While it is nothing new for regulators including the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) to pursue organizations for illicit communications and recordkeeping failures, a recent stack of civil enforcement actions against high-profile banks has shifted the tone further toward ‘zero-tolerance’.
With the SEC charging 11 Wall Street firms with widespread recordkeeping failures, levying fines totaling $289 million, and the CFTC leveling $260 million worth of penalties against four large banks for off-channel communications breaches, both regulators have highlighted that their focus has shifted towards the top-down culture enabling non-compliance.
Throwing the book at recordkeeping failures
The SEC charges identify “widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications”, and highlight “pervasive and longstanding off-channel communications” at all 11 organizations:
“From at least 2019, their employees often communicated through various messaging platforms on their personal devices, including iMessage, WhatsApp, and Signal, about the business of their employers. The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws.”
While the firms’ conduct and the SEC’s response might feel familiar, the angle that the SEC has taken indicates a shift in its expectations around recordkeeping and communications that go beyond financial repercussions alone:
- The SEC highlights that the firms’ actions “deprived the Commission of these off-channel communications”, thus limiting the regulator’s ability to do its job effectively by removing potential evidence of further wrongdoing
- The failures “involved employees at multiple levels of authority, including supervisors and senior executives”, showing a top-down disregard for compliance culture and that the people responsible for internal monitoring and compliance were part of the problem
- The firms “acknowledged that their conduct violated recordkeeping provisions”, which is not always the case with enforcement actions
- There have also been agreements that firms begin “implementing improvements to their compliance policies and procedures to address [the] violations” which include retaining independent compliance consultants to review their frameworks
By highlighting the firms’ conduct impacting regulatory effectiveness, the authority levels involved, and the need for firms to acknowledge their culpability and work to improve on compliance, the SEC has shifted the narrative away from one of financial repercussion to a more rounded and holistic view of the outcomes of non-compliance. Sanjay Wadhwa, Deputy Director of Enforcement, summarized:
“The 11 firms settling today have acknowledged that their conduct violated the law regarding these crucial requirements, and are implementing measures to prevent future similar violations. However, we know that other SEC-regulated entities have committed similar violations, and so our work to enforce industry-wide compliance continues.”
While the SEC’s statement acknowledges a subtle shift towards a more culture-focused approach to enforcement, much like the continuing mission of the starship Enterprise, the regulator’s work towards a truly comms-compliant future goes on.
“Pervasive and evasive bank practices”
If the statements from the SEC represented a subtle shift, comments by CFTC Commissioner Christy Goldsmith Romero in her summary of the enforcement were a veritable sledgehammer. She hails “another victory in holding banks accountable for their pervasive use of unauthorized communication methods” that led to these firms “violating the law and evading regulatory oversight requirements”.
As with the SEC’s ruling, Romero’s comments home in on a requirement that firms ‘own it’ when it comes to accountability, and on the wider rationale behind enforcement – public interest and market integrity:
“The CFTC is requiring an admission of wrongdoing as part of these settlements. Too often, accountability and deterrence is only discussed in terms of the size of a penalty … the Commission’s offline communication cases are not merely ‘technical’ violations, but instead go to the core of public interests in financial regulator visibility into those it regulates to protect markets and investors.”
“Zero-tolerance for keeping regulators in the dark”
The weight of public interest and the need to maintain ironclad market integrity explain why regulators are shifting towards a zero-tolerance stance that focuses on the compliance culture behind the breaches, rather than just the ‘technical violations’ themselves. Romero highlights the consistency of enforcement action, and the joint efforts of regulators working in concert, as proof that there is now nowhere to hide for non-compliance:
“By bringing these cases, and the prior offline communication cases in parallel with the SEC, the Commission is sending a strong message to all entities that we regulate that we will not tolerate efforts that evade our regulatory oversight.”
Romero recalls a statement she made alongside the CFTC’s initial offline communications enforcement cases that “the era of evasive communications practices is over”, and the regulator’s consistent hardball stance backs this up.
In this earlier speech, Romero also set out that “change can only happen if the banks’ C-suite establishes a culture of compliance over evasion” – prophetic words considering that, just under a year later, it is once again an issue of non-compliant culture coming from the top down:
“We found that hundreds or thousands of employees used (often regularly) unauthorized communication platforms, with the knowledge and participation of senior leadership … this even included the use of encrypted messaging apps and private texts by those who should have stopped this illegal practice—senior officials and those officials responsible for compliance … it was well known within these banks that their internal policies were being flagrantly violated in practice. But no one stopped it.”
There has been growing discussion around the need for the C-suite to lead by example in creating a compliance-first culture and place emphasis on ‘doing the right thing’. When those responsible for ensuring compliance engage in off-channel comms, it sets a dangerous precedent for more junior team members.
It also rings alarm bells around proactive compliance. Romero’s statement acknowledges “adoption of new technologies and evolving means of communication” as being a means of potential evasion of regulatory scrutiny. Firms need to stay aware of (and on top of) how quickly technology can change in order to maintain a sound risk posture.
Time’s up for C-suite non-compliance
Summarizing the cases, both the SEC and the CFTC have set out quite clear battle lines on how they expect firms to act going forward, and the compliance-positive cultures they expect to see fostered. The SEC’s Director, Division of Enforcement, Gurbir S. Grewal, summarized that compliance with books and records requirements is essential to protecting investors and markets:
“While some broker-dealers and investment advisers have heeded this message, self-reported violations, or improved internal policies and procedures, today’s actions remind us that many still have not. So here are three takeaways for those firms who haven’t yet done so: self-report, cooperate and remediate. If you adopt that playbook, you’ll have a better outcome than if you wait for us to come calling.”
It’s clear that the SEC expects firms to be keenly aware of their compliance practice and procedures, and to self-report and work with regulators when non-compliance might occur – because proactivity will have a more positive outcome than waiting for regulators to catch up.
Romero sets out an even firmer stance from the CFTC:
“Tone at the top dictates a bank’s culture and that tone must change … the tone at the top the CFTC found was one of evasion, keeping regulators in the dark. Change can only happen if the bank’s C-suite establishes a culture of compliance over evasion. It is far past time for the C-suite to step up.”
It’s abundantly clear that regulatory patience has run out on communications compliance and recordkeeping failures. Both the SEC and CFTC have high expectations that firms maintain transparency and do not attempt to avoid (or evade) scrutiny, and there will be zero tolerance for attempts to do so. It is also clear that regulators expect that the C-suite lead from the front on building compliance culture, as that is what they will be policed on. When it comes to this new ‘culture war’ on ensuring recordkeeping and communications compliance, the C-suite needs to make sure they get the message, loud and clear.