SEC Chair Talks Messaging Enforcement, Misses Point

The head of the Securities and Exchange Commission said this week that the agency’s Biden-era crackdown on improper use of off-channel messaging apps was “not the way a regulator should act” and presumably won’t happen again under his watch. That’s probably music to compliance officers’ ears, but tread carefully — his words raise other, unsettling questions about regulatory enforcement, too.

SEC chairman Paul Atkins made his remarks Tuesday while speaking at the annual meeting of the Securities Industry and Financial Markets Association, a trade association for broker-dealers and other financial firms. Atkins was asked his thoughts about the crackdown, which saw scores of financial firms collectively fined more than $2.2 billion for employees’ use of unauthorized messaging apps to conduct business.

Atkins told the audience that such a crackdown is “not the way a regulator should act” and “we have to address that.” 

This should surprise nobody, because Atkins has sounded off about the off-channel messaging crackdown before. Specifically, during a speech Atkins delivered to another securities industry event earlier this month, he said this:

Resources are limited in any organization, including the SEC, so hard decisions must at times be made as to which matters merit an enforcement action. We must go after cases of genuine harm and bad acts, but we must view cases of benign or innocent actions differently. In the past, we have seen examples of enforcement actions in areas, such as retention of books and records, that consumed excessive Commission resources not commensurate with any measure of investor harm.

At first glance, Atkins’ remarks sound reasonable. Governing employees’ use of unauthorized messaging apps is hard; and in many instances their use of those apps (iMessages, WhatsApp, Snapchat, Telegram, and lots of others that evade standard records-retention policies) doesn’t result in investor harm.

Don’t fall for it. There’s a bigger picture of compliance risk here, and Atkins’ shallow analysis glides right by it.

It’s About Accountability, Not Technical Violations

If we want to understand why enforcement against off-channel messaging is more important than Atkins says, a good place to start is the first such enforcement action that the SEC imposed: against JPMorgan Chase in 2021, when the SEC and the Commodity Futures Trading Commission fined JPMorgan $200 million and required an overhaul of the bank’s recordkeeping and employee discipline programs.

The specific wrongdoing was that employees were using those off-channel messaging apps to talk business, which meant that JPMorgan couldn’t capture and preserve those business records. That’s a violation of Section 17(a) of the Exchange Act, which requires financial firms to preserve business communications for up to six years. 

Those might sound like technical violations of SEC rules, and in the narrowest sense, they are. But we could also look at JPMorgan’s misconduct another way, such as the way the SEC itself described the misconduct in the consent order with JPMorgan:

This widespread practice was not hidden within the firm. To the contrary, supervisors — i.e., the very people responsible for supervising employees to prevent this misconduct — routinely communicated using their personal devices. In fact, dozens of managing directors across the firm and senior supervisors responsible for implementing JPMorgan’s policies and procedures, and for overseeing employees’ compliance with those policies and procedures, themselves failed to comply with firm policies by communicating using non-firm approved methods on their personal devices about the firm’s securities business.

That doesn’t sound like an endless series of technical violations to me. That sounds like senior executives throughout the bank couldn’t be bothered to follow the rules because those rules were a drag. It sounds like a culture of disinterest, where the senior executives responsible for modeling compliance-aware behavior weren’t held accountable when they ignored that duty, so the SEC gave JPMorgan a kick in the corporate rear to take those duties more seriously. 

Atkins never seems to talk about that part of regulatory compliance: the culture part, where senior leaders have a duty to make sure that everyone toes a certain line. It’s always just about violations that cause harm to investors. 

Which Harm, to Which Investors?

What bugs me about Atkins’ view of enforcement is that he takes a narrow view of investors who end up harmed by corporate misconduct, and how. That’s not how it works in the real world.

Let’s stick with off-channel messaging as an example. Even if the employees engaging in that misconduct aren’t actually harming investors by chatting away on WhatsApp, a firm’s failure to enforce against it sends the message that the firm doesn’t care about following the rules, and that opens the door to other employee misconduct in the future. Maybe the employees exchanging trade information on WhatsApp start trading insider information. Maybe they start violating other rules, since they’ve absorbed the message that rules aren’t enforced.

Are we really going to wait until actual investor harm happens, rather than move early to instill a culture of ethics and compliance that reduces the risk of misconduct in the first place? What compliance officer would think that’s a good approach at your own firm? None, that’s who. So why would it be good for the capital markets as a whole? 

Atkins just doesn’t seem interested in investor protection; at best, he seems tolerant of the idea that harmed investors should be made whole. Instead, he seems more captivated by the SEC’s other mission of “orderly markets,” which apparently he defines as light enforcement and low regulatory burden.

That’s not what orderly markets should be about. Orderly markets should be about keeping the markets free from fraud, flash crashes, and all the other meltdowns that have now happened numerous times over the last 15 to 20 years, with retail investors suffering the consequences. Not only does that goal require enforcement against wrongdoers; it requires imposition of standards, so that participants in the capital markets (investors, companies, and regulators alike) can all trust the larger ecosystem they share.

Financial firms need to impose those standards through corporate compliance programs. The SEC needs to impose those standards by taking action against firms that don’t. If the agency wants to go easy on sporadic technical violations by individual employees, that’s fine — but that’s not what we saw at JPMorgan or at numerous other offenders. We saw systemic disregard for compliance duties. 

If Atkins believes policing against that is a waste of SEC resources, good grief, we’re in trouble.