The SEC And The CFTC Hit Financial Institutions With Nearly $550 Million In Fines Over Recordkeeping Failures Regarding Digital Communications. Firms That Don’t Improve Likely Will Face More Penalties.
Earlier this month, the Securities & Exchange Commission and the Commodity Futures Trading Commission fined a series of financial institutions nearly $550 million for their failure to follow proper recordkeeping requirements regarding digital communications. The sanctions come after regulators hit banks with $2 billion in penalties in September 2022 for similar violations.
The latest levies prove two things. First, the SEC and CFTC are serious about making sure institutions live up to their responsibility to retain all internal communications, and to govern the use of “off-channel” communications (channels unapproved for business use). Second, many firms have yet to learn this lesson.
And if the industry doesn’t begin to change its approach soon, the costs, not to mention the reputational fallout, will only worsen – especially when you consider that FINRA may soon start handing out fines.
Here’s what banks, broker-dealers, RIAs and other institutions need to keep in mind while trying to improve their oversight of digital communications.
1. More Regulatory Fines Are Coming
The SEC, CFTC and FINRA will not be gun-shy about smacking additional firms with heavy fines for failing to treat off-channel communications properly. All of which is another way of saying they expect to see progress.
As part of the settlement surrounding the latest fines, the firms involved agreed to hire compliance consultants to review policies related explicitly to capturing communications on personal devices. That’s a good start. But regulators will also want firms to self-report violations, cooperate with their staffs and focus more closely on remediation procedures. Even if regulators spot holes, firms that make every effort to stay in compliance will likely encounter better outcomes.
2. Financial Firms Must Expand Their Capture Coverage
For years, one of the worst-kept secrets in the industry was that the practice of using an unmonitored personal device for business purposes was commonplace. Everyone from bankers to analysts to advisors to managing directors to C-suite staff did it.
The industry rules and regulations were clear: Using unmonitored devices or channels for business purposes is not allowed. Many didn’t care, presumably thinking they’d never get caught or not thinking about it at all.
The same was true regarding so-called off-channel communications apps such as WhatsApp, Signal and LinkedIn Messenger. Firms prohibited their use via policy, knowing that they’d be challenging to track. No matter. People used them anyway.
Now we’re seeing the consequences. The lesson? Capture and supervise all data, no matter where and how it is transmitted. Otherwise, firms are vulnerable to serious enforcement action, because whether a device or communication channel is approved internally doesn’t matter.
3. It’s Time To Review Past Communications
Firms cited in the recent regulatory announcement admitted to using unapproved communications tools since at least 2019. That was well before the COVID-19 pandemic, which prompted a surge in digital communications, with countless workers transitioning to remote setups.
Therefore, it’s not enough for compliance teams to focus on the future. Indeed, firms must also review past digital communications oversight procedures and take the necessary corrective actions to prevent additional vulnerabilities. Did workers/management use off-channel communications? Which ones were they? And how do you prevent it from happening again?
4. Oversight & Supervision Hurdles Remain High
It is sobering to consider that the firms cited did have procedures for all personnel – including supervisors – requiring annual self-attestation of compliance. Clearly, that was not enough. Thankfully, banks, broker-dealers and RIAs with the proper software can tune their lexicon-based policies and leverage artificial intelligence-based models to detect when communications move off-channel.
This month’s fines, along with all the ones that preceded them, should make it clear to financial firms that they need to demonstrate tangible action to remediate any deficiencies in their approach to retaining digital communications. Equally important, however, is raising awareness and getting buy-in among their employees about the importance of abiding by all protocols. The regulators are only getting started.
Robert Cruz is Vice President, Regulatory and Information Governance at Smarsh.