The Securities and Exchange Commission (SEC) is showing no signs of slowing down in what is becoming “super September” for enforcement activity. Off the back of $49 million in fines issued to six credit agencies for recordkeeping failures and $1.24 million in Marketing Rule fines, the commission has announced charges against 12 municipal advisors for off-channel communications failings.
The ongoing off-channel comms crusade
On September 17, the SEC announced it had settled charges against 12 municipal advisers for failures to maintain and preserve electronic communications, with these recordkeeping lapses being the result of systemic use of non-approved and unmonitored communications channels.
The firms in question agreed to pay combined penalties of over $1.3 million, acknowledged that their conduct had violated recordkeeping requirements, and have “begun implementing improvements to their compliance policies and procedures to address these violations”. The fines ranged from $324,000 at the top end to $40,000 as the smallest issued. In addition to the financial penalties, all firms have been censured and ordered to cease and desist from future violations of the recordkeeping requirements in question.
It (record)keeps happening
For those keeping up with the SEC’s ongoing crackdown on recordkeeping and off-channel communications violations, several details of these enforcements will feel very familiar:
- The firms failed to maintain and preserve records of communications sent and received by personnel relating to regulated business activity
- The failures involve personnel at multiple levels of authority, including supervisors and director-level employees
- Employees communicated via electronic communications channels that were “not subject to the firm’s compliance supervision”, both internally and externally
Through their failures to “maintain or preserve” relevant written communications as part of their books and records obligations, the 12 firms violated section 17(a) of the Exchange Act, as well as Rule 15Ba1-8. They also violated MSRB Rule G-44, requiring municipal advisors to “implement and maintain a system to supervise the municipal advisory activities of the municipal advisor and its associated persons” that achieves compliance with relevant regulatory rules.
Since the first round of high profile SEC recordkeeping fines related to off-channel communications back in 2022, we have seen many further enforcements that share very similar traits, whereby communications take place via unapproved – and unmonitored – channels, records of these communications are not kept, and staff at multiple levels of seniority are involved. This last trait is especially concerning, as supervisors “responsible for preventing this misconduct” are falling short where they should be leading by example.
Of the dozen firms involved in this enforcement, many were found to have been monitoring and archiving business communications sent via particular channels, such as email, but not monitoring or retaining the electronic and text messaging channels used non-compliantly. In all instances there were compliance policies and procedures in place – but staff continued communicating using unapproved channels.
Take our word for it …
Employees at several of the firms were made well aware of which channels were approved for use for business communications, and that they should limit communications to these channels. Firms had procedures and policies in place requiring that employees self-certify their compliance with electronic communications policies.
The SEC’s enforcement summaries outline that “all … employees that sent or received off-channel communications, including supervisors, certified that they were in compliance with the electronic communications policies yet did not follow these policies”. This highlights a potential flaw with attestation-based compliance training policies, as the firms took the word of employees that they had read, understood, and adhered to compliance policies – while they were clearly ignoring them.
The investigation identified that firms “did not have processes in place to review, test, or modify reliance on employees’ self-certifications”. Requiring employees to attest to having engaged, understood, and committed to adhering to compliance policies is undoubtedly important, but an attestation policy is only as good as a firm’s commitment to ensuring that employees’ actions mirror their words.
Clear expectations
In her summary of the enforcements, Rebecca Olsen, Deputy Chief of the SEC’s Division of Enforcement Public Finance Abuse Unit, said:
“The books and records requirements are critical to facilitating Commission inspections and examinations of municipal advisors and in evaluating a municipal advisor’s compliance with the applicable federal securities laws. Municipal advisors are encouraged to assess their recordkeeping practices relating to off-channel communications. Firms that believe their practices do not comply with the securities laws are encouraged to self-report to the SEC’s Enforcement staff.”
The final line of Olsen’s summary evokes comments by Gurbir Grewal around the importance of firms working with the SEC and other regulators, and how self-reporting violations early and working collaboratively with regulators to remediate wrongdoing can potentially result in lighter penalties.
The SEC has accompanied its ongoing crusade against off-channel communications with a shift toward greater transparency. From outlining the importance of cooperating with investigations and self-reporting, to detailing where it will act directly against Chief Compliance Officers, to explaining clearly how it makes decisions around imposing recordkeeping fines, the regulator is giving firms a considerable amount of clear information on the when, why, and how of its enforcement actions.
With so much information and insight into the SEC’s expectations available, and now over $3 billion in well-publicized cautionary tales of off-channel communications enforcement actions, it is becoming increasingly baffling to see firms continuing to repeat the same mistakes time and again – especially with tried and tested compliance technology solutions readily available.