On September 3, 2024, the Securities and Exchange Commission (SEC) charged six nationally recognized credit rating agencies a collective $49 million for recordkeeping failures. All six firms acknowledged and admitted their inability to maintain and preserve electronic comms, violating Section 17(a)(1) of the Securities Exchange Act of 1934 and, in turn, Rule 17g-2(b)(7), which requires:
“Nationally recognized statistical ratings organization (NRSROs) and other regulated entities to make and keep for prescribed periods such records, and furnish copies thereof, as required by Commission rules.”
There is no doubt that regulatory expectation is clear; however, despite fines in the billions and stringent regulatory messaging, recordkeeping failures continue to occur. In fact, this is the second enforcement action of its kind to be issued over the summer – in August 2024 the SEC issued a combined charge of $390 million against 26 firms for yet another slew of recordkeeping failures, and who is to say the fines will stop here?
The SEC strikes: six for six
The latest round of SEC fines is a familiar tale. After failing to maintain records of business communication made through texts, WhatsApp, WeChat and personal mobile devices, these credit rating agencies fell foul of recordkeeping rules and incurred a total of $49 million in civil penalties. Individual fines for firms range from $100,000 to $20 million. These fines were in large part owed to senior managers communicating through channels that were not being preserved for recordkeeping purposes. This is despite repeated warnings from regulators that senior officials must set the standard of culture in an organization, as employees and personnel are more likely to then follow suit.
As part of the SEC’s off-channel comms probe, four of the fined credit agencies must retain a compliance consultant with a view to implementing compliant practices into workflows. This acts both as a way to eliminate future risk and as a deterrent for other firms who are treading the line when it comes to electronic communications capture. In addition to this, the four firms have been instructed to conduct comprehensive reviews of their existing policies and procedures around electronic comms retention, personal device use, and any other frameworks that pertain to non-compliance by personnel.
With regards to the two firms who were not required to adopt a compliance consultant, this came down to their cooperation efforts throughout the SEC’s. Echoing previous SEC messaging that cooperation is key, Sanjay Wadhwa, Deputy Director of the SEC’s Division of Enforcement, stated:
“In today’s actions, the Commission once again makes clear that there are tangible benefits to firms making significant efforts to comply and otherwise cooperate with staff’s investigations”.
Although it may prove fruitful for firms to cooperate with the regulator when investigations begin, the real issue to be addressed is that the regulator’s “zero tolerance” attitude towards evasion of compliance regulations is not being received the way they want, or having the desired outcome. Firms are still proving incapable of capturing and storing their eComms.
One year on – the message isn’t getting through
There is an almost-perfect blueprint that firms who violate SEC rules follow. They violate regulations, pay the price, and publicly take accountability for their actions. One might point to this being a type of ‘compliance cancel culture’. For example, in this case, HR Ratings stated that:
“[over the past year] it has significantly strengthened its electronic recordkeeping policies and procedures. The settlement with the SEC underscored our firm commitment to upholding regulatory standards in every jurisdiction where we operate.”
It is interesting to see these statements made time and again, especially given that regulators have delivered numerous speeches condemning firms for failures to capture and store communications and calling out senior officials for their lack of compliance.
For example, just over one year ago, following the Commodity Futures Trading Commission (CFTC) enforcement action against 11 Wall Street firms, CFTC Commissioner Christy Goldsmith Romero released a statement, saying:
“It’s time for Wall Street and large foreign banks operating in U.S. markets to stop waiting for an enforcement action before they change illegal practices. The illegality that the CFTC found in all of these cases was disturbingly widespread, evasive, conducted by senior officials as well as those responsible for compliance, and a clear violation of the law and internal bank policies.”
She added that regulators would be taking a “zero tolerance” approach. However, despite billions in fines and strengthened regulatory messaging, there has been little change one year on. In this latest SEC action, Sanjay Wadhwa assured that the outcome of this case could lead to a culture of compliance and that firms may finally be deterred from repeating the same mistakes as a result, stating:
“In my enforcement experience, deterrence can be achieved from a defendant having to admit wrongdoing, combined with a penalty. Particularly those defendants with significant resources may view admissions to be more consequential than a penalty.”
Reinforcing this idea of ‘compliance cancel culture’, is it possible that the current approach is ineffective? Instead of seeing fines as a deterrent or a cautionary tale, do firms know that the consequences of non-compliance are short-term, that reputational damage will not last, and that these fines are a drop in the ocean monetarily?
Some may ask whether the regulator should change tack, or do more in implementing greater consequences in its quest for accountability and transparency from firms. Should firms be mandated to implement technological solutions to prevent further regulatory infractions?