[34309]
October 12, 2022
TO:
ICI Members
Chief Compliance Officer Committee
Technology Committee
SUBJECTS:
Compliance
Investment Advisers
Litigation & Enforcement
RE:
SEC Charges 15 Broker-Dealers and One Related Adviser with Recordkeeping Violations Involving Communications on Personal Devices
On September 27, the SEC's Division of Enforcement announced that it had charged fifteen broker-dealers and one investment adviser associated with one of the broker-dealers[1] with "widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications."[2] Cumulatively, these actions resulted in fines in excess of $1.1 billion and, in addition to these fines, the settlements involved the respondents agreeing to retain a compliance consultant. The SEC's findings against these firms and the sanctions imposed are summarized below.
The SEC’s Findings
In settling these actions, the respondents admitted the facts set forth in these orders and acknowledged that their conduct violated the federal securities laws. The findings in each of these orders are largely identical. In each order, the respondent admits that:
- The proceedings arise out of the widespread and longstanding failure of their employees throughout the firm, including at senior levels, to adhere to certain essential requirements of the firm's policies.
- Using their personal devices, employees communicated both internally and externally by personal text messages or other text messaging platforms such as WhatsApp.
- From at least January 2018 to September 2021, the firms' employees sent and received "off-channel" communications that related to the business of broker-dealers and the respondents failed to maintain these communications. These communications occurred at all seniority levels.
- The firms' supervisors, who were responsible for preventing this misconduct among junior employees, routinely communicated off-channel using their personal devices. These supervisors included managing directors and senior supervisors.
- The firms failed to retain all required communications. Moreover, the firms "received and responded to Commission subpoenas for documents and records requests in numerous Commission investigations" and the firms' recordkeeping failures "likely impacted the Commission's ability to carry out its regulatory functions and investigate violations of the federal securities laws across these investigations."
- The firms' policies and procedures advised their employees that the use of unapproved electronic communications methods, including on their personal devices, was not permitted, and they should not use personal email, chats, or text-messaging applications for business purposes nor forward work-related communications to their personal devices.
- Messages sent through the firms' unapproved communications methods, such as WhatsApp, and those sent from unapproved applications on personal devices were not monitored, subject to review, or archived.
- The firms had procedures for all employees, including supervisors, that required biannual self-attestation of compliance.
- The firms failed to implement a system of follow-up and review to determine that supervisors were reasonably following the firms' policies or to monitor employees to assure that the firms' recordkeeping and communications policies were being followed.
- Each of the firms cooperated with the investigation by gathering communications from the personal devices of a broad array of senior and other broker-dealer personnel (including, e.g., desk heads, investment bankers, and traders).
- From at least January 2018 through September 2021, the firms failed to maintain tens of thousands of messages that were sent and received that concerned the broker-dealers' businesses, including discussions of investment banking client meetings and communications about market color, analysis, activity trends, or events.
- This conduct violated Section 17(a) of the Securities Exchange Act and Rule 17a-4(b)(4), which requires broker-dealers to preserve for at least three years originals of all communications sent relating to its business as such.
With respect to the order involving the investment adviser, that firm was additionally charged with failing reasonably to supervise its employees with a view to preventing or detecting certain of its employees' aiding and abetting violations of the recordkeeping requirements of Section 204 of the Advisers Act and Rule 204-2(a)(7) thereunder.
The Sanctions Imposed
As with the J.P. Morgan case, based upon the above findings and violations, each of the sixteen firms involved in these cases was censured, ordered to cease and desist from further violations, ordered to pay a civil monetary penalty, and agreed to undertakings. For most of the firms, the fine was $125 million (which was the same fine paid by J.P. Morgan). The exceptions were the fines imposed on Cantor Fitzgerald ($10 million) and Jefferies and Nomura (which were each fined $50 million).[3] As regards the undertakings, as with J.P. Morgan, each of the firms agreed to:
Retain a compliance consultant for at least two years to address the issues described in the orders
Among other things, the compliance consultant must:
- Conduct a comprehensive review of the firms' supervisory, compliance, and other policies designed to ensure all e-communications, including those on personal devices, are preserved as required by law.
- Conduct a comprehensive review of the firms' training related to preservation of e-communications, including those on personal devices, "including by ensuring that employees certify in writing on a quarterly basis that they are complying with preservation requirements."
- Assess the firms' surveillance program to ensure compliance with requirements related to preserving e-communications, including those on personal devices.
- Assess the technological solutions the firms use to prevent unauthorized communications methods for business communications by employees. The assessments shall include a review of the firms' policies and procedures to ascertain if they provide for any significant technology and/or behavioral restrictions that help prevent the risk of the use of unapproved communications methods on personal devices.
- Review the firms' e-communication surveillance routines to ensure that e-communications through approved communications methods found on personal devices are incorporated into the firms' overall communications surveillance program.
- Conduct a comprehensive review of the framework adopted by the firms to address instances of employees' non-compliance with the firms' policies and procedures regarding the use of personal devices to communicate about the firms' business. Such review must include how the firms determined which employees failed to comply with their policies and procedures, the corrective action carried out, an evaluation of who violated the policies and why, what penalties were imposed, and whether such penalties were handed out consistently across business lines and seniority levels.
Within 45 days after completion of the required review, each consultant must submit a detailed report of its findings to the firm and the SEC. With limited exceptions, the firms must adopt all recommendations in the consultants' reports within 90 days. One year following submission of the consultants' reports, the firms must require the consultants to conduct a follow-up review regarding the firms' implementation of the consultants' recommendations.
Report to the SEC on Disciplinary Actions Taken Against Employees
In addition to the above, for two years following the orders, the firms must notify SEC staff upon imposing any discipline on an employee for violating the firms' policies and procedures relating to the preservation of e-communications. For purposes of this requirement, "discipline" includes, but is not limited to, written warnings, loss of any pay, bonus, or incentive compensation, or the termination of employment.
Have Internal Audit Conduct an Audit Related to Recordkeeping
The Undertakings also require each firm's Internal Audit function to conduct an audit to assess the firm's progress in the areas to be reviewed by the compliance consultant. Upon completion of the internal audit, the firm is required to ensure that Internal Audit submits a report of its findings to the firm and to the SEC staff.
Ongoing Investigation
Finally, the SEC's press release about these cases notes that, separately, the Commodity Futures Trading Commission has "announced settlements with the firms for related conduct."[4] It also states that the SEC's investigation of these recordkeeping issues is ongoing. Though not discussed in the Commission's press release or orders, we understand that, in continuing to review registrants' compliance with the federal recordkeeping requirements, Commission staff may be requesting the following information:
- Policies and procedures related to:
  - The Communication Devices and/or Platforms on which Supervised Persons are or are not authorized to create and/or receive Electronic Communications;
  - The retention of Electronic Communications by Firm and/or its Supervised Persons;
  - The Communication Devices and/or Platforms (including but not limited to "bring your own device" software) provided to Supervised Persons by or at the direction of Firm for the purpose of enabling Supervised Persons to communicate in a manner that complies with the policies and procedures described above.
- Documents sufficient to identify all persons responsible for overseeing Firm's policies and procedures described above.
- Any records documenting Firm's annual review of the policies and procedures described above.
- Documents sufficient to identify any monitoring, testing or reviews conducted with regard to compliance with the policies and procedures described above.
- Documents sufficient to identify any certification process by which Supervised Persons at Firm attested to their compliance with the policies and procedures described above.
- Documents sufficient to identify any compliance-related training mandated for Firm's Supervised Persons concerning the policies and procedures described above, as well as any policies or procedures by which participation in such trainings was monitored or enforced.
- Documents sufficient to identify any reminders or other materials circulated to Firm's Supervised Persons concerning the policies and procedures described above.
- Documents sufficient to identify all violations of the policies and procedures set forth above, and any disciplinary action taken against any of Firm's Supervised Persons as a consequence of such violations.
We hope you find this information helpful.
Tamara K. Salmon
Associate General Counsel
Notes
[1] The respondents in these actions are, in alphabetical order: Barclays Capital Inc.; BofA Securities Inc. together with Merrill Lynch, Pierce, Fenner & Smith, Inc.; Cantor Fitzgerald & Co.; Citigroup Global Markets Inc.; Credit Suisse Securities (USA) LLC; Deutsche Bank Securities Inc. together with DWS Distributors Inc. and DWS Investment Management Americas Inc.; Goldman Sachs & Co. LLC; Jefferies LLC; Morgan Stanley & Co. together with Morgan Stanley Smith Barney LLC; Nomura Securities International; and UBS Securities LLC together with UBS Financial Services Inc. The case involving Deutsche Bank Securities included the firm's associated investment adviser.
[2] The SEC's press release announcing these enforcement proceedings is available at https://www.sec.gov/news/press-release/2022-174. The press release includes a link to each order issued by the SEC in this matter. These actions, including the sanctions imposed, are reminiscent of the enforcement proceeding the SEC brought against J.P. Morgan Securities in December 2021 for similar violations. See In the Matter of J.P. Morgan Securities, LLC, SEC Administrative Proceeding File No. 3-20681 (December 17, 2021) (the "Order"), which is available at: https://www.sec.gov/litigation/admin/2021/34-93807.pdf?utm_medium=email&utm_source=govdelivery as well as ICI Memorandum No. 33965 (December 17, 2021), which summarized the SEC's case against J.P. Morgan, available at: https://www.ici.org/memo33965.
[3] It is not obvious from the orders why these three firms' fines were less than those imposed on the other firms.
[4] See "CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods," CFTC Press Release No. 8599-22 (September 27, 2022), which is available at: https://www.cftc.gov/PressRoom/PressReleases/8599-22.