eComms compliance – the SEC continues its scrutiny and issues substantial fines

      In September 2021, the SEC began focusing on how banks were monitoring, archiving and safeguarding business-related eComms conducted by their employees on personal mobile devices. The SEC uncovered widespread use of unapproved devices and private messaging apps by employees, even where firms had established policies and procedures governing such communications.

      Latest SEC eComms Developments

      Last month, the SEC charged 16 firms for widespread recordkeeping failures, as well as for failing to supervise their employees by not detecting or preventing the use of unapproved devices. The firms admitted to wrongdoing and agreed to pay penalties totalling more than $1.1 billion. SEC Chair Gary Gensler commented, “Finance, ultimately, depends on trust. By failing to honor their recordkeeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust.”

      The SEC’s investigation uncovered pervasive off-channel communications. From January 2018 through September 2021, the firms’ employees routinely communicated about business matters using text messaging applications on their personal devices. The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws.

      The importance of rigorous eComms compliance policies and procedures

      These latest developments deliver a straightforward message: firms must abide by the SEC’s recordkeeping rules. They also make clear that firms must implement rigorous policies and procedures in order to demonstrate compliance with Securities Exchange Act of 1934 Rule 17a-4(b)(4) and Advisers Act Rule 204-2(a)(7).

      Now is the time to bolster your record retention processes and to fix any issues that could lead to similar misconduct in future. Employees must be made aware that by using personal accounts and devices for business communications, they are opening themselves up to review by the SEC. Firms must now communicate clearly with their employees, stating explicitly which applications are approved for business use and that anything else is prohibited.

      Requiring attestation and acknowledgement of communications protocols

      In the first instance, firms should require staff to attest to and acknowledge the firm’s communications protocols. Many firms are actively asking staff to affirm that they are aware of the rules and are complying with policy. Staff should be told which apps and communication channels are approved, and that communications over those channels will be recorded and preserved in line with the SEC’s regulations. It is also vital that employees confirm their awareness, acknowledgement and agreement of this information; this can be done via something as simple as an email reply confirmation. Staff are then aware, and have agreed, that they must not communicate over a channel that is not an approved one.

      Training staff on eComms policies

      Firms can also go further by training staff on the policy. Firms need to establish and publish rigorous policies and procedures and provide staff with related ongoing training. In our experience, nothing can replace live, face-to-face compliance training and cyber training, which allows staff to ask specific questions about exactly which systems and apps they can or cannot use. There is no substitute for this human approach: it prompts questions and discussion between employees and trainer, makes an impact, and helps employees understand the implications of the issue.

      Ensuring compliance manuals and security policies are up to date

      The next challenge for firms is to ensure that the compliance manual and/or information security policy is up to date. Firms must update the compliance manual with explicit instructions that all communications used by employees for business need to be recorded and preserved. The manual must also make clear which applications are approved for use, and that anything else is therefore prohibited. These are the challenges that firms must now face if they are to avoid substantial fines from the regulators going forward.

      Adding to the complexity is the rise of Shadow IT: the adoption of cloud-based applications without authorization, made easy by apps that often offer free services. To assist with this, tools such as Global Relay and Smarsh can help with record keeping, and a Mobile Device Management (MDM) system such as Jamf for iOS, IBM MaaS360 or Microsoft Intune can help configure end-user devices: enforcing password length, restricting devices to the approved applications, cataloguing the applications installed on employees’ devices, and monitoring and keeping track of equipment. Additions such as an MDM solution, used to bolster your information security policy, could be the answer.

      How Waystone Compliance Solutions can help

      Our dedicated, experienced cyber and data protection compliance consultants work together with firms to update their compliance manual, policies and procedures and offer guidance and advice on how to ensure they remain compliant, including offering advice on technical solutions. In addition, we provide bespoke training for employees to help them to understand the role that they play in complying with record keeping obligations and to assist with embedding a culture of compliance within the organisation.

      If you have any questions or would like to discuss how Waystone Compliance Solutions can help you to ensure that your regulatory obligations are met, please contact us.
