The Messaging Crackdown Continues
In case any compliance professionals out there assume that the crackdown on employee use of improper messaging apps is over, the Securities and Exchange Commission sanctioned two more Wall Street trading firms late last week for the same offenses, and imposed the same punishments of monetary penalties and extensive compliance reviews.
The broker-dealer firms in question are HSBC Securities and Scotia Capital, fined $15 million and $7.5 million, respectively. Those penalties are far less than the $1.1 billion collectively imposed on more than a dozen larger Wall Street banks last year, but the settlement orders still give us glimpses into exactly what business conduct failures got the firms into hot water and what remediation measures will cool things down.
At this point, the misconduct itself isn’t anything surprising. From the late 2010s into 2021, employees at both firms “sent and received off-channel communications” about official business, according to the SEC. By using those forbidden apps (the settlement orders only cite WhatsApp by name, although Snapchat, Signal, and Telegram all fit the bill too), employees were ignoring their record-keeping obligations under Section 17(a) of the Exchange Act.
The true issue here, however, is that the firms took no substantive steps to stop employees from using the off-channel apps. The messaging abuses were “firm-wide, and involved employees at all levels of authority.”
That’s not a failure of technology. That’s a failure of corporate culture.
For example, as outlined in the order against HSBC, the firm did have policies directing supervisors to train employees on HSBC’s recordkeeping requirements. It also had policies informing employees that their communications were subject to HSBC surveillance. But the firm never implemented any systems to determine whether the supervisors were actually following those policies.
Alas, the supervisors were not. For example, a managing director in the firm’s investment bank — that is, someone responsible for enforcing policy among subordinates, and who should have known better — exchanged hundreds of off-channel business-related messages with coworkers, investment banking clients, and personnel at other financial services firms.
Scotia Capital was no better. Its settlement order tells of a director in its capital markets group who sent and received thousands of off-channel business-related messages with coworkers, clients, and contacts at other financial services firms, talking about investment strategy, client meetings, market trends, and the like.
No technology exists that can entirely stop employees from using off-channel apps to talk business, but this was a problem of corporate culture — where the firms as a corporate whole and individual leaders within the firms both failed to take their compliance obligations seriously. That’s what drew the SEC’s ire.
Messaging Compliance Reforms
The good news for HSBC and Scotia Capital is that both firms self-reported their violations and then cooperated with the ensuing SEC investigations, which goes a long way to staying in regulators’ relatively good graces. (The SEC launched its messaging crackdown in 2021, when it whacked JPMorgan with a $200 million fine and extensive compliance remediation obligations. That enforcement action prompted other Wall Street firms to see whether they had similar problems of their own, and of course most did.)
The meaty stuff for compliance officers, however, lies in the compliance program improvements both firms agreed to make. If you want hints about what your own compliance program should be doing to avoid an SEC enforcement action on messaging apps, this is where to look.
First, both firms agreed to hire an “independent compliance consultant” to review their compliance and surveillance programs and make recommendations. That’s not news per se; all the other Wall Street banks busted for messaging failures are doing the same. But one part of the consultants’ duties did jump out at me:
An assessment of the technological solutions that [the firms] have begun implementing to meet the record retention requirements of the federal securities laws, including an assessment of the likelihood that personnel will use the technological solutions going forward and a review of the measures employed by [the firms] to track employee usage of new technological solutions.
So as much as these enforcement actions are about poor corporate culture, technology remedies still matter too. Compliance teams will need to think about what software they might use for employee surveillance and how they would assess the effectiveness of that software.
Second, the consultants must also assess the frameworks HSBC and Scotia use to address employees’ non-compliance and ensure that discipline is handed down consistently and appropriately. This provision gets to the “consequence management” that the Justice Department mentioned in its most recent update to the evaluation of corporate compliance programs. Regulators want to see effective, consistent discipline, and they want to see the proof that you know how to impose it.
Third, both firms agreed that for the next two years, they will inform SEC staff whenever they impose discipline on employees (written warnings, loss of compensation, termination, and so forth) for failing to preserve electronic communications — including business communications on personal devices. The update to SEC staff must happen within 10 days of the discipline getting doled out, or at least two days before the firms send notice to FINRA (the regulator for broker-dealers) that they’re firing a trader.
For other compliance officers, then, the question is how well your escalation and disclosure procedures work, in case the SEC ever imposes a similar duty on you. Do managers know they need to report such disciplinary actions to you? Do they have an easy procedure to do so? Do you test those procedures or consult with HR on a regular basis, to confirm that nobody is imposing discipline without telling you?
Food for thought — and if you want to share your thoughts, I’m on Signal at 1-617-642-1107.