A man uses his phone to send unauthorized communications

SEC will reward cooperation where firms “mess up” with unauthorized communication

SEC Chair, Gary Gensler has suggested that financial institutions “did not act as if they got the message” around unauthorized communications. Is the regulator changing its approach?

17 November 2022 6 mins read
By Jennie Clarke

In brief:
– SEC Chair, Gary Gensler, has discussed the $125 million fine issued to JP Morgan, explaining the regulator’s rationale behind the sum

– Firms have been put on notice to increase scrutiny around unauthorized, unwatched, or willfully deleted communications

– Speaking at the 54th Annual Institute on Securities Regulation, Gensler has pointed to a change in approach for the SEC

– Gensler has cemented messaging regarding the importance of accountability, noting that “the tone at the top must change”

In the wake of the latest round of U.S. fines for Wall Street firms that failed to preserve business communications, Commodity Futures Trading Commission (CFTC) Commissioner Christy Goldsmith Romero said, “The era of evasive communications practices is over.”

The message rang loud and true – regulators are catching up with digital and unauthorized communications and they’re stamping out bad practice. However, this isn’t simply a story of regulator vs. the world. Fast forward two months and the Securities and Exchange Commission’s (SEC) Chair, Gary Gensler, has set out a vision for a more collaborative financial ecosystem. Collaborate, and you’ll be rewarded – he says. Fail to comply and fail to collaborate? You’ll face the wrath of the regulator.

“Market participants did not act as if they got the message”

Speaking to lawyers before the Practicing Law Institute’s 54th Annual Institute on Securities Regulation, Gensler recalled recent enforcement action against JP Morgan for its failure to monitor and manage unauthorized communications. As lawyers, he noted, there are some cases that will stand out from the rest, that they will write memos to their clients about. The $125 million fine against JP Morgan is one such case, in which “employees, supervisors, and even managing directors conducted, and failed to maintain, off channel communications through WhatsApp, text messages, and personal email accounts”.

Speaking directly to the size of the fine – a sum that left the industry nothing short of breathless – Gensler noted that this was not simply a fine for bad practice, but for continued malpractice in the face of sustained regulatory criticism. He noted that “Frankly […] some market participants did not act as if they got the message.” Because of this, JP Morgan faced a fine that was 10x anything similar that has come before. While unauthorized messages were left to run rife, regulatory messages fell on deaf ears, and so the regulator acted.

Following this mammoth action, as well concurrent action in September 2022 which saw $1.1 billion issued to 16 financial entities for similar misconduct, firms have been clearly put on notice regarding increased scrutiny around unauthorized, unwatched, or wilfully deleted communications. Gensler’s latest remarks echo those of the CFTC in a cranking of the gears – a sharpening of the axe. But they also call for collaboration in the face of non-compliance.

Cooperation around unauthorized communication may reap rewards

While Gensler’s speech cements the message that communication monitoring failures will not go unnoticed, it also marks a change of tack for the regulator. This new messaging suggests that, as well as clamping down on bad practices, there “can be cases where we reward good behavior”.

This does not mean, of course, that firms will be rewarded for simply complying. What it means is that there will be instances where firms uncover bad practice and, instead of burying heads in the sand or patching up the problem, they work directly with the regulator to resolve their compliance flaws. In one example, Gensler recalls that a company discovered material accounting errors and “promptly self-reported and cooperated with our investigation”. The firm was charged for the violation, but did not receive a penalty. Gensler is hoping to send a message of his own:

If you mess up – and people do mess up sometimes – come in and talk to us, cooperate with our investigation, and remediate your misconduct.”

Gary Gensler, Chair, Securities and Exchange Commission

Of course, self-reporting is a pipe dream for many. But this messaging does at least show a degree of leniency from the regulator – one which views failure as an opportunity for change, rather than for purely punitive measures.

“The tone at the top must change”

“Nothing motivates […] quite like accountability” says Gensler, adding that “when it comes to accountability, the details matter”.

Accountability at the very top, especially individual accountability for senior managers, is fast becoming a chief concern for firms. As well as increasing regulation for individual accountability, we’re also seeing increasing enforcement activity. Gensler highlights two such instances – the case of the SEC holding senior managers to account where Allianz admitted to wrongdoing and criminal activity, and the case of Boeing, in which the CEO was held accountable for misleading investors and making false statements about airplane safety.

Failure to successfully monitor, archive, and address gaps in communication monitoring is no longer just an issue for the compliance team. It’s an issue for the C-suite and senior managers, too. Errors can now be mapped to the roles and responsibilities of individuals. Hiding behind the corporation in the event of non-compliance is no longer an option. When individual and organization reputation is at stake, perhaps self-reporting seems like a more realistic option. In any event, regulators are looking for proactive, collaborative compliance over gap patching.

The long road to resolution

Following last years’ action against JP Morgan, rumors spread that firms were issuing widespread bans of messaging apps. Instead of weeding out the issue from the root, they were simply cutting the issue at the stem. While this option gives some short-term relief, it doesn’t look to “remediate your conduct” but instead press pause on the conduct.  

Enforcement actions bear the sharpest sting where firms have uncovered misconduct and failed to take resilient, long-lasting steps to prevent that misconduct from happening again. Instead of banning WhatsApp and other channels, firms should be enabling their use in a compliant way.

It is no secret that many firms will likely struggle in establishing compliant messaging systems. But instead of removing the functionality altogether, firms need to establish a path to resolution. If it comes to it, they should share that path with the regulator. After all, the SEC will be far more forgiving of a forward-looking plan demonstrating investment in solutions, than a plan that simply shuts the door on unauthorized communications channels.

Regulators understand that mistakes happen and, while compliance gaps are far from ideal, ignoring those gaps is worse. Where gaps arise, as Gensler suggests, own up to them and take gaps to remedy them. Action is always better than inaction.

If you’re struggling to keep up with archiving and surveillance of your communications data, Global Relay has a suite of products to help.