Compliance Risk Concepts
Client Login
compliance risk logo-2024

SEC Recordkeeping Enforcement Continues to Result in Large Penalties for Off-Channel Communications

SEC Recordkeeping Enforcement Continues to Result in Large Penalties for Off-Channel Communications

No Comments
July 14, 2023

The list of firms that have been charged in less than 12 months with recordkeeping failures for off-channel electronic communications continues to grow. Last month, the SEC charged HSBC Securities (USA) Inc. and Scotia Capital (USA) Inc. for widespread and longstanding failures by both firms and their employees to maintain and preserve electronic communications, which resulted in multimillion dollar SEC enforcement penalties for both broker-dealers. Their employees often communicated about securities business matters on their personal devices, using messaging platforms, such as Whatsapp. Most of these messages were not preserved and involved employees at multiple levels of authority, including supervisors and executives.

The SEC’s investigation of HSBC Securities (USA) Inc. and Scotia Capital (USA) Inc., both registered broker dealers, uncovered pervasive and longstanding use of off-channel communications at both firms. Messages sent through unapproved communications methods, such as WhatsApp and those sent from unapproved applications on personal devices, were not monitored, subject to review, or archived. According to the resulting SEC orders, the firms failed to implement a system of follow-up and review to determine that supervisors were reasonably following the firms’ policies and also failed to implement sufficient monitoring to assure that its recordkeeping and communications policies were being followed.

The recent actions follow enforcement activity against several other firms for recordkeeping failures in September 2022, in which those charged firms agreed to pay combined penalties of more than one billion dollars. However, it appears that one meaningful contrast between those earlier cases and the recent actions are that the published orders in 2022 reported that it was the SEC that discovered the misconduct through its investigations, but, in the recent actions both firms self-reported after having already initiated a review of their recordkeeping failures and begun a program of remediation prior to contacting the Division of Enforcement. One may draw the conclusion that the repeated references to proactive steps by HSBC and Scotia in identifying and addressing the recordkeeping issues were a relevant consideration that may help to explain the difference in the scale of the monetary penalties when comparing the two clusters of cases. In 2022, all but one of the charged firms had penalties of at least $50 million (most were $125 million), and while still significant, HSBC and Scotia were penalized $15 million and $7.5 million respectively.

Likewise, CRC believes that the best approach to regulatory compliance is a proactive one. The SEC’s 2023 Examination Priorities report identified electronic communications as an examination focus area for both broker-dealers and registered investment advisers. Rather than scrambling to rectify issues or meet deadlines after an examination has begun, a thorough, active compliance program that considers and incorporates regulatory developments is in a better position to satisfy regulators and preserve operations so they can best serve their clients.

What can firms do?

In one of the recent orders, the SEC highlighted several remedial steps taken by the firm, which included:

  • Clarifying the application of relevant policies;
  • Enhancing training to reinforce the requirement to use authorized communications channels; and
  • Providing clear messaging to employees from senior management regarding the use of unauthorized communication channels.

In addition to these shorter-term steps, the recent firms were also required to conduct reviews or assessments of:

  • Supervisory, compliance, and other policies and procedures;
  • Training and employee certifications;
  • Surveillance program measures;
  • Technological solutions to meet record retention requirements;
  • Measures used to prevent the use of unauthorized communications methods for business communications by employees;
  • Electronic communications surveillance routines to ensure that electronic communications through approved communications methods found on personal devices are incorporated into the overall surveillance program; and
  • The framework to address instances of non-compliance by employees with the firm’s policies and procedures concerning the use of personal devices for business communications in the past.

For more information about how CRC can help your firm, please contact:

Mitch Avnet

p. (646) 346-2468

David Amster

p. (917) 568-6470

CRC is a business-focused team of senior compliance consultants and executives who furnish top-tier compliance advisory services to clients on an as-needed, project or part-time basis. We provide our clients with the critical skills and expertise required to establish, maintain and enhance a balanced and effective compliance operational risk management program. We help organizations demonstrate a commitment to a strong risk management culture. We bring a unique tailored approach to help our clients succeed in today’s challenging regulatory and economic environment, enabling and empowering our clients to manage the “cost of compliance” without sacrificing the necessary infrastructure and control environment.


Leave a Reply


Stay updated with all latest updates,upcoming events & much more.

Subscribe NowSupport
Copyright Compliance Risk Concepts | All Rights Reserved © 2023 | Privacy Policy