Pain in the App: Messaging Apps Lead to Large SEC Enforcement Actions
On September 29, 2023, the U.S. Securities and Exchange Commission charged several firms with recordkeeping failures. These recordkeeping failures relate to pervasive and longstanding off-channel communications. Generally, all of these actions relate to the widespread use of various messaging apps that ultimately violate SEC requirements and circumvent internal corporate controls. These are the latest enforcement actions in a string of similar penalties by the SEC over a nearly two-year period.
In this round of actions, the SEC fined the following companies:
- Interactive Brokers Corp. and affiliate Interactive Brokers LLC (together, Interactive Brokers) agreed to pay a $35 million penalty;
- Robert W. Baird & Co. Inc. agreed to pay a $15 million penalty;
- William Blair & Company LLC and affiliate William Blair Investment Management LLC (WBIM) agreed to pay a $10 million penalty;
- Nuveen Securities LLC agreed to pay an $8.5 million penalty;
- Fifth Third Securities Inc. agreed to pay an $8 million penalty; and
- Perella Weinberg Partners LP (Perella Weinberg), together with Tudor, Pickering, Holt & Co. Securities LLC (TPH) and Perella Weinberg Partners Capital Management LP (Perella Weinberg Capital), which self-reported, agreed to pay a $2.5 million penalty.
- DBRS Inc. agreed to pay an $8 million penalty.
- Kroll Bond Rating Agency, LLC (KBRA) agreed to pay a $4 million penalty.
Ultimately, all of these firms had employees who used “off channel” messaging apps on their phones to discuss business matters. These communications were required to be preserved according to federal securities laws. Due to the nature of these apps, preservation did not occur and was not possible. The messaging apps at issue included WhatsApp, GroupMe, or just a personal text messaging app (e.g., Apple’s stock messenger). Because these apps bypassed their respective firms’ recordkeeping controls, key communications were lost or deleted in violation of federal securities laws.
In 2022, during a round of actions that saw several firms each pay $125 million for similar violations, SEC Chair Gary Gensler noted that “[a]s technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.” These words continue to resonate as technology continues to evolve and the world becomes even more digital-based.
In this round of cases, firms could not simply say that these mistakes were made by junior employees who may not have known any better. Rather, it was the senior management, partners, and managing directors who were all complicit in these messaging failures. Junior employees simply followed suit, and any existing corporate policies were ignored or fell by the wayside.
Even worse, in the DBRS case, the company’s compliance department ultimately approved the destruction of various records. During a 2022 rollout of new company devices, the company directed, with the approval of compliance, that several analytical employees could wipe their devices during the transition. This ultimately destroyed numerous records in violation of SEC regulations. It’s hard to imagine a compliance department making such a costly mistake, but it does happen. This should really drive home how companies should continue to hone their internal controls to ensure accidents and mishaps like these are avoided.
As part of each enforcement action, the firms are required to engage independent compliance consultants to help shore up their compliance policies and procedures. Upon engagement, the consultants will:
- Review supervisory, compliance, and other policies and procedures designed to ensure that electronic communications, even those found on personal devices, are preserved in accordance with federal securities laws.
- Review trainings conducted by the company to ensure personnel are complying with the requirements of those policies and procedures, in addition to ensuring employees are certifying that they are complying.
- Assess the surveillance program measures implemented to ensure compliance.
- Assess the technological solutions implemented and employed to ensure compliance, including an assessment of the likelihood that employees will use the solutions going forward.
- Assess the measures used to prevent the use of unauthorized methods of communications and whether those measures are effective in practice.
- Review electronic communications surveillance routines to ensure any communications made through approved methods on personal devices are incorporated into the overall surveillance program.
- Review the disciplinary framework used to address instances of non-compliance, with a focus on how these instances were identified, the corrective action carried out, and whether these penalties were consistent across the business lines and seniority levels.
Firms seeking to ensure they are not subject to similar enforcement actions should heed these requirements and consider a proactive assessment of these areas. Following these assessments, what are firms to do should they find violations? Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, put it very simply: “self-report, cooperate and remediate.”