In an August 14, 2024 press release, the Securities and Exchange Commission (SEC) announced enforcement actions against 26 broker-dealers and investment advisers for what the SEC described as “widespread and longstanding failures by the firms and their personnel to maintain and preserve electronic communications.” In separate press releases, the CFTC announced related enforcement actions. These settled actions included fines ranging from $400,000 to $75 million, as well as remedial measures like the retention of an independent compliance consultant, mandatory reporting of any disciplinary actions related to the use of personal messaging platforms, and review of employee communications as a regular internal audit item.
These settlements are the latest in the SEC’s and the CFTC’s sprawling investigation of registrant use of off-network communications, which has included enforcement actions against 56 other firms over the past 36 months. We discussed them in previous client updates on March 16, 2022, October 4, 2022, and October 12, 2023.
Key Takeaways
It starts at the top
As with prior settlements, pervasive principal and supervisor use of off-channel electronic communications was an aggravating factor. The SEC noted in its press release that the violations “involved personnel at multiple levels of authority, including supervisors and senior managers.”
SEC and CFTC reward those who self-report
Of the 26 firms that were fined, three took remedial steps in addressing violations and self-reported to the SEC. In particular, the SEC highlighted the following corrective actions, all of which began before self-reporting to the SEC:
- Issuing firm-owned devices to customer-facing or client-facing personnel.
- Strengthening self-policing procedures by making investments in new technologies to improve surveillance efforts and enhance internal certifications.
- Conducting trainings and sending firmwide reminders that emphasized the importance of complying with recordkeeping obligations.
- Taking proactive steps to onboard and preserve off-channel communications.
Similarly, the CFTC noted that registrants that self-report, cooperate, remediate, and hold themselves accountable will “benefit in the form of a substantially reduced penalty.”
Scrutiny of smaller registrants
As part of its initial sweep in September 2022, the SEC announced settlements totaling $1.1 billion against 15 large broker-dealers and one affiliated investment adviser. Since that time, the SEC and the CFTC have brought similar actions against ever smaller registrants, including, in this most recent sweep, investment advisers with less than $2 billion in assets under management. We expect the enforcement trend to continue against increasingly smaller independent investment advisers and broker-dealers.
Monitoring for the most egregious violations
In addition to paying penalties, the most significant violators in the current round of settlements have also agreed to engage, at their sole expense, independent compliance consultants to prepare a comprehensive review of firm policies, procedures, technology, and supervisory and surveillance mechanisms related to the preservation of electronic communications pursuant to Rule 17a-4(b)(4) of the Exchange Act and Rule 204-2(a)(7) of the Advisers Act (as applicable). These consultants are expected to issue a report of their findings and recommendations for changes and improvements to the firms’ policies and procedures. Bringing in independent compliance consultants was included as a settlement term even for the three firms that started a robust program of remediation before approaching the SEC and the CFTC.
Continued vigilance and self-reporting
Registered firms should anticipate continued and aggressive SEC and CFTC scrutiny of their off-channel business communication policies and should expect that such interest will be a routine feature of regulatory examinations—and, potentially, whistleblower referrals, given the size of the penalties collected by the SEC and the CFTC—moving forward. Registrants should consider the following steps:
- Review existing policy enforcement mechanisms that enable the firm to assess compliance with its policies and procedures and to provide the basis for sanctions where appropriate.
- Review employee training modules, including the assessment of whether employees understand and have attested to their understanding of firm policy.
- Test the firm’s capacity for archiving, surveilling, and complying with the stated policies and procedures.
- Review current technical solutions to confirm they are reasonable and appropriate.
- Ensure that supervisors and management lead by example and do not use or respond to off-channel business communications, even from coworkers.
- Use a risk-based approach to identify those functions or personnel whose messaging communications may present a heightened compliance risk to the enterprise and improve procedures to mitigate the risk.
- Issue firm-owned devices to customer-facing or client-facing personnel.
- Strengthen self-policing procedures by investing in new technologies to sharpen surveillance efforts and improve internal certifications.
- Conduct trainings and send firmwide reminders that emphasize the importance of complying with recordkeeping obligations.
- Take proactive steps to onboard and preserve off-channel communications.
If off-channel communications are pervasive, firms should swiftly implement remedial efforts. Given the materially lower penalties that self-reporting firms paid in fines to the SEC and CFTC, firms should consider the potential benefits of self-reporting to and proactively cooperating with these agencies to minimize regulatory exposure.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.
If you have any questions, or would like additional information, please contact one of the attorneys on our Investment Funds Team, one of the attorneys on our Privacy, Cyber & Data Strategy Team, or one of the attorneys with our White Collar, Government & Internal Investigations Team.