The $1.8 billion in fines levied against 16 financial institutions for failing to capture, retain and supervise communications underlines regulators’ growing determination to crack down on compliance and security failings in the modern workplace. The latest penalties, issued in 2022 by the U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) for unmonitored use of SMS, chat, mobile messaging and WhatsApp, are in addition to another collective $200 million fine in December 2021, bringing the total so far to more than $2 billion. This failure to retain, monitor and produce records of business communications creates fundamental compliance issues. It impedes the ability of regulators to supervise and enforce rules to protect investors and maintain market integrity. It prevents firms from having oversight of employee conduct, or from responding to complaints, audits or data requests under privacy laws such as the EU General Data Protection Regulation (GDPR). It hinders firms’ ability to obtain cooperation credit when under criminal investigation by the U.S. Department of Justice (DoJ), and it also brings significantly heightened security and data privacy risks.
The compliance breaches
Unsurprisingly, regulators have lost patience. Despite numerous regulatory warnings about the importance of maintaining records of communications, the failings uncovered in the investigations were both systemic and widespread throughout all levels of seniority. They involved vast numbers of managing directors, executive directors, trading desk heads, control functions and industry group heads. In many cases there had been tens of thousands of unmonitored messages involving staff and other participants in the securities industry. Firms’ own internal policies and procedures, which prohibited any business communications through unapproved methods, were also breached. Even the supervisory staff responsible for ensuring compliance with internal policies and procedures were found to have violated the firm’s policies themselves.
The remedial action and lessons to learn
The enforcement actions serve as a reminder that obligations to retain, supervise and protect data apply equally to today’s modern messaging and communications tools. The financial and operational implications of failing to do so extend far beyond the fines. The need to appoint and pay for compliance consultants to oversee significant remedial programmes to assess, improve and implement controls is central to the extensive corrective action that has been mandated. With retention, retrieval and supervision of communication a priority for regulators worldwide, there are 10 takeaways for regulated institutions to consider to ensure they are not similarly exposed:
1. Establish a culture of compliance and tone from the top
The widespread involvement of senior management and of those responsible for overseeing compliance with policies underlines the need to reinforce compliance practices from the top of organisations. “Tone at the top must change on Wall Street. Change can only happen if the bank’s C-suite establishes a culture of compliance over evasion,” said Christy Goldsmith Romero, CFTC commissioner.
2. Review and remediate gaps in record keeping or supervision
Firms are required to undertake a comprehensive review to ensure that all electronic communications, including those on personal and mobile devices, are preserved. Firms should check that there are no gaps in capturing or retaining communications across any of the SMS, collaboration or chat tools in place such as Slack, Zoom, Microsoft Teams and Webex by Cisco, as well as consumer apps such as WhatsApp. Remedial efforts must include ensuring that in-meeting communications as well as images, GIFs, emojis or reactions that change meaning and context are captured in context and retained appropriately.
3. Review and improve the effectiveness of existing compliance technology
A (re)assessment of the technological solutions implemented by firms to meet record retention requirements is an essential part of the remedial action, to be carried out by an independent compliance assessor. As an immediate and incremental step, firms can plug any gaps in existing infrastructure with solutions designed to capture chat and messaging and send them to legacy archives without disrupting any compliance processes.
4. Implement solutions built for modern communication tools
“Relevant technologies are evolving quickly … [so] internal compliance programs must adopt internal controls consistent with this new landscape,” said Kristin N Johnson, CFTC commissioner. Firms should consider adopting tools specifically built for rich, dynamic communications. Using artificial intelligence and machine learning will enable them to comprehensively capture, supervise and detect risks across the vast volumes of communications, from complaints and data leakage to failures to provide transparent and suitable investment advice. Tools that enable firms to compliantly and securely unlock the communication channels staff and customers want to use will be more effective than trying to ban or block usage.
5. Ensure records can be retrieved
The lack of records was a central impediment to the regulators’ investigations. It is essential to be able not only to capture but also to quickly search and retrieve all relevant communications for regulators, prosecutors and auditors in a reviewable format; for example, by ensuring that chat messages can be viewed in their native format over the entire history of the conversation with full context retained.
6. Review and update training
Firms have been instructed to undertake a comprehensive review of training to ensure staff at all levels of the firm are complying with the requirements regarding the preservation of electronic communications. As part of these efforts, firms must adopt a “zero tolerance” approach to policy violations to strengthen cultures of compliance.
7. Implement a system to monitor adherence to internal policies
While firms generally had internal record keeping and communications policies in place, they failed to implement sufficient monitoring and review to ensure they were being followed. Part of the remedial actions has been a new requirement for staff to certify, in writing, on a quarterly basis that they are complying with records preservation requirements.
8. Ensure accountability and action where breaches are identified
Regulators are requiring firms to report, for two years, violations of any policies or procedures concerning electronic communications preservation, together with the disciplinary action taken in response: written warnings, loss of any pay, bonus or incentive compensation, or termination of employment. Some firms must also carry out a comprehensive review of their framework for addressing non-compliance, including how non-compliant employees were identified. Recent bonus cuts taken by board members are one example of demonstrable accountability.
9. Include communications compliance and retention in the internal audit plan
In many of the firms fined, the internal audit function has been required to undertake a review to assess progress with remedial action, the quality of the controls and technology implemented, and adherence to policies.
10. Address security and privacy risks
Data security risks need to be on firms’ risk radars and managed comprehensively across all modern communications. Firms should be under no illusions about just how easily chats laden with files and data, with no limits on size, can be shared — creating significant data loss risks, whether accidental or deliberate. The need for meticulous record keeping is not new, and is not limited to the United States.
Firms around the world would be well advised to undertake a board-sponsored wide-ranging review of record keeping at all levels, with a particular focus on highlighting any gaps and prioritising the implementation of remedial action. That should be undertaken without delay. “The time is now to bolster your record retention processes and to fix issues that could result in similar future misconduct by firm personnel,” said Sanjay Wadhwa, deputy director of enforcement at the SEC.
Stacey English, director of regulatory intelligence, Theta Lake.
Produced by Thomson Reuters Accelus Regulatory Intelligence.