U.S. capital markets regulators crack down on recordkeeping and unapproved communication methods

Mail with Security Lock

The pervasiveness of alternative modes of recorded communication has raised challenges for firms to meet their obligations to preserve and maintain employee communications as business records. Use of applications such as WhatsApp, Slack, Signal, Zoom, Microsoft Teams, SMS and Webex has become commonplace in the broker-dealer and trader communities, particularly since the onset of the COVID-19 pandemic. Use of communications applications like these has recently been front and centre in regulatory enforcement proceedings in the United States, and Canadian capital markets regulators have likely identified similar issues.

Last fall, the Securities and Exchange Commission (the SEC) voted to adopt certain electronic recordkeeping rule amendments designed to modernize recordkeeping requirements in light of technological changes over the past two decades.[1] This vote came shortly after several enforcement proceedings that resulted in notable penalties for recordkeeping failures. More specifically, more than a dozen major Wall Street firms agreed to pay U.S. federal regulators nearly $2 billion in penalties for recordkeeping failures related to their employees’ use of unauthorized messaging applications. These enforcement actions came less than a year after a broker-dealer subsidiary of a major U.S. financial institution agreed to pay $200 million for similar recordkeeping lapses.[2]

The rule amendments

On October 12, 2022, the SEC voted to adopt rule amendments to the electronic recordkeeping, prompt production of records, and third-party recordkeeping service requirements applicable to broker-dealers, security-based swap dealers and major security-based swap participants.[3] SEC Chair Gary Gensler wrote:

I am pleased to support these rule amendments because, if adopted, these updates would bring the Commission’s electronic recordkeeping requirements [for intermediaries such as broker-dealers and security-based swap dealers] in line with technological innovation… Since the 1930s, recordkeeping obligations have been vital to maintain market integrity and the Securities and Exchange Commission’s work as the cop on the beat… Today’s rule amendments would facilitate the SEC’s ability to examine and inspect records consistent with modern technology… They would enhance the Commission’s ability to preserve market integrity. That helps protect investors.[4]

The rule amendments include an audit-trail alternative to the previous requirement for firms to preserve electronic records exclusively in a non-rewriteable, non-erasable format. The audit-trail alternative will mean that firms can preserve records in a manner that permits the recreation of an original record if it is altered, overwritten or erased. This is intended to provide broker-dealers with greater flexibility in configuring their electronic recordkeeping systems while simultaneously protecting the authenticity and reliability of original records.[5] 

According to the SEC’s press release, the compliance dates for the new requirements related to the rule amendments to electronic recordkeeping will be six months after publication in the Federal Register (May 3, 2023) for broker-dealers and 12 months (November 3, 2023) in the case of security-based swap dealers and major security-based swap participants.[6] The adopting release was published in the Federal Register on November 3, 2022,[7] and amendments became effective 60 days later, on January 3, 2023.

Enforcement proceedings resulting in penalties

Following proceedings, on September 27, 2022, the SEC and the Commodity Futures Trading Commission (the CFTC) announced a combined $1.8 billion in fines settling charges against approximately a dozen Wall Street firms for failing to maintain and preserve electronic communications.[8] According to the regulators, these actions — namely, the failure to reasonably supervise their employees’ use of unauthorized messaging applications — violate U.S. federal law, which requires broker-dealers and other financial institutions to preserve business communications. According to the SEC, the “off-channel communications” dated back to at least 2018 and involved business communications that were not preserved or maintained.

Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said, “Today’s actions — both in terms of the firms involved and the size of the penalties ordered — underscore the importance of recordkeeping requirements: they’re sacrosanct. If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened.”

“The [CFTC’s] recordkeeping and supervision requirements ensure the safety and integrity of the U.S. derivatives markets and protect customers and market participants,” said Chairman Rostin Behnam. “As demonstrated today, the Commission will vigorously pursue registrants who fail to comply with their core regulatory obligations and hold them accountable.”

According to the SEC and CFTC, in addition to payment of monetary fines, the firms agreed to engage in specified remedial undertakings, including, for example, retaining compliance consultants to conduct comprehensive reviews of their policies and procedures relating to the retention of electronic communications found on personal devices and their respective frameworks for addressing non-compliance by their employees.[9]

Key takeaways

The SEC and CFTC have made it clear that there is no ambiguity around their dedication to enforcing and prosecuting recordkeeping failures and the use of unapproved communication methods. CFTC Commissioner Kristin N. Johnson indicated in her statement on September 27, 2022, that firms must address operational challenges related to evolving technology, and that internal controls must be adopted that are consistent with the new landscape.[10]

In Ontario, the current guidance (OSC Staff Notice 15-708 Enforcement Branch Document Production Guidance [PDF], dated July 22, 2021) does not specify other messaging communications applications beyond emails and text messages.[11] It will be interesting to see how Canadian regulators respond to their American counterparts’ recent crackdown on recordkeeping failures and use of unapproved communication methods.

The rule amendments — as well as the SEC and CFTC orders — signal the importance of firms maintaining, updating or developing strong and enforceable internal policies that prohibit the use of non-approved communications systems, as well as policies and related training outlining how to maintain and preserve communications when using mobile devices and personal phones. More specifically, companies with operations in the U.S. and Canada should

  • ensure that there are policies in place related to communications, as well as procedures to ensure that all communications that must be preserved are flagged
  • be committed to ongoing reporting, supervision and auditing controls to ensure compliance with federal rules and the expectations of the SEC and CFTC
  • be aware of the amendments to the SEC’s recordkeeping rules and ensure they are compliant by the relevant dates in 2023 described above to the extent they are applicable
  • draft, revise or refine internal policies to include oversight and assessment of how new technological solutions are implemented and what communications platforms are acceptable for business communications
  • update the training provided to employees to shift away from the use of unauthorized messaging platforms
  • review and refine measures in place to track employees
  • create and maintain a culture of compliance with adoption at all levels of an organization, where senior staff lead by example

[2] J.P. Morgan agreed to pay a $125-million penalty to the SEC and $75 million to the CFTC in penalties, as well as to implement robust improvements to its compliance policies and procedures.