp and Signal. These methods of communication were not approved for business-related communication, were not properly retained, and thus were not included in documents supplied during regulatory examinations.

In addition to a combined $1.1 billion in fines, the firms agreed to engage independent compliance consultants and conduct comprehensive reviews of their policies and procedures relating to the retention of electronic communications found on personal devices and their respective frameworks for addressing non-compliance by their employees with those policies and procedures. Of special note are the requirements to conduct reviews of the technological solutions that firms utilize to meet the record retention requirements, including an assessment of the likelihood that firm personnel will use the technological solutions and how firms will track employee usage of such technologies. Leading communications archiving vendors continuously add functionality to capture messages from new and emerging platforms and most can work with text messages, instant messages, social networks and much more. Another vendor, Telemessage, specializes in capturing WhatsApp, WeChat and Signal communications.

Firms should conduct a thorough review to ascertain the adequacy and effectiveness of current technologies being used and take immediate steps to remedy any discovered weaknesses. As Deputy Director of Enforcement Sanjay Wadhwa warned, “These actions deliver a straightforward message to registrants: You are expected to abide by the Commission’s recordkeeping rules. The time is now to bolster your record retention processes and to fix issues that could result in similar future misconduct by firm personnel. In line with this first-of-its-kind group resolution and our December 2021 settlement with J.P. Morgan Securities LLC, the staff will continue its efforts to enforce compliance with the Commission’s essential recordkeeping requirements.”3