Theta Lake’s Marc Gilman analyzes practical ways compliance offers can avoid pitfalls of off-channel communications and recordkeeping by employees.
The Securities and Exchange Commission announced that 16 firms—comprising broker-dealers, investment advisers, and dually registered entities—were being fined over $81 million for off-channel communications compliance failures. This brings the total fines levied by the SEC and Commodity Futures Trading Commission for off-channel communications and recordkeeping issues to over $2.6 billion.
These off-channel fines are increasingly common—reminiscent of “Groundhog Day.” But unlike the 1993 Bill Murray comedy film, each iteration of the SEC’s announcements includes slight variations and offers opportunities for compliance officers to consider refinements to strategic objectives. We explore the nuances of the latest round of fines and offer practical suggestions for compliance officers.
One salient feature of this set of fines is the clear benefit of credit for cooperation and self-reporting of recordkeeping gaps. While generally the fines ranged from $8 million to $16.5 million, Huntington, the firm that self-reported compliance issues, was fined $1.25 million—a pronounced and meaningful difference in magnitude.
Two other attributes of these fines are worth highlighting as well. First, the involvement of senior staff in prohibited activity continues to draw the SEC’s ire. Additionally, several fines mentioned the use of both unapproved communications methods, or applications, as well as the use of personal devices.
Compliance officers should consider a few practical issues when navigating the risks of communications oversight.
The SEC’s focus on personal devices has been consistent throughout this era of fines. As a reminder, the SEC’s Rule 17a-4(b)(4) mandates the retention of “[o]riginals of all communications received and copies of all communications sent (and any approvals thereof) by the member, broker or dealer (including inter-office memoranda and communications) relating to its business as such.” The rule contains no carve outs for specific types of devices or communications apps. If the conversation is related to firm business, it must be captured and retained.
Compliance officers should consider all available options when addressing the challenge of capturing communications in a device-agnostic, borderless business environment. All-in-one applications that include voice, chat, and SMS capabilities from Zoom Video Communications Inc., Cisco Systems Inc., RingCentral Inc., and other providers can be deployed on corporate-issued or BYOD personal devices and integrated with modern compliance technologies to capture every aspect of conversations on these platforms (emojis, GIFs, reactions, file transfers, etc.).
In other scenarios, solutions that offer integrations into consumer applications such as WhatsApp or WeChat can be leveraged, again feeding into next-generation compliance platforms that can support the various chat, voice, and video modalities of interactions.
Given the focus on senior managers engaged in potentially problematic activities, the ability to track identities and analyze conversations across platforms is table stakes for compliance oversight. Compliance teams must be able to view a conversation between a senior manager and direct reports as they flow from email to Zoom meeting chat to Slack to Microsoft Teams in a single, consolidated screen to determine where and when a participant suggests moving the dialog off channel. Compliance platforms must provide sophisticated identity reconciliation that threads together email addresses, corporate IDs, and phone numbers to facilitate comprehensive identification and search of all message content.
From a policy perspective, strongly worded prohibitions on off-channel communications are no longer sufficient. In several of the orders, the SEC observed that employees were advised that business communications must be conducted through firm approved platforms and no personal, unapproved messaging platforms should be used. Strong, clear policy language no longer mitigates bad behavior.
Finally, as evidenced by the reduced fine of the self-reporting firm in this case and others, if a firm identifies issues related to off-channel communications, it must be proactive and inform the SEC. Note, however, that self-reporting isn’t a rote act of notification—meaningful remediation must take place in tandem with the disclosure.
The SEC noted that Huntington proactively identified key documents and facts, which assisted the commission staff in efficiently investigating the conduct. Huntington also undertook significant remedial measures relating to its recordkeeping practices, policies and procedures, and related supervisory practices, including making an on-channel texting application available.
Such concrete steps are essential for any firm seeking material reductions in potential fines.
Taken together, focus on unified, comprehensive capture; the exploration of innovative communications platforms; and proactive reporting of identified recordkeeping issues will help compliance officers avoid a Groundhog Day situation of their own.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Marc Gilman is general counsel and vice president of compliance at Theta Lake, and adjunct professor at Fordham University School of Law.
Reproduced with permission. Published March 1, 2024. Copyright 2024 Bloomberg Industry Group 800-372-1033. For further use please visit https://www.bloombergindustry.
