Since December 2021, the U.S. Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) have levied almost $3.0 billion in penalties[1] for longstanding failures by 39 broker-dealers, swap dealers, and investment advisors to maintain and preserve electronic communications, with the latest round of enforcement actions in February 2024.[2]

These actions are continued warnings that effective recordkeeping reflects the right culture of a firm’s compliance with laws, regulations, and ethical codes. Especially for records capturing “off-channel” messages through personal or other unapproved devices and media between employees, or those with their clients, suppliers, agents, or vendors.

Reminder No. 1 – Proper Records Matter

Long an “orphaned” regulatory requirement, records management has been treated historically as low priority. Consequently, recordkeeping was viewed grudgingly by employees as “everyone’s responsibility” and therefore, no one’s. This lack of accountability by “Everybody, Anybody, Somebody, and Nobody” is unfortunately and universally common, across society (the “bystander effect”) and across all industries to the point that it has been immortalized in business leadership literature.[3]

In stark contrast, recordkeeping is viewed as absolutely crucial by the SEC, CFTC, U.S. Justice Department (DoJ), OFAC, and other agencies. They rely heavily on business communications to investigate and enforce compliance with federal and state securities, banking, and commodities laws as well as laws covering fraud, bribery and corruption, sanctions evasion, and national security. They are a “treasure trove” of discovery to prosecute violative behavior.

The ongoing and widening net of SEC and CFTC enforcement actions are blunt reminders that firms must prioritize how their records are managed. This includes enforcing clear ownership and accountability over the intake, archiving, and proper destruction of all records including business-related communications.

Records management reflects a type of corporate hygiene because good records should translate into complete and timely responses to regulatory and litigation inquiries.

Tip No. 1 –

Records, including electronic communications, reflect an end-to-end flow of data from intake to use to secured storage. Strict data governance is therefore essential to ensure all communications – including “off-channel” ones, are complete and secure.

• Given this data flow, identify and assign clear “records” owners to capture, own, maintain, and share in a secure manner.
• Business, operations, IT, Legal, Compliance, and others should therefore be clearly identified and accountable across this flow and responsibility formally assigned through formal policies and procedures.
• These controls must be consistently communicated, and rigorously enforced – by your firm before external parties do so first.

Reminder No. 2 – “Off-channel” chatter might reflect “off-conduct” culture and behavior

The SEC and other agencies are messaging the following: the inability (or unwillingness) to manage “off-channel” emails and texts reflects:

1) not only poor records management, but also

2) potential “off-conduct” behavior of management and their employees. Especially when some of the firms’ senior managers were found to have explicitly instructed their staff to communicate “off-line” and / or to auto-delete these “off-channel” texts and emails.

WhatsApp or other apps enabling self-deleting, “ephemeral” messaging have been found by the SEC, CFTC, and the DoJ to willingly (or unwittingly) evade laws meant to prevent the abuse of customers by dealers and others trading fiat currencies, digital, or other asset classes. This evasive technique can easily also apply to avoiding laws such as:

• OFAC and other economic sanctions against Russia, North Korea, Iran, or other targets
• Anti-bribery and corruption
• Anti-trust;
• Customer due diligence, ultimate beneficial owner (“UBO”); and / or
• Anti-money laundering, and countering terrorist financing.

For example, multiple red flags should be raised if:

• Messaging and then benefiting foreign government officials or third-party agents to win a competitive contract through WhatsApp, Telegram, Signal, Wickr, or other encrypted, self-destructing media.
• A supplier seeks to discuss oil shipments or sanctioned dual-use technology or other machinery using multiple intermediaries, currencies, and/or digital assets through a messaging service offering self-destructing emails.

• Trader A suggests to salesperson B, or counterparty C, to “take it offline” to further their discussions about a complex FX trade involving exotic currencies. These should be flagged by management and Compliance as a potential red flag, with enhanced surveillance and supervision of the trader, salesperson, and their supervisors’ off-channel texts and emails.

Tip No. 2 –

• Conduct training and awareness to ensure these red flags are promptly identified, escalated, investigated, and self-reported to external agencies; and
• Both first line businesses and second line compliance officers must therefore establish clear “off-channel” communications policies, procedures, and surveillance tools to capture, control, and archive these unauthorized emails, texts, videos, and chats so that these red flag activities are prevented and detected and quickly investigated, actioned, and reported when they arise.

Reminder No. 3 – “It can’t happen here”: it certainly can!

Many of the firms penalized in 2021 to early 2023 were large financial institutions. They can more easily pay the monetary penalties, afford the required independent monitors, and withstand the reputational “hit”.

Importantly, the most recent wave of enforcement actions has ensnared smaller registered investment advisors and affiliates of insurance companies involving individual investors. This enforcement trend will not stop and could significantly affect smaller players’ profitability and business success in the future.

Tip No. 3 –

• Do not assume that these “off-channel” enforcement actions cannot happen at your firm just because you think you “fly under the radar.”
• Your competitors could blow the whistle on your firm if they have privately self-reported to their regulator. They will not hesitate to throw competitors “under the proverbial bus” to minimize their own penalty.
• Self-assess and benchmark industry practices, especially if enforcement actions have been levied against your competitors or could affect your industry.
• Understand whether and how “off-channel” messaging and unauthorized business communications do or can occur at your company. This can be done using internal compliance, investigative or audit resources, or by retaining an independent external compliance consultant.

Reminder No. 4 – “Off-channel” messaging is borderless – and risks our national security

Future “off-channel” enforcement actions will further expand beyond the financial services industry. They will expand into healthcare, defense, technology, and others exposed to data privacy, government contracts, trade sanctions, and other higher risk laws affecting the national security of the United States.

For example, Russian, Iranian, and other economic sanctions can easily be circumvented using unauthorized, self-deleting emails and texts – especially when combined with the bribery and corruption of foreign government officials using black-market cryptocurrencies. This scenario is no longer from Hollywood but quite real.

As a reminder, the DoJ’s Evaluation of Corporate Compliance Guidelines explicitly expects all firms, small and large, public, and private, for- and not-for-profit, to manage and capture their business communications – especially “ephemeral” ones.^[4]

Furthermore, the European Union and Asian countries already enforce many of its privacy, tax, sanctions, anti-bribery and corruption, and anti-trust laws through recordkeeping requirements. It would be no surprise if the EU, Japan, Australia, or China further investigates and prosecutes these laws by enforcing recordkeeping including “off-channel” communications policies, procedures, and practices.

During these volatile economic and geopolitical times, international cooperation focusing on military, political, and financial intelligence likely includes the importance of monitoring “off-channel” communications.

Regulatory and law enforcement agencies within and beyond U.S. borders are already sharing this intelligence regularly, including electronic communications, particularly since so many major crimes are committed globally and across multiple industries.

It is therefore especially crucial that company boards of directors, senior management, and employees understand who is communicating what, with whom, and why, and whether these messages are properly and completely captured and archived.

Tip No. 4 –

• Benchmark industry practices with respect to capturing, monitoring, and archiving “off-channel” communications. Consider whether your competitors can do so, and if so, whether they are capturing all management and employees, or only those that pose higher risks, e.g., overseas sales, international trade, shipping, etc.
• Educate and engage your board of directors to ensure that “off-channel” communications risks are understood, after you conduct a meaningful compliance risk assessment of your products, services, clients, and third-party suppliers and agents. From there, consider what kind and to what extent, business communications occur between your company and these entities and parties.
• Risk-rank your employees and consider whose business and off-channel communications must be captured, monitored, and archived, and investigated and enforced where required.
• Strictly enforce your “off-channel” communications policies and procedures to send the right message that they are being monitored and that unauthorized business communications will be strictly enforced and disciplined.
• Engage third party consultants to independently evaluate your “off-channel” communications controls and “corporate hygiene” over recordkeeping, so that you have clear owners and accountability to manage and minimize your risks.
• Consider how best to implement recommended changes that you self-identify as well as those provided by your third-party consultant.

“The Story of Everybody, Anybody, Somebody and Nobody”[5]

“There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that because it was Everybody’s job. Everybody thought Anybody could do it, but Nobody realized that Everybody wouldn’t do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have.”

[1] Table: SEC, CFTC off-channel communications penalties | Premium | Compliance Week

[2] SEC.gov | Sixteen Firms to Pay More Than $81 Million Combined to Settle Charges for Widespread Recordkeeping Failures

[3] I have included an abridged version of this poem attributed to Charles Osgood at the end of this blog.

[4] Microsoft Word – 2023.03.03 – Revised ECCP (revised3) (justice.gov) – see page 17.

[5] Condensed by a poem by Charles Osgood and posted by many including Lola Doskall. And too often is the life of a chief compliance officer when seeking to implement key policies and controls affecting “everybody.”