ENFORCEMENT—SEC, CFTC fine 11 financial groups $1.8 billion over pervasive recordkeeping failures - 29 September 2022

Widespread use of off-channel communications tools at major financial institutions violated federal law and regulations, caused cybersecurity and privacy risks, and may have hobbled investigations.

In massive parallel crackdowns, the SEC and CFTC ordered civil penalties of over $1.1 billion and $710 million, respectively, against 11 financial institution groups in connection with the use of unapproved communications methods and failure to preserve communications records. Unapproved and unrecorded communications were used pervasively, including by senior employees, and occurred over multiple channels including personal text, WhatsApp, and Signal, among others. The firms admitted the facts in the orders.

CFTC Chairman Rostin Behnam indicated that recordkeeping violations are rigorously enforced.

“As demonstrated today, the Commission will vigorously pursue registrants who fail to comply with their core regulatory obligations and hold them accountable,” said Behnam.

The SEC noted that the recordkeeping failures likely deprived it of off-channel communications in various investigations.

“If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.

Significant recordkeeping failures. Broadly, SEC and CFTC books-and-records rules require messages in connection with registered securities, commodities, and swaps businesses to be sent through approved communications methods and monitored, subject to review, and when appropriate, archived.

The SEC and CFTC found that the respondents at 11 financial institutions, which included 28 separate entities, violated their own policies and federal law and regulations by failing to ensure that employees used approved communications methods. Investigations revealed that employees used unapproved methods to communicate on an extremely widespread basis, including by personal texts and chat apps like WhatsApp and Signal. As a result, many thousands of communications were not recorded or preserved.

The use of unapproved communications methods often extended into senior levels.

“The CFTC found significant unauthorized communication practices at the direction of senior executives, who knew they were violating bank policies but wanted to obfuscate communications surrounding trading,” said CFTC Commissioner Christy Goldsmith Romero.

For example, a sampling of the personal devices of thirty UBS employees, which included numerous senior-level employees, found that all but one employee had violated UBS’s communications policies and procedures by using personal text message and other unapproved methods to communicate with brokers, coworkers, and market participants. Moreover, the sampled communications revealed that hundreds more UBS employees—including numerous managing directors and senior supervisors—similarly conducted firm business using off-channel methods.

Romero added that in some instances, employees were instructed to delete messages, both as a routine matter and in response to investigations. For example, the head of a trading desk at Bank of America routinely directed traders to delete messages on personal devices and to use Signal, including during the CFTC’s investigation. Similarly, a trader at Nomura deleted messages including WhatsApp after the CFTC sent a request to preserve documents, including incriminating statements about trading.

Cybersecurity concerns. CFTC Commissioner Kristin Johnson pointed out that use of unauthorized communications methods could cause cybersecurity and privacy risks.

“Toggling between authorized and unauthorized communication tools and engaging in offline communications of confidential client information or protected market data creates cybersecurity and privacy threats for customers, as well as banks and bank-affiliated entities and their employees, said Johnson.

Violations and sanctions. The respondents are:

  • Barclays—SEC $125 million, CFTC $75 million
  • Bank of America and Merrill Lynch, Pierce, Fenner & Smith Inc.—SEC $125 million, CFTC $100 million
  • Citi—SEC $125 million, CFTC $75 million
  • Credit Suisse—SEC $125 million, CFTC $75 million
  • Deutsche Bank—SEC $125 million, CFTC $75 million
  • Goldman Sachs—SEC $125 million, CFTC $75 million
  • Morgan Stanley—SEC $125 million, CFTC $75 million
  • UBS—SEC $125 million, CFTC $75 million
  • Jefferies—SEC $50 million, CFTC $30 million
  • Nomura—SEC $50 million, CFTC $50 million
  • Cantor Fitzgerald—SEC $10 million, CFTC $6 million

Warning to correct issues. The regulators urged registrants to fix recordkeeping issues.

“These actions deliver a straightforward message to registrants: You are expected to abide by the Commission’s recordkeeping rules,” said Sanjay Wadhwa, deputy director of Enforcement. “The time is now to bolster your record retention processes and to fix issues that could result in similar future misconduct by firm personnel.”

CFTC Acting Director of Enforcement Gretchen Lowe noted that the scope also extends to certain non-registrants.

“Registrants and other market participants subject to the federal commodities laws and regulations are encouraged to examine their own internal controls and supervision to ensure they are in compliance,” said Lowe.

Perhaps signaling the possibility of future enforcement actions, l added that registrants should not only fix any issues but should also self-report deficiencies. “[B]roker dealers and asset managers who are subject to similar requirements under the federal securities laws would be well-served to self-report and self-remediate any deficiencies.”

© 2021 CCH Incorporated and its affiliates and licensors. All rights reserved.

This website uses cookies to ensure that we give you the best experience on our website. This cookie data is anonymous, read about how we use cookies and how you can control them in our Cookie Notice. Otherwise, we’ll assume you’re OK to continue. Find out more.