Compliance officers have quite the recordkeeping issue to mull over this week, now that regulators have hit 16 Wall Street banks with a collective $1.1 billion in fines for failing to preserve electronic communications employees were sending or receiving on their personal devices.
This enforcement action was no surprise. Rumors of a global settlement had been circulating since last month, and this settlement follows one that JPMorgan Chase reached with regulators at the end of last year — the first such case over employee communication apps, and one that foreshadowed the settlement we have this week.
The misconduct itself was straightforward. At banks including Morgan Stanley, Goldman Sachs, Barclays, Nomura Securities and many more, legions of employees were discovered to be talking bank business on their personal phones and on unapproved communication apps. That meant potentially important records — like, say, for government investigations — were not preserved and not available for regulators to review.
Let’s take Goldman Sachs as an example. As spelled out in the settlement order Goldman reached with the Securities and Exchange Commission, the improper messaging ran from 2018 into 2021, during which employees at all levels of the bank sent countless messages through improper channels. One managing director with a global firm-wide leadership role in Goldman’s investment bank sent and received thousands of off-channel business-related messages to coworkers, clients, and contacts at other financial services firms.
All the while, Goldman also received and responded to document requests from the SEC and other regulators. Since the bank wasn’t preserving all its records, “Goldman Sachs likely deprived the Commission of these off-channel communications in various investigations” and delayed the SEC’s work. Which is a surefire way to get regulators mighty mad at you.
I haven’t read all 16 settlement orders with the Wall Street banks, but we can safely assume the broad contours of their misconduct are similar. Large numbers of employees up and down the seniority level were blithely disregarding policy and procedure to talk shop on their personal devices, and that hampered regulatory investigations.
The Big Theme: Supervisory Failures
We might as well admit now that tracking employees’ use of personal devices is enormously difficult. Yes, banks do try to surveil employee communications right down to recording their voice calls, but there will always be some way for a determined rogue to circumvent your controls.
So why did the SEC and the Commodity Futures Trading Commission bring these enforcement actions at all? Perhaps because the violations were so widespread that they were failures of corporate culture more than failures of internal control.
Go back to that Goldman Sachs managing director mentioned above. He or she acted in a supervisory capacity, supposedly modeling the behavior that other employees should follow. It must have been especially galling to the SEC to see that supervisory executive handle company communications so recklessly. Plus, that reckless behavior resulted in real harm to SEC investigations.
Or go back to that JPMorgan settlement from last year. In that case, the SEC found dozens of managing directors and senior supervisors — the very people responsible for implementing policies and procedures, and for overseeing other employees’ compliance — were themselves using unapproved apps.
Sanjay Wadhwa, the SEC’s deputy director of enforcement, said this when announcing the settlements: “These actions deliver a straightforward message to registrants: You are expected to abide by the Commission’s recordkeeping rules.” I don’t believe Wadhwa meant that companies must be perfect with their recordkeeping. The more important issue is that leaders of those companies take good conduct seriously, and at least strive to meet those expectations even if full compliance is impossible.
So to that extent, with so many supervisory failures among senior bank personnel, I’m not at all surprised at this enforcement action.
First, all banks involved in this week’s enforcement sweep did admit to the wrongdoing presented in their respective SEC settlement orders; no “neither admit nor deny” pablum this time around. Second, eight major banks and five more firms affiliated with them agreed to pay penalties of $125 million each. Two other firms agreed to penalties of $50 million each, and Cantor Fitzgerald paid only $10 million.
Moreover, each bank agreed to hire an independent compliance consultant within 30 days to review the bank’s policies, procedures, and records retention program. JPMorgan had to accept a compliance consultant as part of its settlement last year too, and that person’s duties were so wide-ranging that they needed a post of their own to study them. The consultants coming under this new settlement seem to have the same reach and discretion.
Most notable is that the bank can’t fire the consultant without prior approval of SEC staff; and that the consultant must have unfettered access to all relevant files, books, records, and bank personnel. Then the consultant needs to undertake an extensive review of the bank’s recordkeeping efforts.
For example, the consultant for Citigroup Global Markets must look at:
- The supervisory, compliance, and other policies and procedures related to preserving the electronic communications on cell phones and personal devices;
- The training employees receive about electronic communications;
- The technology Citi uses to meet records-retention requirements, as well as any measures Citi uses to prevent unauthorized communications;
- The surveillance program Citi uses to assure compliance with its recordkeeping policies and procedures.
Then comes a report from the consultant for possible improvements, feedback from the bank, quibbling over the details — but in the final analysis, after all quibbling is done, the bank “shall adopt and implement all of the recommendations that the Compliance Consultant deems appropriate.” (Emphasis mine.)
On top of these compliance consultants, each bank also needs to conduct a separate internal audit of its recordkeeping efforts; and send reports to the SEC for two years detailing any disciplinary actions taken regarding violations of electronic communications policies.
I’m still stuck on exactly how a company can enforce communication policies vigorously, when employees can pick up a prepaid cell phone for $50 and start communicating entirely beyond the bank’s purview. Really, that’s impossible.
So the better question is how hard you try to enforce your rules, and how you document those efforts. That speaks to the culture of compliance you have around employee communications — and clearly, that’s an issue the SEC takes seriously.