Change the channel: Another dirty dozen hit with chat app breaches

US regulators have fined 12 more firms for use of WhatsApp and other off-channel communications.

Mark Taylor

Mark Taylor

Senior Editorial Manager

Across two separate enforcement actions on Friday, September 29, the Securities and Exchange Commission (SEC) sanctioned multiple brokers, investment advisers, and credit rating agencies, for violating record-keeping rules.

The firms agreed to pay $92m for not maintaining or preserving electronic communications, adding to the haul of more than $2bn in penalties for Wall Street firms in two years for similar offences.

In total more than 30 names across financial services have paid multi-million-dollar penalties for allowing staff to use chat apps, with experts predicting the wave to continue as prosecutors continue to trace evidence across the industry.

Failure to maintain and preserve required records is a violation of federal securities laws, the SEC said.

The first notice consisted of five broker-dealers, three dually registered broker-dealers and investment advisers, and two affiliated investment advisers, including Interactive Brokers, Robert W. Baird & Co., William Blair & Co. and its affiliate William Blair Investment Management, Fifth Third Securities and Nuveen Securities.

What did regulators find during their probe of off-channel communications

Investigators “uncovered pervasive and longstanding off-channel communications” at all the firms. 

Employees used personal devices, sending texts, WhatsApp, and GroupMe messages to conduct business, make recommendations, and transmit advice, investigators said.

“The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws,” it said, adding that this also prevented the SEC from examining the communications for instances of misconduct as part of its enforcement.

Regulators praised Perella Weinberg Partners, together with its energy business Tudor, Pickering, Holt & Co. Securities, for self-reporting after an internal investigation.

“There are real benefits to self-reporting, remediating, and cooperating,” said Gurbir S. Grewal, director of the SEC’s enforcement division, in the news release.

The firms agreed to hire independent compliance consultants to conduct reviews of their electronic communications on personal devices and their frameworks for dealing with non-compliance.

Why were credit agency firms punished for record-keeping breaches

In the second notice, two credit rating agencies, DBRS Inc. and Kroll Bond Rating Agency were chastised for “longstanding failures to preserve electronic records”, including off-channel communications on personal and work-issued devices.

Additionally, the SEC charged DBRS with violating the federal securities laws’ disclosure and internal control provisions in rating certain commercial mortgage-backed securities.

“Credit rating agencies are gatekeepers in our securities markets that are subject to recordkeeping requirements—requirements that aren’t optional, but rather foundational to the Commission’s ability to maintain fair, orderly, and efficient markets,” said Gurbir Grewal, Director of the SEC’s Division of Enforcement.

“If there’s an allegation of wrongdoing at the credit rating agency, the Commission must be able to review preserved documents to determine what happened. If there is an examination, our examiners must be able to look at relevant documents to assess compliance issues,” Grewal said.

From at least July 2019, DBRS employees, including those at senior levels, communicated internally by text messages about initiating and determining credit ratings and about adjustments to the results of the quantitative predictive model that DBRS used to rate certain transactions.

DBRS not only failed to retain these messages in violation of federal securities laws, SEC officials said, but the firm’s compliance officers gave approval for at least 19 employees to wipe their phones.

Why have regulators targeted firms where WhatsApp and other chat apps are used

The SEC has now charged more than 30 firms for using WhatsApp and other non-approved communications, while its sister agency, the Commodities and Futures Trading Commission (CFTC) has imposed more than $1bn penalties on 20 financial institutions for similar misconduct offences.

Social distancing and remote working arrangements during the COVID-19 pandemic pushed many firms to adopt alternative communication methods to keep trade flowing, but regulators had indicated several years prior they were concerned about the growing use of WhatsApp, WeChat, Slack, and Facebook for trading chat.

In 2017, the Financial Industry Regulatory Authority (FINRA) issued guidance on how it and SEC record-keeping rules applied to digital communications “in light of emerging technologies and communications innovations”, and a year later, the SEC noted an uptick in the use of such apps by investment advisors.

By 2019, FINRA said it had spotted “red flags” that registered brokers “were using impermissible personal digital channel communications in connection with firm business”.

The first wave of enforcement cases was launched by the SEC in 2021, and just months later it and the CFTC announced settled actions for “widespread and longstanding failures” to maintain and preserve written communications.

Some of Wall Street’s biggest names were fined $200m for allowing traders to use off-channel communications, and two years on the cases have multiplied, with UK regulators now handing out similar punishments.

“With billions in penalties imposed to date, it is no surprise that both the SEC and FINRA have included in their 2023 examination priorities the inspection of broker-dealer compliance and supervisory programmes for electronic communications related to firm business and the record-keeping for those electronic communications,” said Ann Began Furman, a financial regulatory expert at Carlton Fields.

“To the extent the amount of penalties imposed is a measure of success of an examination programme, regulators have struck gold,” Furman said. “With such apparently favourable odds, regulators are likely to keep mining for registered personnel who engage in business-related digital communications with firm customers through channels not approved and controlled by the firm.”

CUBE comment

The SEC shows no sign of slowing its crackdown on WhatsApp use inside regulated firms. It has sent a message that given the pervasiveness of chat apps – there cannot be many or indeed any firms where employees aren’t chatting in this manner – it may be better to self-report and save the trouble of a multi-million-pound penalty. And businesses can’t say they weren’t warned.

Compliance approaches to record-keeping and off-channel communications were discussed in depth at a recent industry roundtable hosted by CUBE for compliance officers at banks, investment firms, and other financial services institutions. If you would like to join your compliance peers at a future roundtable, contact us today for details on how to attend these confidential, invite-only events.