Failing to Preserve E-Communications? 5 Steps to Help Avoid Fines

Electronic communications are firmly in the spotlight right now, and there are $1.8 billion worth of reasons why. The SEC recently fined 16 Wall Street companies for failures in electronic communications recordkeeping, while 11 of them also received additional fines from the CFTC.
 
The penalties for the companies involved were the result of “widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications,” according to a press release from the SEC. To be clear, the regulator’s view is not to stop surreptitious communications, but rather to get access to data they should have access to by law.
 
The SEC’s recordkeeping rules were established in the 1930s, and the definition of record keeping has always been clear. However, the large penalties indicate that the SEC and CFTC are changing their expectations on how banks are complying with recordkeeping requirements with respect to mobile communications. For broker-dealers, investment advisors, asset managers, swaps dealers, merchants and other relevant businesses on Wall Street, the message couldn’t be clearer: If obligations surrounding this issue go unmet, charges are coming — and they’re coming at a cost.
 
For companies aiming to comply with regulators’ expectations, they should consider best practices to remediate their compliance programs.

 

1. Policies

• Perform a review of all policies and procedures surrounding electronic communications recordkeeping.

• Update BYOD polices so personal phones are bifurcated into a work versus personal section.

• If using personal devices for business, there should be an expectation of increased likelihood that Compliance will ask to look at it, including personal content.

• Regulators may not care about personal privacy arguments. If companies want cooperation credit, they need to answer regulators on how they’ve addressed personal communications.

• Increase the frequency of employee attestations that they are not engaged in off-channel communications and are adhering to these compliance policies from annual to quarterly.

 

2. Training

• Implement training programs that highlight proper electronic communications recordkeeping.

• Increase the frequency of employee and manager training from annual to quarterly.

• Conduct train-the-trainer courses that provide managers with a deeper level of understanding of program needs.

• Instruct managers of desks to remind their teams about these policies and implement checkpoints to ensure they are compliant.

 

3. Technology

• Through training courses, emphasize the technologies that are acceptable, and adopt a zero-tolerance policy for those violating policies.

• Adopt technologies that record and monitor communications between employees and counterparties. Consider the implications of using apps like WhatsApp and iMessage if they are not approved by the organization and determine how they are monitored.

• Set expectations that these technologies are not meant to eliminate surreptitious communications, but rather to allow employees to communicate with counterparties using preferred messaging apps while meeting compliance obligations.

 

4. Monitoring and Testing

• Once communications are recorded using technologies, companies need to implement and continuously refine the surveillance program, including adopting lexicon-based surveillance on desk channels (e.g., Bloomberg and Outlook) to look for indicators of off-channel communications (e.g., “Hit me up on WhatsApp”).

• Perform regular assessments of surveillance program measures and their effectiveness (e.g., determining how many employees have activated their licenses for new communication technologies).

• Assess measures that have been taken to prevent the use of unauthorized communication platforms and apps.

• Include testing as part of Internal Audit reviews, and quickly adapt practices when teams are not meeting compliance testing obligations.

 

5. Accountability and Discipline

• Conduct a comprehensive review of the framework adopted to address instances of noncompliance.

• Accountability is the key requirement. For companies to take accountability for their actions, they should document the steps taken to comply and hire outside parties to independently measure the program’s efficacy. Update policies such as the Employee’s Code of Conduct to explicitly describe the disciplinary actions stemming from violations related to off-channel communications, including monetary penalties and termination.

Without systems or policies in place to address the issue of noncompliance, old habits will continue, and violations may be repeated. The argument of personal privacy also isn’t one likely to satisfy regulators. For companies looking to cooperate with regulators, they need to show how they addressed personal communications.
 
That doesn’t mean that personal privacy isn’t important, but organizations need to set expectations that policies being implemented are designed to allow employees to communicate in ways that meet compliance obligations and prevent further rules violations.
 
Companies have it in their best interest and the best interest of their clients to follow best practices regarding electronic communications recordkeeping, and with the recent SEC and CTFC actions, it’s crucial to start now.

 

---