What can financial organizations expect of regulators’ future path based on what they’ve learnt from previous enforcement actions? How can they stay compliant when in the watchful regulatory eye’s line of vision?
In an FCPA Compliance Report podcast hosted by Tom Fox, Global Relay’s Executive Vice President of Compliance, Chip Jones, explored recordkeeping compliance for messaging applications and provided his take on recent enforcement actions.
How to avoid becoming “low-hanging fruit”
Jones remarked on the string of recordkeeping violation enforcement actions occurring over the past couple of years – one of the first was the Security and Exchange Commission’s (SEC) fine against J.P. Morgan in December 2021 (with the firm being hit with additional fines since), which has likely catalyzed enforcements against a range of additional firms, such as Wells Fargo.
The SEC wasn’t the only regulator to fine J.P. Morgan. A few months later, the Commodities Future Trading Commission (CFTC) similarly fined the firm for recordkeeping violations related to off-channel communications and supervision failures – going to show that all regulators are “getting in the game.”
In the case of Wells Fargo and other Wall Street firms, Jones identified two linked themes that lead the SEC to fine organizations for violating rules: employees communicating over unauthorized platforms, and communication records related to those platforms not being recorded. These requirements are clearly laid out in Rule 17a-4.
When employees are communicating with their coworkers or clients over personal devices, or through off-channel applications that aren’t approved by their organizations, that information is not going through electronic recordkeeping systems, marking where the issue lies. As a result, that data will be lost forever, as Jones summarizes:
“You can’t go back and recreate or capture those records because the communications weren’t done on a device that allows for the capture of those communications.”
Is there a “magic bullet” to guarantee compliance?
Organizations should be strengthening compliance operations across all fronts, especially through policies and procedures, education, and tone from the top.
Since there’s no “one size fits all” approach to ensuring compliance, you need executives and leaders to clearly state expectations, educate around how to appropriately communicate when using applications, and establish a technology solution to oversee compliant communications. Jones used an example to illustrate how easily violations can occur:
“If you’re a financial professional and a client texts you … saying they want to buy a thousand shares of Apple, it’s difficult to ignore that. You can then place a phone call and take the order, but by this time, the horse is already out of the barn because you’ve communicated and you’re having a conversation with a client regarding business on an off-channel device.”
Jones shared his interpretation of a statement from Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, which suggested that firms “self-report, cooperate, and remediate” to remain in good standing with regulators:
“Don’t wait for [regulators] to come and hit you with this sweep … Conduct your own internal investigation to determine if you have individuals who are communicating with off-channel devices … Come up with how broad you think the investigation is, tell [regulators] about it, and then determine what you, the registered firm, should do in order to avoid this.”
As regulators promise, organizations get credit for cooperation – when firms come forward admitting to noncompliance, it means regulators don’t have to utilize their resources to investigate and uncover this information. Conduct investigations at your organization regularly, and if you find suspicious activity, report to regulators: which rule was violated, how it was violated, when, the extent of the issue, and the steps in place to remedy the situation.
As part of remedial efforts, the SEC also requires that violating firms hire independent compliance consultants to assess policies and determine why compliance fell short, Jones explained. The regulator wants a “fresh set of eyes” to inspect the situation and provide an account of what happened – and how to prevent it in the future.
What lies ahead
Jones summarized the conversation by explaining that, in the past, compliantly capturing data like texts conversations or WhatsApp messages proved much more challenging. Though now, technology has caught up, and regulators expect firms to match the pace.
Organizations can streamline their compliant communication strategies by implementing compliance solutions like the Global Relay App, which allows professionals to communicate with each other and their clients on a protected platform that captures information for compliance teams to supervise.
As indicated in these enforcement actions, the SEC wants to see a shift away from solely relying on strict prohibition, which is a method firms have utilized when trying to deal with noncompliance related to the use of personal devices and off-channel conversations.
Technology and communication channels continue to evolve and have become foundational to business practices. With new technological monitoring tools available to effectively capture conversations on these platforms, the SEC wants firms to take charge of their compliance, be proactive in preparing for any situation, and act quickly if things stray off course.
Organizations should take advantage of all the compliance tools at their disposal, create policies, educate staff on these policies, and set an example of proper compliance. Regulators have demonstrated their expectations – and it is now organizations’ turn to meet them.
