Advisories August 23, 2024

Investment Funds / Privacy, Cyber & Data Strategy / White Collar Advisory: SEC and CFTC Rake In $474 Million in Fines for Off-Channel Communications, Rewarding Registrants That Self-Disclosed

Executive Summary
Minute Read
Two and a half years after the first major settlement with some of the world’s largest financial institutions, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) persist in their campaign against using off-channel communications. Our Investment Funds, Privacy, Cyber & Data Strategy, and White Collar, Government & Internal Investigations Groups unpack the latest enforcement actions, including how the agencies are looking for substantial settlements from smaller registrants.
  • The current settled enforcement actions against 26 investment advisers and broker-dealers resulted in over $474 million in fines, ranging from $400,000 to $75 million
  • The SEC and CFTC rewarded those who self-reported and then cooperated
  • The SEC and CFTC are cracking down on smaller registrants, including investment advisers with less than $2 billion in assets under management
  • Firms should not expect to emerge from regulatory scrutiny without in-network communications compliance

In an August 14, 2024 press release, the Securities and Exchange Commission (SEC) announced enforcement actions against 26 broker-dealers and investment advisers for what the SEC described as “widespread and longstanding failures by the firms and their personnel to maintain and preserve electronic communications.” In separate press releases, the CFTC announced related enforcement actions. These settled actions included fines ranging from $400,000 to $75 million, as well as remedial measures like the retention of an independent compliance consultant, mandatory reporting of any disciplinary actions related to the use of personal messaging platforms, and review of employee communications as a regular internal audit item.

These settlements are the latest in the SEC’s and the CFTC’s sprawling investigation of registrant use of off-network communications, which has included enforcement actions against 56 other firms over the past 36 months. We discussed them in previous client updates on March 16, 2022, October 4, 2022, and October 12, 2023.

Key Takeaways

It starts at the top

As with prior settlements, pervasive principal and supervisor use of off-channel electronic communications was an aggravating factor.  The SEC noted in its press release that the violations “involved personnel at multiple levels of authority, including supervisors and senior managers.”

SEC and CFTC reward those who self-report

Of the 26 firms that were fined, three took remedial steps in addressing violations and self-reported to the SEC. In particular, the SEC highlighted the following corrective actions, all of which began before self-reporting to the SEC:

  • Issuing firm-owned devices to customer-facing or client-facing personnel.
  • Strengthening self-policing procedures by making investments in new technologies to improve surveillance efforts and enhance internal certifications.
  • Conducting trainings and sending firmwide reminders that emphasized the importance of complying with recordkeeping obligations.
  • Taking proactive steps to onboard and preserve off-channel communications.
These firms were able to settle for “significantly lower civil penalties than they would have otherwise,” including fines of just 10% of the monetary penalties paid by comparable firms.
Similarly, the CFTC noted that registrants that self-report, cooperate, remediate, and hold themselves accountable will “benefit in the form of a substantially reduced penalty.”

Scrutiny of smaller registrants

As part of its initial sweep in September 2022, the SEC announced settlements totaling $1.1 billion against 15 large broker-dealers and one affiliated investment adviser. Since that time, the SEC and the CFTC have brought similar actions against ever smaller registrants, including, in this most recent sweep, investment advisers with less than $2 billion in assets under management. We expect the enforcement trend to continue against increasingly smaller independent investment advisers and broker-dealers.

Monitoring for the most egregious violations

In addition to paying penalties, the most significant violators in the current round of settlements have also agreed to engage, at their sole expense, independent compliance consultants to prepare a comprehensive review of firm policies, procedures, technology, and supervisory and surveillance mechanisms related to the preservation of electronic communications pursuant to Rule 17a-4(b)(4) of the Exchange Act and Rule 204-2(a)(7) of the Advisers Act (as applicable). These consultants are expected to issue a report of their findings and recommendations for changes and improvements to the firms’ policies and procedures. Bringing in independent compliance consultants was included as a settlement term even for the three firms that started a robust program of remediation before approaching the SEC and the CFTC.

Continued vigilance and self-reporting

Registered firms should anticipate continued and aggressive SEC and CFTC scrutiny of their off-channel business communication policies and should expect that such interest will be a routine feature of regulatory examinations—and, potentially, whistleblower referrals, given the size of the penalties collected by the SEC and the CFTC—moving forward. Registrants should consider the following steps:
  • Review existing policy enforcement mechanisms that enable the firm to assess compliance with its policies and procedures and to provide the basis for sanctions where appropriate.
  • Review employee training modules, including the assessment of whether employees understand and have attested to their understanding of firm policy.
  • Test the firm’s capacity for archiving, surveilling, and complying with the stated policies and procedures.
  • Review current technical solutions to confirm they are reasonable and appropriate.
  • Ensure that supervisors and management lead by example and do not use or respond to off-channel business communications, even from coworkers.
  • Use a risk-based approach to identify those functions or personnel whose messaging communications may present a heightened compliance risk to the enterprise and improve procedures to mitigate the risk.
  • Issue firm-owned devices to customer-facing or client-facing personnel.
  • Strengthen self-policing procedures by investing in new technologies to sharpen surveillance efforts and improve internal certifications.
  • Conduct trainings and send firmwide reminders that emphasize the importance of complying with recordkeeping obligations.
  • Take proactive steps to onboard and preserve off-channel communications.

If off-channel communications are pervasive, firms should swiftly implement remedial efforts. Given the materially lower penalties that self-reporting firms paid in fines to the SEC and CFTC, firms should consider the potential benefits of self-reporting to and proactively cooperating with these agencies to minimize regulatory exposure.


You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

If you have any questions, or would like additional information, please contact one of the attorneys on our Investment Funds Teamone of the attorneys on our Privacy, Cyber & Data Strategy Team, or one of the attorneys with our White Collar, Government & Internal Investigations Team.

Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.