Surveying the Waves
A Data-Oriented Study of the SEC’s Electronic Communications Recordkeeping Enforcement Actions
EXECUTIVE SUMMARY
Notwithstanding persistent consternation in our industry over the SEC’s electronic communication recordkeeping enforcement actions, data shows that fine amounts have trended downward overall from when the SEC first began its sweeps in September of 2022. Maximum fines have trended downward 72% overall, and the average fine amount has trended downward 91.2% overall.
The size and complexity of the registrants in the earlier enforcement waves have generally been greater than those of registrants in subsequent waves, which is likely a contributing factor to the lowering of fine amounts. However, other data and information embedded within these enforcement actions suggest that registrant size and complexity are not the only factors that have contributed to less severe outcomes.
Other factors – such as the egregiousness of the conduct and deficiencies involved, as well as the timing of when an action was brought – appear impactful as well. For example, in over 80% of its enforcement Orders, the SEC cites examples of problematic practices and conduct that predate December 2021, which was when the first of these enforcement actions was issued. This suggests the SEC may be finding fewer issues with registrants as time goes on.
Based upon this data and information, it appears possible for registrants to design and implement electronic communications recordkeeping practices that can result in improved regulatory outcomes, at least on a go-forward basis. Registrants should consider addressing the following elements in their electronic communications recordkeeping programs: approved electronic communications platforms, corporate issued devices, quarterly compliance self-attestations, surveillance & monitoring, disciplinary frameworks, Compliance oversight & testing, internal audit testing, third-party assessments, and policies & procedures.
INTRODUCTION
Sheer curiosity sparked this month’s essay. Last month, as all of you are aware, the SEC announced and settled more charges against 26 investment firms amounting to more than $390 million in combined fines for failing to adequately preserve electronic communications. The August ’24 wave of actions represented what was then the fifth and most recent wave of the SEC’s sweep and initiative to hold firms accountable for failing to preserve electronic communications pertaining to their business. This effort dates back to December 2021 and has consisted of six waves since (September ’22, August ’23, September ’23, February ’24, August ’24, and September ’24). As of the August ’24 wave, the SEC’s efforts had resulted in approximately $2.1 billion in fines covering 80 investment firms. Then, just this past week, the sixth wave arrived wherein the SEC invited 11 more reluctant guests to the electronic communications enforcement “party.” This September ’24 wave brought the current grand total to 91 registrants impacted, with total fines amounting to just shy of $3 billion since 2021.
In response to these enforcement waves, industry colleagues and certain SEC Commissioners alike appear exasperated. Many have begun wondering whether it will ever be possible to get things right, or whether this will always be a sore spot and topic we see consistent and widespread fines on as a matter of course. Some even maintain that once the SEC begins examining a registrant with this topic in focus, a fine is inevitable.
Over the past several weeks, I decided to explore all of the actions (62 in total) comprising these waves. I sought to understand whether it’s possible for registrants to achieve improved regulatory outcomes on this topic, and if so, the contributing factors. As part of this undertaking, I employed the following approaches:
- Reviewing the data regarding fine amounts generally over the several waves of these actions to identify any notable trends
- Reviewing the particulars of each enforcement action in all of the waves to discern what factors most likely impact fine amounts
- Reviewing the particulars of each action to elucidate common deficiencies and emerging regulatory expectations
Based upon the aforementioned research and reviews, it does appear possible for registrants to realize improved regulatory outcomes relative to what has occurred in the industry to-date. With the adoption of certain practices and also simply the passage of time, the odds of registrants’ electronic communications recordkeeping programs passing regulatory muster will likely increase, notwithstanding inevitable imperfections in the application and execution of those programs by registrants’ personnel.
THE MACRO DATA
Across the six enforcement waves, the data suggests that with respect to fine amounts being levied in each enforcement action, regulatory outcomes appear to be improving. Fine levels have generally trended downward since the first wave of such actions in September ’22.
The below table illustrates the trends of fines over the course of the six enforcement waves across the following vantage points: minimum fine, maximum fine, median fine, and average fine.

Electronic communications recordkeeping SEC enforcement statistics
Although there are nuances embedded within this data that will be addressed in the sections that follow, this macro-level view of the enforcement waves is worth a few moments. As the above table illustrates, overall, the fine amounts in enforcement actions seem to be tempering. The median fine for registrants in each wave has seen a 98.99% decrease overall (with median fine for the September ’22 enforcement wave being $125 million, and the median fine for the September ’24 enforcement wave being $1.38 million). Similarly, the average fine has seen a 91.2% overall decrease (with the average fine for the September ’22 enforcement wave being $100 million, and the average fine for the September ’24 enforcement wave being $8.8 million). Maximum fines have also trended downward, down 72% overall since September ’22, and recognizing as much as an 86.8% decrease in the February wave earlier this year. Last, unlike the maximum fines (which experienced an uptick in the August ’24 wave and which now seem to be trending back downward), minimum fines have consistently trended downward during each enforcement wave, experiencing a modest but consistent decrease of 100% (with the minimum fine for the September ’22 wave being $10 million, and the minimum fine for the September ’24 enforcement wave being $0). This macro data suggests that, although all but one registrant complex ensnared in these enforcement waves received a fine, fines themselves appear to be decreasing, which would seem to constitute an improved outcome type.
CONTRIBUTING FACTORS
Recognizably, certain factors appear to be contributing to fine amounts that are beyond the control of registrants (such as the size and complexity of the registrant that is subject to an action). However, when closely examining the particulars of these actions, other factors emerge that appear within the control of registrants, suggesting registrants are better positioned to improve regulatory outcomes going forward.
Deterrence
Without question, the need to deter future violations appears to be a factor in why we see an overall downward trend in fine amounts since the first wave of these actions in 2022. From the perspective of deterrence, certainly the SEC is going to want to calibrate its level of fine commensurate with the size of a registrant involved. After all, if a registrant doesn’t “feel it,” what deterrence will come of it? The fine data seems to suggest the downward trend is attributable in part to this factor, and that smaller firms simply do not require the same fine amounts as larger peers to be deterred effectively. For example, large firms like UBS, Credit Suisse, and Wells Fargo (among others) each received a $125 million fine, whereas mid-large firms such as LPL, Ameriprise, and Raymond James each received a $50 million fine, and even less large firms such as Cambridge, Key Investment Services, and William Blair each received a $10 million fine.
In addition to deterrence, however, the particulars of the actions suggest there are two other factors that account for decreased fines: egregiousness and time.
Egregiousness
In all of the actions, the SEC consistently cites examples of the conduct and deficiencies it observed for the applicable registrant. A comparison between the types of conduct and deficiencies observed in the top fining actions compared to actions involving lower fines is informative. For example, in one action involving a $125 million fine, the SEC notes that for 30 personnel sampled at the registrant, such personnel sent and received tens of thousands of off-channel communications. Within this registrant, one Managing Director alone sent thousands of messages off-channel. By comparison, in one action involving a $25 million fine, the SEC notes as one example for such registrant that a Managing Director exchanged hundreds of text messages or WhatsApp messages. By way of one final comparison involving a $9 million fine, the SEC notes as one example that a senior leader exchanged simply “numerous” off-channel business communications with other employees during the period of review. In each of these actions, the egregiousness of the exemplary conduct – marked by what the SEC observed from singular individuals at each firm – seems to correlate directly to the size of the fines involved.
In terms of the conditions that allowed this type of conduct to persist, the below represents problem themes that appear to have served as fertile ground for such violations. Additionally, in Appendix A, I have provided a table that more specifically identifies not just all of the registrant complexes who have been ensnared in these actions and their corresponding fine amounts, but also includes the examples of the conduct the SEC calls out specifically in the Order for the corresponding registrant. My hope is that this information is also useful and allows you to assess actions against your peers as you think about where risks may lie in your own organization.
Problem Themes
- Messages being sent through unapproved communication methods, such as text messaging, and those sent from unapproved applications on personal devices, not being monitored, subject to review, or archived
- Failure to implement a system of follow-up and review reasonably expected to determine that all personnel were following firm policies
- Failure to have policies & procedures
- Failure to follow stated policies & procedures
- Self-attestations of compliance that occur less frequently than quarterly
- Lack of employment action/discipline for policy violations
- Senior personnel engaging in problematic communication practices that entangled junior personnel that reported to them
- Failure to preserve off-channel communications
Temporality
In addition to egregiousness, a slightly closer look at one aspect of these actions suggests one more factor that likely accounts for the downward fine trend: time. When reviewing the particulars of the various Orders, one notices that registrants are primarily being held to account for deficiencies that pre-dated the SEC’s inaugural enforcement action on this topic against JP Morgan in December 2021. Indeed, within the terms of the Orders for the 62 enforcement actions that comprise the above table, the SEC provides examples in each Order of the nature of each registrant’s deficiencies, including the time period for each example. For all of the examples cited, in only 11 out of the 62 actions does the SEC include deficiencies that occurred since December 2021. In other words, over 80% of the time the SEC is citing as examples deficiencies and conduct that predated the learnings the industry began gleaning from the SEC’s first enforcement Order in this realm with JP Morgan. Moreover, due to the Advisers Act’s relatively standard five-year retention period for most records, a greater proportion of registrants’ electronic communications have creation dates after December 2021 and have had the opportunity to be subject to retention practices adopted in light of the inaugural JP Morgan action. Viewed through this lens, the overall lowering of fine amounts suggests registrants may well be improving and learning. Otherwise, we would see the SEC citing examples of problematic conduct and practices that existed with registrants post-December 2021.
FROM WAVES TO CALMER WATERS
While one can never have a crystal ball when it comes to the SEC, between the themes mentioned above and looking at examples of conduct cited by the SEC, it does seem that the contours of a reasonably designed Compliance program that could withstand SEC muster have begun to emerge. While one cannot necessarily account for what’s happened in the past, it seems as if there may be hope for mitigating the risk of egregious electronic recordkeeping violations and corresponding regulatory actions going forward.
The following table is meant to illustrate those practices and elements of an electronic communication recordkeeping program that registrants should consider adopting in some shape or form. Such elements will likely increase the chances of achieving improved outcomes with regulators compared to registrants who have been subject to fines thus far.
TABLE 1: ELECTRONIC COMMUNICATIONS RECORDKEEPING PROGRAM BLUEPRINT
Electronic Communications Platforms | → Introducing proprietary or other third-party on-channel texting platforms, both amongst supervised persons and between supervised persons and clients who enroll in such applications |
Corporate Devices | → Issuing corporate devices to firm personnel with approved communication methods to facilitate firm business communications |
Compliance Attestations | → Quarterly (not annual) self-attestation of compliance by employees |
Surveillance & Monitoring | → Measures to monitor, review, and archive communications sent on approved platforms → Implementation of surveillance programs designed to prevent and detect whether employees are communicating off-channel (e.g. key word or phrase searches in on-channel platforms that may suggest off-channel communications may be occurring) → Processes for curing breaches and bringing off-channel communications on-channel |
Disciplinary Framework | → The establishment of a disciplinary framework to handle instances of non-compliance, including financial penalties for employees and standards designed to ensure discipline and penalties are administered consistently |
Training | → Training for firm personnel on electronic communication recordkeeping obligations |
Compliance Oversight | → Periodically and systematically assessing the design and operating effectiveness of the above |
Internal Audit | → Electronic communication recordkeeping practices monitored periodically by internal audit, including formal inclusion in annual audit planning |
3rd Party Assessments | → Electronic communication recordkeeping practices periodically assessed by an independent consultant |
Policies & Procedures | → Policies & procedures addressing the above → Policies & procedures that state that use of unapproved electronic communication methods is prohibited, and which also identify prohibited uses → Policies & procedures that clearly state the types of information that constitute a regulatorily required record and therefore must adhere to approved electronic communication methods |
PARTING THOUGHTS
Admittedly, one could spend the better part of a year analyzing the more microscopic nature of all of these Orders, and also look at it from different angles than what I have done. Additionally, as with any set of data, there are outliers in what I’ve examined that serve as counterpoints to the general themes and trends I’ve noted, or that at least continue to confound and puzzle. Last, I think the SEC itself has not yet decided on what would be a reasonable approach they want to regulate to, but which I think will emerge after they have had the chance to digest the information received from all of the independent consultants who will be required to be engaged in the vast majority of these actions. However, notwithstanding how there are still many variables and even some unknowns to a degree, the types of practices and conduct the SEC identified as problematic in these Orders, as well as the types of practices it gave credit for and acknowledged, are relatively consistent throughout all of the waves. Given that fine levels overall appear to be trending downward, it would appear industry participants are learning from the past, even if there are wrinkles and things that may puzzle us here and there. While I don’t know that firms are out of the woods yet, I do think the amount of bramble and thorns are lessening overall, and that, with the right practices, we will see – or perhaps hear about – more firms emerging from SEC inquiries on this topic unscathed.
Thanks for reading.