SEC drops 42 cases after record control failures

The SEC has dismissed 42 cases under investigation after it failed to properly manage internal records access procedures and controls.

13 June 2023 5 mins read
by Jennie Clarke

In brief:

  • The SEC has dismissed 42 cases after finding that its “internal systems lacked sufficient safeguards” for certain records
  • Because of these failures, enforcement staff were given access to restricted investigation-related records, which should have been reserved for its internal legal department
  • The SEC “deeply regrets” its internal failings, and is taking steps to remedy them
  • We take a look at key takeaways from the regulator’s own non-compliant action

In 2022, the Securities and Exchange Commission (SEC) issued more than $2 billion in regulatory fines related to recordkeeping failures. The regulator will likely be adopting a ‘do as I say, not as I do’ approach, however, after it transpired that it will dismiss 42 cases because it failed to adequately manage records controls during investigations. The SEC announced on June 2, 2023, that it will be dropping the cases after it was found that enforcement staff had access to restricted materials in their investigations – materials that should have been reserved for its in-house legal division.

Within the SEC, there is – or should be – a clear divide between the records that can be accessed by its enforcement staff, and those that should be reserved for its Office of the General Counsel (OGC). However, it appears that over the course of several years, this divide had fallen away, meaning that restricted information was readily shared across departments.

The “control deficiency” was initially reported by the SEC in April 2022, which noted that “for a period of time, certain databases maintained by our Office of the Secretary” had not been properly configured to restrict employees working within enforcement from accessing materials that had been drafted by Adjudication employees sitting within its OGC. This meant that enforcement staff could access OGC documents, which were often shared among others – making them even more accessible.

On discovering the error in April 2022, the SEC immediately took remedial measures and undertook a “comprehensive internal review to assess the scope and potential impact of the control deficiency”.

In a statement issued on June 2, 2023, the SEC said that in the course of its investigation it had interviewed over 250 current and former staff members and considered more than 500,000 pages of emails and attachments. As a result, it found that the “databases were not configured” to ensure that the division of records was maintained. As such, it was dismissing 42 cases in which these data lines had been crossed.

Practice what you preach

In response to the findings, the SEC issued a remorseful statement in which it said:

“We deeply regret that the agency’s internal systems lacked sufficient safeguards surrounding access to Adjudication memoranda, and we are continuing our work to ensure that, going forward, work product from the Adjudication staff is appropriately safeguarded. We take this lapse in controls very seriously and are committed to both informing the public about the scope of this issue and preventing any similar lapses in the future.”

The case is a reminder that no organization – no matter how noble – is infallible. It would appear that the SEC’s records error persisted for around 5 years without notice. If the tables were turned, there is no doubt the regulator would question how such an error was allowed to persist, unchecked, for a prolonged period of time.

Rather than dwell on the regulator’s failings, firms should instead look to learn from them. We gleaned 3 key lessons:

1. Records are still sacrosanct

The SEC has fallen on its sword by dismissing 42 cases affected by its own recordkeeping errors. In what is becoming the regulatory theme of the month, the SEC did “the right thing”. The regulator will doubtless be looking to set an example – owning up to its mistakes and doing what it can to put them right.

When J.P. Morgan failed to preserve records in 2021, SEC Director of the Division of Enforcement, Gurbir Grewal, described recordkeeping as “sacrosanct”. This message continues to ring true in 2023. In light of the SEC’s failures, firms should consider whether their own recordkeeping controls are in order, and take steps to remedy them if they are not. The SEC’s own failures will have placed recordkeeping at the forefront of their minds… firms should prepare for this focus to turn outwards.

2. Technology should be tested

The SEC openly notes that the database on which it relied had not been configured correctly. This is a commonly seen failure – firms install technology to take on legwork, but fail – or forget – to test whether it is working effectively. Processes should be tested with policies and controls in mind, to ensure they are meeting the compliance and data needs of the organization. This should be done on installation, and continue periodically to ensure operational resilience.

3. Technology should be trusted

All too often, technology firms over-promise and under-deliver on the capabilities of the solutions they provide. This case highlights the importance of experience and expertise when selecting a technology vendor. The SEC undoubtedly manages vast quantities of records and data. This action suggests that, perhaps, the tools it uses to preserve that data may not be able to keep up.

Global Relay delivers recordkeeping solutions that you can trust. If you’re not confident that your current recordkeeping controls would withstand regulatory scrutiny, get in touch.

 
