The current hot streak of enforcement activity for recordkeeping failures relating to off-channel communications continues, as the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have issued fines to firms with a combined total of over $118 million – although in two instances firms that cooperated with the regulator managed to avoid penalties completely.
Here we go again …
On 24 September, 2024, the SEC announced charges against 12 firms including broker-dealers and investment advisors for “widespread and longstanding failures” to “maintain and preserve electronic communications” which involved personnel “at multiple levels of authority, including supervisors and senior managers” sending and receiving off-channel communications.
It’s been a busy month for the SEC, with the regulator having already hit six credit agencies and 12 municipal advisors with fines for recordkeeping violations related to off-channel communications. In the commission’s summary of the latest case, it highlighted that “pervasive and longstanding use of unapproved communication methods” included “records required to be maintained under securities laws”, and that the failure to capture, maintain, and preserve these records “deprives the SEC of these communications in [its] investigations.”
The firms admitted to the facts outlined in their respective orders, acknowledged their conduct violated recordkeeping provisions, and agreed to pay combined penalties of $88,225,000. Ten of the firms also agreed to retain compliance consultants to “conduct comprehensive reviews of their policies and procedures relating to the retention of electronic communications found on personal devices.”
Responding to the action, Gurbir Grewal, Director of the SEC’s Division of Enforcement, said:
“Widespread and longstanding failures, including where those failures potentially hinder the Commission’s investor protection function by compromising a firm’s response to SEC subpoenas, may result in robust civil penalties.”
Grewal’s statement also included a topic he’s emphasized the importance of before: firms working with the regulator by promptly self-reporting and sharing information of noncompliance:
“On the other hand, firms that self-report and otherwise cooperate with the SEC’s investigations may receive significantly reduced penalties.”
This brings us to the case against Qatalyst Partners LP.
Cooperation, cooperation, cooperation
Out of the twelve firms charged, Qatalyst Partners LP was the sole organization to escape without having to pay a penalty. Although the SEC investigation uncovered that Qatalyst personnel “at various levels of authority” sent and received off channel communications that were not maintained or preserved, because the firm “self-reported its violations, cooperated with the staff’s investigation, and demonstrated substantial efforts at compliance with the recordkeeping requirements,” the firm would not be required to pay a fine. Grewal’s case summary highlighted this:
“Firms that self-report and otherwise cooperate with the SEC’s investigations may receive significantly reduced penalties. Here, despite recordkeeping failures that involved communications by senior leadership and persisted after our first recordkeeping matters were announced in 2021, Qatalyst took substantial steps to comply, self-reported, and remediated and, therefore, received a no-penalty resolution.”
Qatalyst isn’t the only firm too have avoided paying an SEC fine because of “substantial cooperation” in the last month. On 23rd September, the SEC announced charges against Atom Investors LP for similar recordkeeping and off-channel communications – but also that the firm would pay no penalty.
The enforcement against Atom for “its failure to maintain and preserve off-channel communications” resulted from an SEC-issued subpoena in 2021. The commission requested that Atom share “documents in connection with an investigation into a third party.” However, when Atom tried to source these documents, it discovered that “over a more than three-year period, it had failed to preserve records subject to the recordkeeping requirements of the federal securities laws” – including “communications by personnel at senior levels of the firm.”
Interestingly, the SEC chose not to impose a penalty “because Atom investors self-reported the conduct, promptly remediated the violations, and provided substantial cooperation to Commission staff in an investigation of another entity.” While this is further evidence that cooperation and self-reporting are regarded positively by the SEC, it is worth noting that Atom wasn’t the primary focus of the SEC’s investigation here, and the off-channel communications breaches were discovered as a by-product of that case – perhaps pointing to the outcome of that wider case, and Atom’s assistance in it, being a key mitigating factor.
Grewal’s summary of the enforcement once again highlighted the benefits of firms being proactive in self-reporting breaches and working with the regulator, and how other firms should take note:
“This resolution shows that the full benefits of cooperation are available in recordkeeping matters. Atom Investor’s self-reporting and prompt remedial efforts weighed heavily in the Enforcement Division’s decision to recommend that the Commission not impose a penalty. This resolution should serve as a model for other investment advisors that are not currently in compliance with federal recordkeeping requirements.”
Monkey CFTC, monkey do …
The SEC isn’t the only regulator getting in on the off-channel comms enforcement action. Also on September 24, the CFTC issued an order filing and settling charges against swap dealer Canadian Imperial Bank of Commerce (CIBC) for “failing to maintain and preserve records that were required to be kept under recordkeeping requirements.”
The CFTC’s investigation found that “from at least September 2018 to the present, CIBC failed to stop employees, including those at senior levels, from communicating using unapproved communication methods, including messages sent via personal text.” The senior staff involved also included “personnel responsible for ensuring compliance with CIBC’s policies and procedures,” which “generally prohibited” the use of unapproved communications channels.
The regulator found that “these written communications generally were not maintained and preserved by CIBC, and CIBC generally would not have been able to provide them promptly to the CFTC if and when requested.”
These failures resulted in a $30 million civil penalty, and CIBC being ordered to cease and desist from any future violations of recordkeeping and supervision requirements.
More to come?
The tempo of recordkeeping enforcement activity has substantially increased in a matter of weeks. While we could speculate on the reasoning behind this, with factors perhaps including a dip in activity over the summer months and staff having returned to cases post-vacation, and even enforcement teams wanting to close as many cases as possible before November’s looming election, the simple fact is this: regulatory focus on off-channel communications and recordkeeping violations isn’t going anywhere.
The rationale behind this now feels well-worn, but these cases feel like a timely reminder to firms that:
- Regulators expect that business communications across every channel are captured and retained – without exception
- The consequences of being unable to provide regulators with complete records are steep – and instances where regulators don’t issue penalties are the exception, not the rule
- Regulators take a dim view of firms being unable to provide complete records because it prevents them from doing their job and reviewing records for non-compliance. Even if firms might have had nothing to hide, recordkeeping failures make it impossible to prove this
- We’ve seen time and again that senior personnel and those in supervision and compliance functions are taking part in off-channel communications themselves, which falls far short of the ‘tone from the top’ that regulators expect them to set
With signs pointing to regulators in jurisdictions outside the U.S. beginning to focus on off-channel communications and recordkeeping breaches, firms had better learn the lessons from this latest influx of cautionary tales – and learn them fast.