Welcome to the website of Ruddy Gregory, PLLC

ENFORCEMENT—SEC, CFTC again crack down on widespread failures to keep records of electronic comms - 09 August 2023

The agencies are hammering home the point that unapproved business communications on personal devices are recordkeeping failures that can impede investigations.

Over a dozen firms have settled SEC and CFTC charges for pervasive failures to keep records of "off channel" communications. The SEC ordered civil penalties totaling $289 million against 11 firms, and the CFTC $260 million against four financial institutions, for longstanding and widespread recordkeeping failures associated with employees' use of unapproved electronic communication methods. Both agencies noted that these actions underscore the importance of recordkeeping and supervision requirements. Gurbir S. Grewal, the SEC's Enforcement head, warned that many firms are still not in compliance: instead of waiting for regulators to catch you, it's better to "self-report, cooperate and remediate."

Off-channel communications. Both the SEC and CFTC brought charges arising from the same type of conduct. In each case, during an investigation, agency personnel discovered employee use of unapproved communications methods to discuss firm business. For several years—since at least 2019 in the case of the firms sanctioned by the SEC—employees used various messaging platforms, such as iMessage and WhatsApp, on their personal devices to communicate about their employers' business matters. Unless an individual employee took steps to comply, messages sent on personal devices were not monitored, subject to review, or archived. Employees at multiple levels of authority were involved in these failures, including supervisors and senior executives.

Failure by the firms to maintain or preserve most of these off-channel communications was not only a violation of the agencies' recordkeeping requirements, but also a violation of firm policies against the use of personal devices and concerning the retention of records. The use of unapproved communications channels also creates cybersecurity and privacy risks to customers.

Above all, both agencies stressed that the recordkeeping failures impacted their ability to carry out investigations. "Recordkeeping failures such as those here undermine our ability to exercise effective regulatory oversight, often at the expense of investors," said Sanjay Wadhwa, the SEC's Deputy Director of Enforcement. CFTC Commissioner Kristin Johnson suggested that the uncovered violations are "the proverbial tip of the iceberg," adding that firms must "inculcate a culture of compliance at all levels of their organization to mitigate the risks posed by unauthorized use of chat and text platforms."

Sanctions. The CFTC found that the respondents violated CEA provisions and Commission regulations covering recordkeeping and supervision requirements. The SEC charged the broker-dealer respondents with violating certain recordkeeping provisions of the Exchange Act and with failing to reasonably supervise. Wedbush Securities Inc., a dually registered broker-dealer and investment adviser, was additionally charged with violating certain recordkeeping and supervisory provisions of the Investment Advisers Act. The respondents are:

Wells Fargo Securities, LLC, Wells Fargo Clearing Services, LLC, and Wells Fargo Advisors Financial Network, LLC—SEC: $125 million penalty;
BNP Paribas Securities Corp.—SEC: $35 million
SG Americas Securities, LLC—SEC: $35 million
BMO Capital Markets Corp.—SEC: $25 million
Mizuho Securities USA LLC—SEC: $25 million
Houlihan Lokey Capital, Inc.—SEC: $15 million
Moelis & Company LLC—SEC: $10 million
Wedbush Securities Inc.—SEC: $10 million
SMBC Nikko Securities America, Inc.—SEC: $9 million
BNP Paribas S.A. and BNP Paribas Securities Corp.—CFTC: $75 million
Société Générale SA and SG Americas Securities, LLC—CFTC: $75 million
Wells Fargo Bank NA and Wells Fargo Securities LLC—CFTC: $75 million
Bank of Montreal—CFTC: $35 million

An ongoing issue. To date, the SEC has brought 30 enforcement actions and ordered over $1.5 billion in penalties, while the CFTC has brought 18 actions and imposed over $1 billion in penalties. In September 2022, for example, the SEC and CFTC ordered penalties of approximately $1.8 billion against 11 financial groups. As with the above violations, the orders involved unapproved and unrecorded communications using off-channel methods.

CFTC Commissioner Christy Goldsmith Romero said that both agencies' enforcement actions concerning offline communications should send "a zero tolerance message to those who seek to evade regulatory oversight. She observed that the illegal practices were widespread and evasive and well-known to firm personnel: but no one stopped it. She said: "It's time for Wall Street and large foreign banks operating in U.S. markets to stop waiting for an enforcement action before they change illegal practices."

Commissioner Johnson supported the CFTC's requirement that the respondents review, evaluate, and remediate their supervisory and compliance controls and procedures on electronic communications. Remediation, for example, will not only reduce the likelihood of future violations, but will also "refine and strengthen the gold standard for the entire industry." She hopes that these actions will send a "strong message to the industry." SEC Deputy Director Wadha echoed this sentiment: "The 11 firms settling today have acknowledged that their conduct violated the law regarding these crucial requirements, and are implementing measures to prevent future similar violations. However, we know that other SEC-regulated entities have committed similar violations, and so our work to enforce industry-wide compliance continues."

MainStory: TopStory BrokerDealers CommodityFutures CyberPrivacyFeed DataSecurity Derivatives Enforcement ExchangesMarketRegulation FinancialIntermediaries GCNNews InvestmentAdvisers