Securities regulators sanctioned another dozen Wall Street trading houses on Tuesday for employees’ usage of unauthorized messaging systems. They are the latest targets in an ongoing crackdown over the practice, and further proof that management teams need to take this issue seriously.
The Securities and Exchange Commission sanctioned 11 firms, imposing a total of $289 million in penalties. The Commodity Futures Trading Commission also sanctioned four firms, imposing $260 million in penalties. Three of the CFTC targets were also on the SEC’s latest hit list.
Combine these folks with the 16 Wall Street firms sanctioned last year by the Justice Department plus a few more errant enforcement actions since then, and that brings us to several dozen of broker-dealers, investment banks, and other players in the financial market that have run afoul of regulators over “off-channel communications” that violate the industry’s recordkeeping obligations.
“Compliance with the books and records requirements of the federal securities laws is essential to investor protection and well-functioning markets … While some broker-dealers and investment advisers have heeded this message, self-reported violations, or improved internal policies and procedures, today’s actions remind us that many still have not,” SEC enforcement chief Gurbir Grewal said in a prepared statement.
CFTC enforcement chief Ian McGinley offered his own prepared statement, declaring, “The commission’s message could not be more clear: recordkeeping and supervision requirements are fundamental, and registrants that fail to comply with these core regulatory obligations do so at their own peril.”
Today’s targets are second-tier trading houses including Wedbush Securities, Houlihan Lokey Capital, Moelis & Co., Wells Fargo Securities, and BNP Paribas Securities. The largest penalty went to three Wells Fargo businesses, which collectively agreed to pay the SEC a $125 million civil penalty. Two Wells Fargo subsidiaries also agreed to pay the CFTC another $75 million civil penalty. Tied for second place were BNP Paribas and Société Générale, which both agreed to pay $75 million to the CFTC and $35 million to the SEC.
Messaging Misconduct Redux
What messaging misconduct was happening at these firms? At this point it’s all the same stuff compliance officers have already heard about ad nauseam from earlier enforcement actions. Employees were talking about business matters on personal devices and through personal messaging apps, and not following company policies to preserve those business communications.
Let’s take Moelis & Co. as one (randomly picked) example. As described in its settlement order with the SEC, employees “throughout Moelis, including at senior levels” failed to follow the firm’s own policies for internal messaging and recordkeeping.
As usual, the involvement of senior managers — that is, people who should have known better, and were supposed to be role models for junior employees to follow the rules — was an especially sore point with the SEC. Straight from the settlement order:
Moelis’ supervisors, who were responsible for supervising junior employees, routinely communicated off-channel using their personal devices. In fact, senior executives and managing directors responsible for supervising junior employees themselves failed to comply with Moelis’ policies by communicating using non-Moelis approved methods on their personal devices about Moelis’ broker-dealer business.
Senior executives at Moelis even communicated with each other via unauthorized messaging apps about company business. Bad.
Another example comes from BNP Paribas and its settlement order with the CFTC. We had the usual “widespread use of unauthorized communication methods,” followed by this particularly painful passage: “Some of the very same supervisory personnel at BNP responsible for ensuring compliance with BNP’s policies and procedures themselves utilized unapproved methods of communication to engage in business-related communications, in violation of firm policy.” Very bad.
We could keep going with other examples, but you get the idea. Employees were ignoring internal company policies — and hey, why not? Senior managers who were supposed to set a culture of compliance at those firms were doing it too. The infractions happened at least since 2019 (and probably long before that date) until September 2021, when JPMorgan became the first bank to get sanctioned for messaging abuses and this crackdown got underway.
Extensive Compliance Reforms
In addition to the monetary penalties, all of the firms sanctioned today also promised to make extensive compliance reforms. That has been another hallmark of the messaging app settlements we’ve seen so far.
For example, the SEC required that all firms sanctioned today hire an “independent compliance consultant” to conduct extensive reviews of the firms’ compliance programs. Those reviews will consider each firm’s policies, training, surveillance programs (remember that in financial services, monitoring employee communications is a routine thing), and the technology that firms use to try to thwart off-channel messaging.
The compliance consultants will also review firms’ disciplinary measures against offenders, including whether those disciplinary measures are enforced fairly and consistently across the whole enterprise (and up and down the whole org chart).
None of that is new. JPMorgan was the first to agree to an independent compliance consultant, and we’ve seen that stipulation in every SEC enforcement action since.
The CFTC did not require its sanctioned firms to hire an independent compliance consultant, although it did require all the firms to perform their own internal reviews of all the same subjects. Then again, since most of the CFTC-sanctioned firms will be hiring consultants to satisfy their SEC settlements anyway, I’m not sure this distinction matters.
The bottom line: enforcement action over improper messaging use is not going away. Indeed, I would be surprised if we don’t eventually see this enforcement crackdown expand to other industries beyond the financial sector. Because y’all know you’re using WhatsApp and iMessages too.
Will companies ever find a technology solution to prevent employee messaging use? No. You’ll find solutions that help you reduce the risk, but it will never be eradicated fully.
The good news is that regulators know this. They are not expecting perfection. They are, however, expecting an honest effort at compliance, which includes steps such as vigorous disciplinary enforcement (I love Morgan Stanley’s approach of docking employee pay for messaging abuses) and high expectations of good conduct from senior managers.
Do all that, and you’ll be in much better shape should the regulators ever come knocking at your door.