SEC’s Grewal: Expect tough penalties and continued focus on recordkeeping

The SEC brought 784 enforcement actions last year; enforcement director Grewal says the off-channel comms ones go to the heart of his agency’s ability to perform its overseer role.

In this weekend’s WSJ, Mengqi Sun spoke with Gurbir Grewal, the SEC’s enforcement division director. Director Grewal talked about his agency’s tough penalties, especially those against repeat offenders. He also specifically brought up his agency’s record fines, levied since December 2021, against 40 firms for their failures to maintain and preserve electronic communications.

Record number of penalties overall

Director Grewal said that when he joined the SEC, he had promised to increase enforcement and try to create a deterrent effect by focusing on penalties, especially those against recidivists. And he asserted that the numbers suggest that this strategy is working.

Under his leadership, the securities industry watchdog imposed financial remedies of about $5 billion through 784 enforcement actions, second only to the record set the year before at $6.44 billion in money penalties.

“There was a conscious effort over the last two years to make sure the penalties we were seeking were having that deterrent effect,” he said, also indicating that they needed to be more than just the cost of doing business. He stated that he wants his agency to continue shaping penalties around registered entities’ cooperation and compliance program remediation efforts.

Grewal then discussed with Ms. Sun the next stage in recordkeeping violations enforcement associated with the use of off-channel apps – an area in which over $15 billion in fines have been assessed against dozens of firms.

Retaining records, cultural issues

Speaking of these cases in which the SEC charged firms for not having properly stored records of their off-channel communications (such as those using WhatsApp and Signal), Director Grewal went back to a point he has reiterated all along. The whole reason his agency cares so much about these records is because it cannot properly do its job investigating businesses if it does not have access to the firm’s records, including these types of business-related communications.

“We went to a party in a case asking for certain documents, [and] they didn’t have the documents for us. And we went to a counterparty to deal with that broker-dealer, [and] they produced the off-channel communications,” he said.

This indicated to the SEC that the broker-dealer firm it had first approached had a problem with not retaining these records, and Grewal said that it “was more than a technical problem”; rather, it was “a cultural problem that the tone at the top was such that you had senior folks directing subordinates to deliberately move communications off-channel.”

Grewal said that this has all changed as a result of the SEC’s robust actions, and he described the change as “impacting positive behavior in the markets.” He assured critics of the SEC’s approach in these cases that his agency is not talking about collecting communications regarding people making lunch plans; he said they are focused on communications related to the business, the types of records that SEC rules already tell businesses they must keep.

If those records are preserved, as the rules instruct, then the agency can efficiently piece together what has happened in some matter it’s investigating, he said. And then no one can hide any malfeasance simply by using ephemeral or off-channel communication tools.

What’s next for off-channel comms enforcement?

In answer to Sun’s question about next steps, Grewal said he hopes businesses and their leaders have gotten the message, and he believes that they have, because their policies and procedures have so clearly changed. “[A]nd the tools that folks are using have changed, and there has been self-reporting. So I don’t expect [enforcement] to continue at the same pace,” he said.

“Having said that … exams have made this a priority,” he reminded readers and indicated that investigation and enforcement “will continue with respect to those businesses that have not changed their policies and procedures or otherwise addressed the issue. And in those cases, the penalties may even be higher because I think now, having been on notice, you’re in a different boat. If we go out with document requests and we see the types of gaps that we saw that precipitated all these cases, I think we would make recommendations for more severe fines and penalties.”

And what’s next with crypto?

Sun also asked Director Grewal about the SEC’s enforcement posture toward cryptocurrency as we head into the new year, and Grewal responded by saying that Chair Gary Gensler has made it clear that due to the “tremendous amount of noncompliance in this space, if folks don’t come into compliance, we’ll use all the tools that we have to make sure they’re held accountable.”

He pointed out that robust action has been evident over the last fiscal year, as the SEC brought a number of “really impactful matters in the crypto space against crypto intermediaries.”

“Crypto intermediaries – to the extent they continue to commingle these functions under one roof – remain a priority for the Commission, and you could expect to see us continue to be active in that space.”

Author’s note

In September 2022, the SEC announced the imposition of over $1.1b in penalties on over a dozen financial institutions resulting from their failure to implement and maintain proper controls over business-related communications, including those conducted over “off-channel” media. A number of cases — with a number of businesses charged at one time — followed in 2023. But the SEC was not the only concerned enforcement agency levying fines and speaking out about this issue.

That same month, Deputy Attorney General Lisa Monaco issued a directive at the US DOJ to study corporate best practices regarding the use of personal devices and third-party messaging platforms, including ephemeral and encrypted messaging. Continuing this trend — and in response to Monaco’s directive — the DOJ issued updated guidance on the evaluation of corporate compliance programs in March 2023 in which employees’ use of such electronic messaging was specifically highlighted as a factor for consideration by prosecutors.

Notably, DOJ’s new guidance specifically directs prosecutors to understand at a granular level “how does [the use of ephemeral messaging] vary by jurisdiction and business function, and why,” and what precise “preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each.”

It is worth asking whether the questions in the DOJ’s guidance (and the points made in the SEC’s publications and enforcement decisions on the topic) are ones your company is equipped to answer in a timely and comprehensive way. If not, it may be time to conduct a targeted risk assessment by examining your corporate policies, employee practices, recordkeeping tech tools, and compliance training – and time to hold senior personnel accountable for leading by example – to help limit well-publicized fines and potential liability. This is true for all of the record-retention requirements of the global jurisdictions in which you operate.

And after these off-channel communications and attendant recordkeeping policies and procedures are reviewed and updated, Director Grewal has some further pointed advice, gleaned from a speech in October: “What these actions make clear is that adopting the policies is just the first step, not the last. Through leadership, training, constant oversight and the right tone at the top, you need to ensure that the policies are actually implemented and followed.”