The finance sector’s $2.5 billion communications compliance crisis

If the JPMorgan comms fine was supposed to be a wake-up call, financial services has slept through the alarm. We assess a problem that is not going away.

In December 2021, JPMorgan was fined $125m by the SEC and $75m by the CFTC for failing to maintain and preserve electronic records and for failing to reasonably supervise with a view to preventing and detecting those failures.

In September 2022, 15 Wall Street firms admitted to wrongdoing and agreed to pay penalties totaling more than $1.1b for recordkeeping failures. The recordkeeping requirements that were found to be circumscribed in these enforcement orders were described as “sacrosanct” by SEC officials in their announcement of the fines they brought – penalties they meted out along with the CFTC.

And in October 2022, the SEC issued amendments to broker-dealers’ recordkeeping requirements designed to modernize the process in the light of technological change.

More recently, in May of this year, the SEC brought charges against HSBC Securities USA Inc and Scotia Capital USA Inc for the same lapses, with the Commodity Futures Trading Commission (CFTC) bringing its own claims against the latter firm.

And in early August, US regulators announced a further $549m in penalties against 11 large financial services firms for similar offenses, bringing the total fines for communications compliance breaches issued by the SEC to $1.5 billion and the CFTC to over $1 billion. 

Action in US and UK

In the same month, in the UK, financial regulators were left looking flat-footed when energy regulator Ofgem issued the first UK fine for failing to keep records of trading communications – it imposed a £5.41m ($6.89m) penalty on Morgan Stanley.

The financial services industry is being pummelled left and right by the regulators on this one issue. If you thought it was dealing with its communications problem, you’d be wrong.

That “lessons-not-learned” aspect was on display in late August when the CFTC charged Goldman Sachs for not effectively retaining audio recordings over the course of several years, after being charged with the same rule violations in 2019.

Who has been fined and how much

Here’s a list of the institutions fined for recordkeeping failures involving at least some combination of texts, WhatsApp messages, and audio files, if not other communications formats, since the JPMorgan fine was reported as a wakeup call:

InstitutionFine ($)
Bank of America  100,000,000
Bank of America Securities  125,000,000
Bank of Montreal  35,000,000
Bank of Nova Scotia  15,000,000
Barclays  75,000,000
Barclays Capital Inc  125,000,000
BMO Capital Markets Corp  25,000,000
BNP Paribas  75,000,000
BNP Paribas Securities Corp  35,000,000
Cantor Fitzgerald  16,000,000
Citi  75,000,000
Citigroup Financial Markets  125,000,000
Credit Suisse  75,000,000
Credit Suisse Securities USA  125,000,000
Deutsche Bank  75,000,000
Deutsche Bank Securities  125,000,000
Goldman Sachs  205,500,000
Houlihan Lokey Capital  15,000,000
HSBC  75,000,000*
HSBC Securities USA  15,000,000
Jefferies  80,000,000
Mizuho Securities USA LLC  25,000,000
Moelis & Company LLC  10,000,000
Morgan Stanley  206,800,000
Nomura  50,000,000
Nomura Securities International  50,000,000
SG Americas Securities  35,000,000
SMBC Nikko Securities America  9,000,000
Scotia Capital USA  7,500,000
Société Générale  75,000,000
UBS  75,000,000
UBS Securities  125,000,000
Wedbush Securities  10,000,000
Wells Fargo  200,000,000

* Includes fines for related offences

And here’s the full list of actions brought by the SEC, CFTC and the UK’s Ofgem.

Sept 2022CFTC fines of $710m on 11 institutions
Sept 2022SEC fines of $1.1 billon on 16 institutions
May 2023CFTC fine of $15m on Bank of Nova Scotia
May 2023SEC fines of $22.5m against two firms
May 2023CFTC fine of $30m on HSBC
May 2023CFTC fine of $45m on HSBC for offences including failures around mobile device recordkeeping
August 2023SEC fines of $289m on 11 institutions
August 2023CFTC fines of $260m on four institutions
August 2023CFTC fines of $5.5m Goldman Sachs for failure to preserve audio recordings during pandemic
August 2023Ofgem fines of $6.8m on Morgan Stanley for comms recordkeeping failure

The CEO of Global Relay, Warren Roy, said this to GRIP in January: “We called it a ‘grey area’ – a strata of unregulated communications that tied together the whole financial world. We knew this chicken was coming home to roost. And it did in the shape of the JPMorgan fine.”

Regulators show angst

CFTC Commissioner Christy Goldsmith Romero did not hold back in her statement on August 8 when her agency charged four of those financial services firms for recordkeeping lapses pertaining to business-related communications that involved some senior-level executives.

CFTC Commissioner Christy Goldsmith Romero
Photo: CFTC

Romero said her agency was hereby “sending a strong message” and that “the illegality the CFTC found in all of these cases was disturbingly widespread, evasive, conducted by senior officials as well as those responsible for compliance, and a clear violation of the law and internal bank policies.”

She said that, “based on the serious threat that unauthorized communications platforms pose to market integrity, the CFTC is requiring an admission of wrongdoing as part of these settlements.” And she went on to press her view that “deterrence can be achieved from a defendant having to admit wrongdoing, combined with a penalty.”

“Wall Street institutions do not get to keep regulators in the dark while enjoying all of the benefits of being a regulated entity in US financial markets.”

Christy Goldsmith Romero, Commissioner, CFTC

Romero has had the issue in her sights for some time, saying last September: “Wall Street institutions do not get to keep regulators in the dark while enjoying all of the benefits of being a regulated entity in US financial markets.”

Will Romero’s agency and the SEC continue to compel an acceptance of wrongdoing, and is there a down side to requiring accountability in a settlement?

Janaya Moscony, president of SEC3 Compliance Consultants, says such a requirement could increase the risk of more litigation and fewer settlements. “Firms aren’t always willing to open themselves to the additional risks that come with taking accountability in a settlement and might go with the risk of being sued,” she said.

Communication platforms

To be sure, no one is questioning the use of most of these communication platforms to conduct business – certain apps notwithstanding – as they have made transacting business more expedient and efficient. If you’re over the age of 40, you will remember a time when doing business while driving in a car was not a “thing”. Today, you can do just that, work from home, work from your favourite coffee shop, all while instantly sending documents and meeting with 25 people for 10 important minutes. (Some newer car technology can also store and record data, just to make this whole discussion more complex.)

Chip Jones
Photo: GR

But every piece of technological advancement brings with it certain risks and a need for certain guardrails, even while embracing its further development.

US Securities and Exchange Commissioner Hester Peirce said in a podcast interview with GRIP in early August that technology has great promise for the financial services industry, albeit with limitations and challenges.

“What regulators are now saying is implement a solution, because at least then you are offering financial professionals a compliant alternative.”

Chip Jones, VP Compliance, Global Relay

“We’ve seen recent cases in which people are using off-channel communications in ways that were not possible before. We need to encourage them to use tools to help them do their jobs better. Part of that, when you use a new tool, is to think of its limitations and its potential challenges that you need to compensate for in some other way,” she said.

Global Relay’s executive Vice President of Compliance, Chip Jones (and former senior VP for Member Relations and Education at the Financial Industry Regulatory Authority) said there is no doubt that regulators realize this is not an easy practice to prevent. 

“What regulators are now saying is implement a solution, because at least then you are offering financial professionals a compliant alternative. Regulators also want to see firms implement educational sessions for their financial professionals around the topic,” he said.

Training may be missing link

Training could be a part of the missing link, actually. A couple of the cases noted above involved the archiving technology not working as it needed to – but, worse, people not promptly noticing it. This is something that regulators take a very dim view of, hence, for example, higher fines for infractions where it was only a regulatory investigation, rather than self-reporting, that led to remedial action.

The great thing about technology is its ability to use abundant data and allows us to do something quickly with it, which leads to gains in efficiency and productivity. The worst thing about it is its ability to use abundant data and do something quickly with it, but in a way that was not intended.

It might be that people need more training on the communication and storage tech tools – or a primer on the importance of and reasons why these recordkeeping obligations exist. Or both.

It’s up to executive leadership to appreciate the need for the education element and to prioritize compliance here, setting a tone for the rest of management to convey to the employee base.

“Firms need to specifically task personnel with responsibility for setting policy, communicate that policy to all staff, and ensure the policy is enforced.”

Howard Fischer, partner, Moses Singer

Howard Fischer, a partner at Moses Singer in New York and a former staff attorney at the SEC, agrees that businesses need to specifically plan out their approach to these communication and recordkeeping mandates and acknowledge the regulators’ lack of patience in this arena.

“To avoid being the next target, firms need to specifically task personnel with responsibility for setting policy, communicate that policy to all staff, and ensure the policy is enforced and that all relevant records are collected and preserved,” he said.

He said to criticize these settlements as a way for financial regulators to achieve public relations wins without there being evidence of fraudulent intent or harm to customers is to mischaracterize the thrust of these enforcement actions. “The cases go to the heart of the regulators’ ability to monitor financial services firms,” he said.

Personal devices, remote work, uncomfortable questions

Remember when a good number of businesses gave employees work-issued phones?

Rob Mason, Global Relay’s Regulatory Intelligence Director, wonders if the trend of having employees use their personal devices was not as well-thought-out as it could have been.

“All the banks elected to turn away from bank-issued devices (Blackberrys usually) as a reduction in cost play. This has proven to be a decision which was not thought through and the compliance implications not properly considered. Many are now needing to perform U-turns, which has obvious cost implications as well as makes the decision makers look incompetent,” he said.

The remote and hybrid work environments might be exacerbating the challenges, but they are not insurmountable.

“What devices and apps are you using with clients, how are you capturing them, and can you show me?”

Bradley Mirkin, Managing Director, Berkeley Research Group

“Right now, there is a greater onus on compliance departments to minimize the risk that they are not seeing 100% of employees’ work-related electronic communications. That takes proactive steps, and sometimes, compliance and supervisors asking unpleasant questions about the use of personal devices and apps. But that is what is needed here,” said Bradley Mirkin, managing director for Berkeley Research Group.

“Unfortunately, those are skills that are often ignored in hiring, training, reviews, and other employee evaluations,” he said. Being able to ask those compliance-related queries – “what devices and apps are you using with clients, how are you capturing them, and can you show me?” – are compliance skills that are more critical than ever.

The human dynamics here are being underappreciated, Mirkin thinks, and he advises compliance professionals to keep those aspects in mind and be proactive rather than reactive.

Prepare now

“Firms should incorporate robust policies and procedures – and implement effective compliance and technological tools – to ensure that they are capturing and retaining business communications and are otherwise satisfying their books and records obligations,” said Ghillaine Reid, co-lead of Troutman Pepper’s Securities Investigations & Enforcement Practice in New York.

It’s the responsibility of financial institutions to ensure business-related communication occurs only through approved and supervised channels and to demonstrate they continuously reminded employees of this policy, and that reviewing communications was part of their supervision protocols.

When you get right down to it, this is not some external threat to the organization that is hard to detect or foresee. It is the nuts and bolts of internal oversight and enforcement, and nothing that the regulators are saying suggests that their enforcement actions are going to get more forgiving.

With that said, regulators are willing to call out and award cooperation credit here. In the late September 2023 round-up of cases for such recordkeeping lapses, the Grewal noted about one of the six businesses being charged: “One of the orders included in today’s announced actions is not like the others. There are real benefits to self-reporting, remediating and cooperating”, he said. This was the SEC’s lowest off-channel communications civil penalty to date, $2.5m, against a family of firms that self-reported off-channel communications. Other firms in this and other orders have settled for penalties ranging from $7.5m to $125m.

Since the regulators’ disappointment with the lack of action by firms is palpable, as are their consistent approaches to bringing enforcement actions and instituting fines, businesses should preparing for a rigorous review of their recordkeeping practices.

These actions may well lead to even more robust regulatory responses – to ensure that the fines are not simply viewed as the cost of doing business by offending institutions and that these compliance procedures are ingrained in the institutions. The regulators’ disappointment with the lack of action by firms is palpable, as are their consistent approaches to bringing enforcement actions and instituting fines, businesses should prepare for a rigorous review of their recordkeeping practices.

Beyond policies and procedures, registrants should consider providing employee training on off-channel communications. This could include attestations at the commencement of employment and regularly thereafter that employees understand the business’s policies.

The SEC’s focus on “widespread failure in implementing” recordkeeping policies means that businesses should take care to ensure “individuals charged with supervising employees to prevent this misconduct” are themselves understand and are adhering to recordkeeping policies and requirements.

And any surveillance of electronic communications within the business must capture the entire universe of relevant records, so platforms used for videoconferencing or collaborative work must be closely monitored if they contain chat capabilities – which themselves should be surveilled and retained.