Regulatory Updates For 2Q23: Benefits of Self-Reporting for Firms and Individuals
In this regulatory roundup, we focus heavily on self-reporting and how financial firms that voluntarily report electronic communications and recordkeeping violations may receive reduced fines from regulatory bodies such as the SEC.
Self-remediating and self-reporting
The SEC fined a large firm $15 million for widespread and longstanding failures by the firm and its employees to maintain and preserve electronic communications. This proceeding involves the failure of employees, including senior-level staff, to comply with essential requirements and the firm's own policies. Employees used personal devices to engage in off-channel communications, such as personal text messages and messaging platforms like WhatsApp. The SEC found that these off-channel communications related to the broker-dealer business operated by the firm — but it had failed to maintain or preserve the majority of these communications. The failure to implement policies and procedures prohibiting such communications resulted in a lack of reasonable supervision of employees.
In addition, the CFTC fined the firm $45 million for manipulative and deceptive trading related to swaps with bond issuers, spoofing and supervision, and mobile device recordkeeping failures. While discussions about the manipulative trading were openly held on the firm’s electronic communication systems and recorded phone lines, they were not flagged by any type of surveillance system and were therefore not supervised. Since the SEC has been clear that self-reporting and cooperation will be favorable to offenders, the firm self-reported off-channel communications related to the business and proactively began remediation.
"Today’s actions should not only remind firms of the importance of following SEC recordkeeping requirements, but also the value of disclosing violations when they do occur. Both [firms] self-reported and self-remediated their recordkeeping violations, and the reduced penalties in these cases reflect their efforts and cooperation. As we continue our efforts to ensure compliance with the Commission’s essential recordkeeping requirements, we encourage other firms to take note and likewise self-report."
Initiating a review before self-reporting
In similar news, the SEC fined another large firm $7.5 million for widespread and longstanding failures by the firm and its employees to maintain and preserve electronic communications. This proceeding also involved senior-level staff and their failure to comply with essential requirements and firm policies by using personal devices to engage in off-channel communications related to the firm’s business, while not maintaining or preserving the majority of those written communications. Unlike the first case, this firm discovered these off-channel communications and initiated a review of its recordkeeping failures and a remediation program before self-reporting the issue to the Division of Enforcement.
In addition, the CFTC fined the firm $15 million for failing to maintain, preserve, or produce records that were required to be kept under CFTC recordkeeping requirements, and failing to diligently supervise matters related to their businesses as CFTC registrants.
Self-reporting the deletion of communications records
The SEC handed a large firm a $4 million fine for accidentally deleting approximately 47 million electronic communications from around 8,700 electronic mailboxes. The firm self-reported the deletion event after discovering that many of the records were required business records under regulations 17a-3 and 17a-4.
Firm employees were given deletion tasks as part of a project to remove older communications and documents, but they experienced glitches which deleted unintended documents. This deletion had significant consequences as the firm was unable to retrieve or produce these deleted communications in response to subpoenas and document requests from at least twelve civil securities-related regulatory investigations. The firm has since implemented its own retention coding and strengthened approval processes for data disposition to prevent similar incidents from occurring in the future.
Other firm fines
Failing to supervise a registered representative
FINRA fined a firm $180,000 for failing to reasonably supervise a registered representative and his assistant’s firm email accounts. It was found that the firm should have detected that the representative was using firm resources to sell over $7 million in outside securities to its customers and other investors. Additionally, the firm failed to reasonably supervise these activities according to its Outside Business Activities (OBA) policies and procedures.
Restitution and interest
FINRA has imposed a fine of over $637,000 in restitution and interest on a firm for multiple violations. These include:
- Failure to implement a proper supervisory system to ensure compliance with FINRA suitability requirements for variable annuity recommendations
- Inadequate response to red flags indicating unsuitable recommendations
- Lack of effective supervision over the use of an unapproved email address for transmitting securities-related documents to customers
- Failure to retain business-related email communications
Additionally, the firm neglected to establish and enforce written procedures for reviewing electronic correspondence and documenting such reviews. Notably, a representative of the firm and their support staff utilized external email accounts for business purposes, engaging in communication with customers and forwarding incomplete or blank documents for signing.
Individuals fined
An individual was fined $10,000 and issued a 30-day suspension for the improper use of WhatsApp. This individual was using WhatsApp to communicate with customers; however, WhatsApp was not an approved communication channel according to the firm’s established policies and the firm did not preserve the individual’s WhatsApp communications as required by regulations, leading to incomplete recordkeeping on the part of the firm.
In 2020, the firm discovered the individual’s use of WhatsApp and subsequently issued the individual a Letter of Education reminding him of the firm's explicit prohibition against using unapproved electronic messaging platforms. Despite receiving and acknowledging the letter and its terms, the individual persisted in his use of WhatsApp for another 19 months to communicate with firm customers about securities-related matters.
Another individual has been sanctioned by FINRA with a fine of $15,000 and a 15-month suspension due to the use of a personal cell phone to transmit unauthorized text messages containing client documents. Because of this behavior, the individual's firm failed to uphold the required preservation of business-related text messages. Additionally, the individual provided false information to her firm by asserting that she did not use text messaging for business purposes, and made misleading statements to FINRA by denying the transmission of client documents through text messaging.
The takeaway
With the regulatory landscape evolving and fines growing in size and trickling down from firms to individuals, it’s time to embrace compliance failures and limit their impact on your firm. It pays to be proactive and transparent by self-reporting, but the next step is fortifying your communications compliance for the future.