Roundup: SEC’s off-channel communication enforcement continues

By Eric Beck, Managing Director and Jennifer Dickinson, Senior Managing Director, U.S.

Since launching its sweep in 2021, the U.S. Securities and Exchange Commission (SEC) has been vigorously enforcing the recordkeeping rules for broker-dealers (BDs) and registered investment advisers (RIAs).  In this article we summarize those original cases and will share takeaways from the most recent ones.

Where we’ve been

This long string of enforcement actions highlights the SEC’s increased scrutiny on firms that fail to maintain proper records of business-related communications. Since December 2021, over 100 firms have been fined over $2.2 billion for failures related to off-channel communications.  Many of these cases did not involve any other substantive violations, highlighting the importance of recordkeeping in two ways:

1. The SEC and FINRA depend on firms to maintain all required records so they can conduct meaningful examinations and protect the investing public
2. Firms should consider thorough recordkeeping an opportunity to demonstrate their commitment to a culture of compliance and prove to regulators that they are following their policies and applicable laws and rules.

To illustrate the importance of compliance, we encourage firms revisit these cases and share them with their teams:

• JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges – December 17, 2021
• SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures (penalties totaling $1.1 billion) – September 27, 2022
• SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures (penalties totaling $289 million) – August 8, 2023
• SEC Charges 10 Firms with Widespread Recordkeeping Failures (penalties totaling $79 million) – September 29, 2023
• Sixteen Firms to Pay More Than $81 Million Combined to Settle Charges for Widespread Recordkeeping Failures – February 9, 2024
• Twenty-Six Firms to Pay More Than $390 Million Combined to Settle SEC’s Charges for Widespread Recordkeeping Failures – August 14, 2024
• Eleven Firms to Pay More Than $88 Million Combined to Settle SEC’s Charges for Widespread Recordkeeping Failures – September 24, 2024
• Twelve Firms to Pay More Than $63 Million Combined to Settle SEC’s Charges for Recordkeeping Failures – January 13, 2025
• Two Robinhood Broker-Dealers to Pay $45 Million in Combined Penalties for Violating More Than 10 Separate Securities Law Provisions – January 13, 2025

Some common threads in all of the cases include:

1. Violations occurred at all levels of firms, including supervisors and management
2. Some employees went to significant lengths to circumvent the firms’ archives, including using device settings to automatically delete communications
3. Messaging apps included text messaging, personal email accounts, WhatsApp, LinkedIn Messaging and WeChat
4. Communications typically involved internal investment decision-making, providing advice to clients and interacting with counterparties and other market participants
5. The SEC encouraged self-reporting and remediation by consistently reducing, or in a few cases, waiving entirely, penalties for the violations.

Where we’re headed

These cases against nine standalone RIAs and three BDs are very similar.  All of the RIA cases had virtually the same fact pattern. Investment professionals were using unarchived tools (text, WhatsApp, Facebook Messenger and LinkedIn, among others) to:

• Discuss investment decisions or advice, including whether to move ahead with deals and valuations on deals. One example included an internal conversation about the price the firm should include in its bid for a client to participate in a transaction. These communications included both internal colleagues as well as third parties, one example being WhatsApp messages between a partner at the firm and an executive at a company about a potential deal
• Place trade orders on behalf of clients or otherwise discuss trades, execution and position sizes
• Communicate financial information, including performance data, and manage the disbursement of funds from client transactions.

Even though investment decisions are likely recorded in other ways, e.g. through investment committee meetings or memoranda, it seems the SEC took issue even with these interim communications not being archived.  Penalties for the advisers ranged between $4 million and $8.5 million.  However, one firm’s penalties – for the same basic facts – was $11 million. The only distinguishing facts mentioned in this order were that, while the employees who were caught at that firm were counseled about the violations, a partner who’d also been caught did not also receive a written reminder of the firm’s policies.  Following the partner’s meeting with the compliance officer, he or she continued to use off-channel communications for substantive firm business.

The three BD cases similarly involved internal communications, as well as external interactions involving clients and other market participants.  These orders indicated that many of the employees who violated the firms’ policies were themselves supervisors and responsible for the compliance of their teams.

All of the firms had attempted to comply and/or remediate to varying degrees, including taking the following measures, albeit with mixed success:

• Repeated training and reminders
• Monitoring approved communications channels
• Requiring employees to send their off-channel communications to their business emails so they could be archived
• Implementing keyword searches in the communications archive to detect possible off-channel usage
• Requiring employees to attest to the firms’ communications policies
• Issuing mobile devices to certain employees, with the text feature blocked. Employees wanting to use texting for business purposes had to seek pre-approval, at which point the text feature would be enabled and archived.

However, all of the orders stated that the SEC found the procedures implemented at these firms insufficient to ensure recordkeeping policies were being followed.  In the last example, the phone service provider erroneously enabled texting on approximately 1,700 phones that were not approved by the firm, resulting in some 330,000 messages not being archived.  Unfortunately, the firm had not conducted testing to assess whether the pre-approval mechanism and subsequent archiving was functioning as intended.

Separately, the SEC announced a record number of enforcement actions for its first quarter of 2025 (October-December 2024) alone, specifically highlighting the importance of remediation, cooperation and the potential benefits of self-reporting, many of which have been recurring themes in the off-channel communications cases as well.

What to do

The most recent cases show that having policies, conducting training, monitoring archived communications, issuing reminders, and requiring attestations to policies are not enough.  All of these are good tools and should be implemented.  These orders, however, call upon firms to do more than that.  For example, firms using technological solutions such as issuing their own mobile devices that archive texts should have review and testing procedures to make sure texting is not enabled on unapproved devices.  If the issue had been caught sooner, perhaps fewer communications would have been lost, potentially limiting the firm’s exposure.

Whether the enforcement effort continues remains to be seen.  In routine examinations, we are seeing examiners ask about and request documentation of firms’ policies and procedures relating to electronic communications; firms should expect those inquiries to continue and consider ways in which they can enhance their compliance programs in this area.

At IQ-EQ, our compliance consultants have the experience to handle all U.S. regulatory requirements of the SEC and will work closely with you to keep your firm compliant in the face of new and evolving rules. Find out more about our U.S. compliance consulting services.