SEC Charges Wall Street Firms with Recordkeeping Failures
The SEC announced charges against fifteen broker-dealers and one investment adviser for recordkeeping violations involving the use of “off-channel” communications (e.g., WhatsApp) without properly preserving the electronic communications. According to the settled orders, the firms’ employees (including senior personnel) routinely communicated about business matters using text messaging applications on personal devices. From the Commission’s perspective, by not preserving required electronic records, the firms deprived the Commission of valuable information needed in support of its examination and enforcement mission. Each of the firms was charged with violating the Exchange Act recordkeeping provisions and with failing to supervise in order to prevent and detect those violations. The Exchange Act essentially requires preserving all communications relating to the firm’s business. One firm was charged with violating an analogous provision under the Advisers Act. That provision is a bit more targeted, requiring preservation of communications relating to recommendations made or proposed to be made and any advice given or proposed to be given. Each firm agreed to pay a substantial penalty (including eight firms and their affiliates each agreeing to $125 million penalties, two agreeing to $50 million penalties, and one agreeing to a $10 million penalty), and each also agreed to hire a compliance consultant to review its policies and procedures. In a related action, the CFTC announced settlements with the same firms (with penalties ranging from $6 million to $100 million) for violating recordkeeping regulations that generally require preserving records of all transactions relating to the firm’s business of dealing in commodity interests. One firm, Bank of America, paid a larger penalty for, among other things, a supervisor who instructed his team to delete text messages and move their communications to unapproved applications.
The final tally of penalties for all firms was approximately $1.8 billion.
While no firm was accused of fraud or other nefarious conduct, the regulators are sending an unmistakable message that recordkeeping is important. This is not the first time they have aired that grievance. At least as far back as 2006, Morgan Stanley (which is among the settling parties this go-around) paid a $15 million penalty for failing to properly maintain back-up tapes of certain emails, and in 2021 J.P. Morgan paid a $125 million penalty for conduct that presaged the latest actions. To be sure, it is challenging to manage the flow of communications on so many different platforms, and the informal nature of many ephemeral communications – the modern-day version of chats around the water cooler – is perhaps incongruent with regulations dating to the 1930s, when regulators probably did not contemplate recording for posterity every casual conversation. (In a possible case of “do as I say, not as I do,” SEC officials reportedly may use off-channel communications to circumvent their own analogous federal recordkeeping obligations.) And the fact that the failures are so widespread suggests that firms have (wrongly) treated informal chats as akin to face-to-face conversations, which the SEC has not (yet) deigned to require be captured and recorded. Nevertheless, as regulated entities, firms must follow the rules. This means implementing technology to capture and record all relevant communications, and making clear to employees that they must follow the rules or face discipline.
For more information about these proceedings, please view materials on the SEC’s and CFTC’s websites at the following links:
SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures
CFTC Charges 11 Firms for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods
Failure to Safeguard PII in Violation of Reg S-P
Morgan Stanley Smith Barney LLC settled charges with the SEC for the firm’s failure to scrub millions of customers’ personally identifiable information (PII) from computer hardware before decommissioning the hardware. Morgan Stanley hired a moving and storage company with no expertise in data destruction services to decommission thousands of hard drives and servers. Morgan Stanley, however, did not monitor the moving and storage company’s handling of the equipment. The equipment ended up sold around the world via an internet auction site to third parties; Morgan Stanley recovered only a fraction of the devices, which contained unencrypted customer data. During a records reconciliation process, Morgan Stanley discovered that some devices had been equipped with encryption capability, but the firm had failed to activate that software for several years.
The SEC order found that Morgan Stanley failed to safeguard customer PII, and Morgan Stanley agreed to pay $35 million to settle charges for violating the Safeguards and Disposal Rules of Reg. S-P.
Clients should be mindful that improper handling of client or shareholder information not only violates various regulations, but also exposes firms to private litigation and reputational harm. Thus, firms must be vigilant to ensure proper handling, storage, and ultimately destruction of sensitive data. We recommend reviewing relevant policies and procedures and working with experienced IT consultants, and firms should consider using encryption technology to ensure that data that falls into the wrong hands will be unusable.
In short, advisers should not expect a honeymoon period; the staff is gearing up for examinations as soon as the compliance deadline passes. For more information about these proceedings, please view materials on the SEC’s website at the following link:
In the Matter of Morgan Stanley Smith Barney LLC
Reg S-ID Violations
The SEC has settled enforcement actions against JP Morgan Securities, LLC; UBS Financial Services, Inc.; and TradeStation Securities, Inc. for deficiencies in their programs to prevent identity theft, in violation of Reg S-ID. Generally, all three failed to have policies and procedures reasonably designed to identify red flags, incorporate the red flags into their programs, and update the programs periodically. The SEC also faulted JP Morgan for insufficient oversight of service provider arrangements, in particular for failing to ensure that its service provider contracts had language requiring the service providers to detect identity theft red flags and either report red flags to JP Morgan or respond to the red flags themselves. The SEC also faulted UBS for not periodically reviewing new or existing account types to determine how to apply the program to them, and both UBS and TradeStation for failing to adequately involve the board of directors, an appropriate committee thereof, or a designated senior management employee in the oversight, development, and implementation of the program. The orders suggested that the entities should have periodically reviewed their respective programs and conducted risk assessments to understand the types of covered accounts and applicable red flags. The firms also were faulted for not providing the board “sufficient information addressing the effectiveness” of the program. The SEC criticized TradeStation for not specifying what steps staff should take for additional due diligence when they detected problems. All respondents were faulted for failing to adequately train their staff as well.
The SEC has been more aggressive in recent years in anti-money laundering, cybersecurity, and identity theft enforcement, so registrants should take heed. Each investment company is a financial institution subject to Reg S-ID, and funds in turn typically rely on their transfer agent to oversee the identity theft programs. Thus, we recommend reviewing contracts to ensure responsibilities are clear, reexamining identity theft procedures, and documenting the review and training.
For more information about these proceedings, please view materials on the SEC’s website at the following links:
In the Matter of J.P. Morgan Securities LLC
In the Matter of UBS Financial Services Inc.
In the Matter of TradeStation Securities, Inc.
Proxy Voting by Mutual Funds
In a recent enforcement action, the SEC challenged the practice of an investment adviser employing a standing instruction to its proxy voting service to vote all the funds’ securities in favor of proposals put forth by the issuer’s management and against shareholder proposals. The SEC criticized the adviser for failing to review each proxy to evaluate whether each management proposal was in fact consistent with the adviser’s clients’ best interests. The SEC also found that the adviser’s policies and procedures were not adequately designed to ensure the firm voted in its clients’ best interests.
There was no hint from the SEC that the adviser’s clients were harmed or that any votes should have been different. Nor does the SEC grapple with the question of whether advisers and clients might agree that a standing instruction is in fact in the clients’ best interest because the expense of reviewing individual proxies may outweigh any perceived benefit. (Indeed, the adopting release to Rule 206(4)-6 expressly contemplates that there may be instances in which an adviser may refrain from voting proxies if the adviser “determines that the cost of voting a proxy exceeds the expected benefit to the client.”) The message should be clear, however, that advisers must have policies consistent with exercising some judgment, rather than reflexively voting all proxies one way or refraining from voting altogether.
For more information about this matter, please visit the SEC’s website at the following link:
In the Matter of Toews Corp.