HSBC and Scotia Capital charged for off-channel comms recordkeeping failures

SEC and CFTC charge HSBC and Scotia Capital with recordkeeping failures involving off-channel comms.

The SEC yesterday charged HSBC Securities USA Inc and Scotia Capital USA Inc for failures by both firms and their employees to maintain and preserve electronic communications, including failing to reasonably supervise with a view to preventing and detecting those failures.

The Commodity Futures Trading Commission (CFTC) also charged The Bank of Nova Scotia (BNS), a provisionally registered swap dealer, and Scotia Capital, a futures commission merchant, with violating CFTC recordkeeping requirements and failing to supervise matters related to their businesses as CFTC registrants.

To settle the charges, HSBC and Scotia acknowledged that their conduct violated recordkeeping provisions of the federal securities laws and agreed to pay penalties of $15m and $7.5m, respectively, to satisfy both agencies’ orders. They also agreed to undertake specific remedial policy and procedure measures, including retaining a compliance consultant.

Both HSBC and Scotia Capital self-reported and self-remediated their recordkeeping violations and received cooperation credit and reduced penalties to reflect their efforts in assisting both US agencies.

“As we continue our efforts to ensure compliance with the Commission’s essential recordkeeping requirements, we encourage other firms to take note and likewise self-report,” said Gurbir S Grewal, Director of the SEC’s Division of Enforcement.

Findings from the SEC’s investigation

As described in the SEC’s orders, the firms admitted that their employees often communicated “off-channel” about securities business matters on their personal devices, using messaging platforms such as WhatsApp. Neither firm maintained or preserved the substantial majority of these communications, in violation of the federal securities laws. The failings involved employees at multiple levels of authority, including supervisors and senior executives, and the persons involved did not follow the firms’ own policies on these matters.

The employees’ internally approved communications methods were subject to review and, when appropriate, archived. Messages sent for business purposes via personal devices, such as personal emails, texts and chats (so-called “off-channel communication” methods), were not permitted under either business’s policies and were not monitored, subject to review, or archived.

Both firms were charged with violating the recordkeeping provisions of the Securities Exchange Act of 1934, notably Section 17(a) and Rule 17a-4(b)(4), which authorize the SEC to issue rules requiring broker-dealers to make and keep records for prescribed periods and specifically require broker-dealers to preserve originals of all communications received and copies of all communications sent relating to the firm’s business in an easily accessible place. Such records should be able to be produced promptly to agency representatives, as needed.

Compliance program enhancements, other undertakings

The firms agreed to retain compliance consultants to, among other things, conduct comprehensive reviews of their policies and procedures relating to the retention of electronic communications found on personal devices and their respective frameworks for addressing non-compliance by their employees with those policies and procedures.

The consultants at HSBC Securities and Scotia Capital must assess the technological solutions that each business has already begun implementing, both for their effectiveness in meeting regulatory obligations and for the likelihood that employees at these businesses will use them going forward.

Both businesses must also have their internal audit teams conduct a separate audit of certain portions of the undertakings mandated by the agencies, and certify their compliance with the undertakings set forth in the SEC’s and CFTC’s orders.

Companies charged in 2022 for such failures

In September 2022, the SEC announced $1.1bn in fines and the CFTC disclosed $710m in penalties against firms including Bank of America Corp., Citigroup Inc. and Goldman Sachs Group Inc. for the same type of recordkeeping and supervision lapses, with $200m in penalties assessed against JPMorgan Chase & Co. in December 2021.

“As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications,” SEC Chair Gary Gensler said in the agency’s statement in September.