eComms compliance – the SEC continues its scrutiny and issues substantial fines
Latest SEC eComms Developments
Last month, the SEC charged 16 firms for widespread recordkeeping failures, as well as failure to supervise their employees by not detecting or preventing the use of unapproved devices. The firms admitted to wrongdoing and agreed to pay penalties totalling more than $1.1 billion. SEC Chair Gary Gensler commented, “Finance, ultimately, depends on trust. By failing to honor their recordkeeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust.”
The SEC’s investigation uncovered pervasive off-channel communications. From January 2018 through September 2021, the firms’ employees routinely communicated about business matters using text messaging applications on their personal devices. The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws.
The importance of rigorous eComms compliance policies and procedures
These latest developments deliver a straightforward message that firms must abide by the SEC’s recordkeeping rules. They also make clear that firms must implement rigorous policies and procedures in order to demonstrate compliance with Securities Exchange Act of 1934 Rule 17a-4(b)(4) and Advisers Act Rule 204-2(a)(7).
Now is the time to bolster your record retention processes and to fix any issues that could result in similar future misconduct. Employees must be made aware that by using their personal accounts and devices for business communications, they are opening themselves up to review by the SEC. Firms must now take steps to communicate clearly with their employees and state explicitly the approved applications that they may use and that anything else is prohibited for business.
Requiring attestation and acknowledgement of communications protocols
In the first instance, firms should require staff to attest to and acknowledge the communications protocols. Many firms are actively asking staff to affirm that they are aware of the rules and are complying with policy. Staff should be told which apps and communication channels are approved, and that those channels will be recorded and preserved in line with the SEC’s regulations. It’s also vital that employees confirm their awareness of, acknowledgement of and agreement with this information; this can be done via something as simple as an email reply confirmation. Staff are then aware, and have agreed, that they must not communicate about business over any channel that is not an approved one.
Training staff on eComms policies
Firms can also go further by training staff on the policy. Firms need to establish and publish rigorous policies and procedures and provide staff with related ongoing training. In our experience, where training is concerned, nothing can replace live compliance training and live cyber training, delivered face-to-face, allowing staff to ask specific questions about exactly which systems and apps they can or cannot use. There is no substitute for this human approach: it leads to questions and discussion between employees and the trainer, it makes an impact, and it helps employees understand the implications of the issue.
Ensuring compliance manuals and security policies are up to date
The next challenge for firms is to ensure that the compliance manual and/or information security policy is up to date. Firms must update the compliance manual with explicit instructions that all communications used by employees for business need to be recorded and preserved. The manual must also make clear which applications are approved for use and that anything else is therefore prohibited. These are the challenges that firms must now face if they are to avoid substantial fines from the regulators going forward.
Adding to the complexity is the rise of Shadow IT: the purchasing or adoption of cloud-based applications without authorisation, made easy by apps that often offer free services. To assist with this, tools such as Global Relay and Smarsh can help with record keeping, and a Mobile Device Management (MDM) system such as Jamf for iOS, IBM MaaS360 or Microsoft Intune can help configure end-user devices: enforcing passcode length, making only approved applications available, cataloguing the applications installed on employees’ devices, and monitoring and keeping track of equipment. Adding an MDM solution of this kind to bolster your information security policy could be the answer.
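As an added illustration (not code from the original article, and not any vendor's MDM product), the script below shows the kind of check an MDM inventory makes possible: it audits a constructed device inventory export against an allowlist of approved, archived messaging channels, flags known consumer messaging apps that sit outside supervision, and checks passcode length and enrolment status. The export field names, the allowlist and the app identifiers are assumptions for the example, not a real vendor schema or verified bundle ids.

```python
"""Audit a constructed MDM inventory export against an eComms allowlist.

Assumed input shape (an assumption, not any vendor's real export schema):
a list of device records with device_id, user, mdm_enrolled, passcode_length
and installed_apps (a list of app identifiers).
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed allowlist of approved, archived messaging channels.
# Identifiers are illustrative placeholders, not verified bundle ids.
APPROVED_MESSAGING_APPS = {
    "com.microsoft.teams",
    "com.bloomberg.professional",
}

# Constructed watchlist of consumer messaging apps that fall outside
# supervised, archived channels. Identifiers are illustrative placeholders.
WATCHLIST_MESSAGING_APPS = {
    "net.whatsapp.WhatsApp",
    "org.telegram.messenger",
    "com.apple.MobileSMS",
    "com.burbn.instagram",
}

# Assumed minimum passcode length from the firm's information security policy.
MIN_PASSCODE_LENGTH = 8


@dataclass
class Finding:
    device_id: str
    user: str
    issue: str    # one of: unapproved_messaging_app, weak_passcode, not_enrolled
    detail: str


def audit_device(record: dict, min_passcode_length: int = MIN_PASSCODE_LENGTH) -> list[Finding]:
    """Return every policy finding for a single device record."""
    findings: list[Finding] = []
    device_id, user = record["device_id"], record["user"]
    installed = set(record.get("installed_apps", []))

    # Any watchlisted messaging app that is not on the approved list is an
    # off-channel communication risk; report each one, in a stable order.
    off_channel = installed & (WATCHLIST_MESSAGING_APPS - APPROVED_MESSAGING_APPS)
    for app in sorted(off_channel):
        findings.append(Finding(device_id, user, "unapproved_messaging_app", app))

    # Passcode length below the policy minimum (missing value counts as 0).
    passcode_length = record.get("passcode_length", 0)
    if passcode_length < min_passcode_length:
        findings.append(Finding(device_id, user, "weak_passcode",
                                f"length {passcode_length} < {min_passcode_length}"))

    # A device that is not enrolled cannot have the app catalogue enforced at all.
    if not record.get("mdm_enrolled", False):
        findings.append(Finding(device_id, user, "not_enrolled",
                                "device not under MDM management"))
    return findings


def audit_inventory(inventory: list[dict]) -> dict[str, list[Finding]]:
    """Map device_id -> findings for every device that has at least one finding."""
    results: dict[str, list[Finding]] = {}
    for record in inventory:
        findings = audit_device(record)
        if findings:
            results[record["device_id"]] = findings
    return results


# Constructed sample export: three devices with deliberately varied states.
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "user": "a.trader", "mdm_enrolled": True, "passcode_length": 10,
     "installed_apps": ["com.microsoft.teams", "com.apple.mobilesafari"]},
    {"device_id": "dev-002", "user": "b.analyst", "mdm_enrolled": True, "passcode_length": 4,
     "installed_apps": ["com.microsoft.teams", "net.whatsapp.WhatsApp"]},
    {"device_id": "dev-003", "user": "c.pm", "mdm_enrolled": False, "passcode_length": 0,
     "installed_apps": ["org.telegram.messenger", "com.bloomberg.professional"]},
]


if __name__ == "__main__":
    for device_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f"{device_id} ({f.user}): {f.issue} - {f.detail}")
```

Run as written, the script reports nothing for dev-001, an unapproved messaging app plus a weak passcode for dev-002, and all three issues for dev-003. In practice the inventory would come from the MDM's export or API and the allowlist from the compliance manual, so that the approved-app list the manual publishes and the list the audit enforces are the same document.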
How Waystone Compliance Solutions can help
Our dedicated, experienced cyber and data protection compliance consultants work together with firms to update their compliance manual, policies and procedures and offer guidance and advice on how to ensure they remain compliant, including offering advice on technical solutions. In addition, we provide bespoke training for employees to help them to understand the role that they play in complying with record keeping obligations and to assist with embedding a culture of compliance within the organisation.
If you have any questions or would like to discuss how Waystone Compliance Solutions can help you to ensure that your regulatory obligations are met, please contact us.