Much like the old maxim about London buses, if you wait long enough for a regulatory enforcement on recordkeeping breaches, two come along at once. On 29th August, 2023, the Securities and Exchange Commission (SEC) released details of charges against Citigroup Global Markets Inc. On the same day, the Commodity Futures Trading Commission (CFTC) announced that Goldman Sachs was to pay a $5.5million settlement. Both actions were the result of failures to keep on the right side of regulatory recordkeeping obligations.
Underwriting under the radar
The SEC’s cease-and-desist proceedings against Citigroup Global Markets Inc. (CGMI) related to the firm “wilfully violating recordkeeping requirements concerning expenses that the firm incurred in connection with its underwriting business”. The SEC’s investigation found that, from “at least” 2009 through to May 2019, CGMI used an unverified method to “calculate and record indirect expenses associated with its work as an underwriter”.
For over a decade, the firm could not explain the basis of this calculation method, and – as if to double down and compound the non-compliance – CGMI failed to conduct a review to verify that this method was compliant or reasonable.
Federal securities laws require that broker-dealers like CGMI keep current books and records, including ledgers, that reflect all assets and liabilities. By failing to do so, the CGMI violated Section 17(a) of the Exchange Act and Rule 17a-3 of the same. While CGMI did not admit to or deny the SEC findings, it consented to the cease-and-desist order, a censure, and a fine of $2.9 million.
The SEC has been steadily stepping up its focus on recordkeeping requirements, bringing its regulations into the digital age to ensure compliance is evolving in step with technology. The fact that this infraction took place over such a considerable timescale is concerning, and the summary statement from Sanjay Wadhwa, Deputy Director of the SEC’s Division of Enforcement, leaves no room for doubt as to the importance of recordkeeping to the regulatory agenda:
“Recordkeeping failures such as these, perpetuated over at least a decade, can undermine the viability of those functions. The SEC will continue to vigorously enforce the books and records provisions of the federal securities laws, which are crucial to well-functioning markets.”
Phoning in communications capture
While the SEC was tangling with Citigroup over recordkeeping, the CFTC was leveling charges against Goldman Sachs & Co. for failures of its own. The CFTC order found that Goldman Sachs “committed recordkeeping violations in connection with its failure to properly record and retain certain audio files”.
From March, 2020, Goldman employed a vendor service to record and archive calls made on mobile devices. An increase in the use of the vendor’s services coinciding with the increase of mobile device use during the pandemic led to a rise in instances of failure in the vendor’s hardware. This resulted in Goldman failing to fully record or retain data for thousands of mobile device calls – meaning regulators would have had no access to these records if required.
Also beginning in March, 2020, Goldman employed a different vendor to leverage their software to replicate a “hard-wired trading turret” (a specialized tool used to facilitate trading) digitally. Several months later, in May, 2020, Goldman discovered an issue with the software where the system failed to record audio for some calls, once again leaving the firm unable to properly record and retain thousands of calls and records. These two failures resulted in the CFTC charges and a penalty of $5.5 million.
Stuck on repeat
The CFTC action against Goldman Sachs highlights that not only did the recordkeeping failures in 2020 break regulations by themselves, the incidences also broke a previous cease and desist order issued in 2019 for – you guessed it – recordkeeping failures.
In that case it was found that Goldman “failed to record the phone lines of a trading and sales desk for 20 calendar days in January and February 2014”, due to a malfunction in recording hardware after a software update. Goldman only noticed the issue three weeks later when checking an unrelated system. In his summary of the case, then-Enforcement Director James McDonald stated:
“Registrants must comply with the Commission’s recordkeeping requirements … When they do not, we are committed to holding them accountable. This action reinforces the critical importance of recordkeeping requirements to the CFTC’s enforcement mission.”
The 2019 ruling, which resulted in a civil penalty of $1 million, included a cease and desist term that Goldman fell foul of with its infractions in 2020. With the initial recordkeeping failures taking place in 2014, it raises questions around why the firm has seemed unable to learn from it mistakes 6 years on. Ian McGinley, current CFTC Director of Enforcement, referenced Goldman’s breach of the previous cease and desist order in his comment on the most recent case, also explaining that the higher penalty was a direct result of the repeated failures:
“As this case demonstrates, the CFTC will continuously pursue swap dealers that fail to meet their recording obligations and there will be consequences for violating CFTC orders, including increased penalties. We are committed to holding swap dealers accountable when they fail to comply with their regulatory obligations and fail to abide by obligations imposed by prior CFTC orders.”
(Record)keeping it under control
The regulatory agenda around recordkeeping has been clearly set out by these cases, as well as several other recent high profile actions, such as J.P. Morgan’s deletion of 47 million communications. The SEC summary of that case states:
“Because the deleted records are unrecoverable, it is unknown – and unknowable – how the lost records may have affected the regulatory investigations.”
This is the heart of why good, compliant recordkeeping practice is so vital – regulators can’t regulate what they can’t see, and firms depriving them of records (purposefully or accidentally) limits the ability of regulators to do their jobs effectively. While even the regulators themselves don’t always get it right, with the tone becoming one of ‘zero-tolerance’ around non-compliance and the culture enabling it, firms need to ensure their recordkeeping is by the book.