In 2022, the Securities and Exchange Commission (SEC) issued more than $2 billion in regulatory fines related to recordkeeping failures. The regulator will likely be adopting a ‘do as I say, not as I do’ approach, however, after it transpired that it will dismiss 42 cases after it failed to adequately manage records controls during investigations. The SEC announced on June 2, 2023, that it will be dropping the cases after it was found that enforcement staff had access to restricted materials in their investigations – materials that should have been reserved for its in-house legal division.
Within the SEC, there is – or should be – a clear divide between the records that can be accessed by its enforcement staff, and those that should be reserved for its Office of the General Counsel (OGC). However, it appears that over the course of several years, this divide had fallen away, meaning that restricted information was readily shared across departments.
The “control deficiency” was initially reported by the SEC in April 2022, which noted that “for a period of time, certain databases maintained by our Office of the Secretary” had not been properly configured to restrict employees working within enforcements from accessing materials that had been drafted by Adjudication employees sitting within its OGC. This meant that enforcement staff could access OGC documents, which were often shared among others – making them even more accessible.
On discovering the error in April 2022, the SEC immediately took remedial measures, as well as a “comprehensive internal review to assess the scope and potential impact of the control deficiency”.
In a statement issued on June 2, 2023, the SEC said in the course of its investigation it had interviewed over 250 current and former staff members, as well as considering more than 500,000 pages of emails and attachments. As a result, it found that the “databases were not configured” to ensure that the division of records was maintained. As such, it was dismissing 42 cases in which these data lines had been crossed.
Practice what you preach
In response to the findings, the SEC issued a remorseful statement in which it said:
“We deeply regret that the agency’s internal systems lacked sufficient safeguards surrounding access to Adjudication memoranda, and we are continuing our work to ensure that, going forward, work product from the Adjudication staff is appropriately safeguarded. We take this lapse in controls very seriously and are committed to both informing the public about the scope of this issue and preventing any similar lapses in the future.”
The case is a reminder that no organization – no matter how noble – is infallible. It would appear that the SEC’s records error persisted for around 5 years without notice. If the tables were turned, there is no doubt the regulator would question how such an error was allowed to persist, unchecked, for a prolonged period of time.
Rather than dwell on the regulator’s failings, firms should instead look to learn from them. We gleaned 3 key lessons:
The SEC has fallen on its sword by dismissing 42 cases affected by its own recordkeeping errors. In what is becoming regulatory theme of the month, the SEC did “the right thing”. The regulator will doubtless be looking to set an example – owning up to its mistakes and doing what it can to put it right.
When J.P. Morgan failed to preserve records in 2021, SEC Director of the Division of Enforcement, Gurbir Grewal, described recordkeeping as “sacrosanct”. This message continues to ring true in 2023. In light of the SEC’s failures, firms should consider whether their own recordkeeping controls are in order, and take steps to remedy them if they are not. The SEC’s own failures will have placed recordkeeping at the forefront of their minds… firms should prepare for this focus to turn outwards.
The SEC openly notes that the database on which it relied had not been configured correctly. This is a commonly seen failure – firms install technology to take on legwork, but fail – or forget – to test whether it is working effectively. Processes should be tested with policies and controls in mind, to ensure they are meeting the compliance and data needs of the organization. This should be done on installation, and continue periodically to ensure operational resilience.
All too often, technology firms over-promise and under-deliver in the capabilities of the solutions they provide. This case highlights the importance of experience and expertise when selecting a technology vendor. The SEC undoubtedly manages vast quantities of records and data. This action suggests that, perhaps, the tools they use to preserve that data may not be able to keep up.