Enacted by the 73rd U.S. Congress and signed into law by President Franklin D. Roosevelt, the Securities Exchange Act of 1934 governs the secondary trading of securities in the United States. Among other regulations, the Exchange Act imposed recordkeeping requirements on broker-dealers with the goal of protecting investors, maintaining fair and efficient markets, and facilitating capital formation. A broker-dealer is a person or firm in the business of buying and selling securities for itself or as an agent of its clients. On September 27, 2022, the Securities and Exchange Commission fined 16 broker-dealer institutions for “widespread and longstanding failure[]… to maintain and preserve electronic communications.” The firms admitted to the facts set forth by the SEC in each respective order and acknowledged that their conduct violated recordkeeping provisions under the Exchange Act. Consequently, the SEC collected a combined penalty total of $1.1 billion and censured each firm. So, what exactly did these institutions do to get themselves in trouble with the SEC? Well, it turns out that instant messaging applications can get multi-billion dollar enterprises in trouble too.
In September 2021, the SEC launched a risk-based initiative to determine whether broker-dealers adequately preserved business-related communication from its employees’ personal devices. The Commission requested each firm to provide off-channel communications data over an approximately three-year period from 30 of its employees. From this data, the SEC concluded that all 16 broker-dealers had failed to adequately preserve business-related communication exchanged between employees on WhatsApp. It uncovered thousands of unretained business-related messages at each firm, and it also observed that off-channel communication was prevalent at all experience levels, including supervisors and senior officials. In particular, the Commission found that, because of this conduct, the entities were in violation of two recordkeeping provisions in the Exchange Act: Rule 17a-4(b)(4) and Section 15(b)(4)(E).
Section 17(a)(1) of the Exchange Act authorizes the SEC to issue recordkeeping regulations requiring broker-dealers to produce and preserve documents as necessary or appropriate in the public interest, for the protection of investors, or in furtherance of the purposes of the Exchange Act. The SEC exercised this authority by adopting Rule 17a-4(b)(4). The rule requires that broker-dealers keep originals of all business-related communication received and copies of all business-related communications sent in an easily accessible location. The Commission has justified this exercise of power by stating that such recordkeeping requirements “are an integral part of the investor protection function of the [SEC], and other securities regulators, in that the preserved records are the primary means of monitoring compliance with applicable securities laws, including antifraud provisions and financial responsibilities standards.”
Moreover, Section 15(b)(4)(E) of the Exchange Act requires broker-dealers to reasonably supervise its employees in order to prevent violations of the Act’s provisions. If a broker-dealer fails to have a reasonably effective and established procedure in place to prevent a violation or fails to reasonably discharge the duties and obligations incumbent upon him to implement the procedure and ensure its compliance, the broker-dealer risks punishment by the SEC as long as the penalty is in the public interest.
Here, the SEC found that all 16 firms violated Rule 17a-4(b)(4) and Section 15(b)(4)(E). Under Rule 17a-4(b)(4), where broker-dealers are required to store all business-related messages in an easily accessible location, none of the institutions here sufficiently monitored, reviewed, or archived employee communication on WhatsApp. Although most of the firms advised its employees of unapproved communication methods, such as WhatsApp, and had policies in place for its employees to comply with recordkeeping requirements, under Section 15(b)(4)(E), where broker-dealers are required to reasonably supervise its employees to prevent violations of the Exchange Act, all 16 entities failed to reasonably ensure that employees were following recordkeeping and communications regulations of the Exchange Act because each broker-dealer failed to implement sufficient monitoring to ensure that the company policies and federal securities laws were being followed. The SEC also deemed its penalties against the institutions as appropriate and in the public interest.
In addition, the SEC noted that during the three-year period in which the uncovered texts existed, it received documents and records from each firm in response to subpoenas stemming from Commission investigations. Because the broker-dealers failed to record off-channel, business-related messages on WhatsApp and other unapproved communication methods, the SEC concluded that each firm likely deprived the Commission of potentially helpful evidence in its investigations. Moving forward, all 16 financial institutions agreed to the following undertakings:
- Enhance its policies and procedures;
- Increase training regarding the use of approved communications methods;
- Hire a compliance consultant;
- Direct the consultant to conduct a comprehensive compliance review and provide a report;
- Adopt all recommendations in the report;
- Require the consultant to complete an annual evaluation of electronic communications;
- Conduct its own internal audit;
- Adhere to existing recordkeeping and communications requirements; and
- Cease and desist from violating federal securities laws.
So, why does the SEC feel the need to impose such harsh penalties for otherwise normal behavior – like communicating with colleagues via an instant messaging application? Throughout history, the SEC, regardless of leadership, has generally embraced a strong enforcement program. In 2006, the Commission released a statement naming the relevant factors in determining whether to impose a financial penalty against a corporation. It was especially concerned with investor protection and deterrence in its analysis. When assessing penalties, the SEC looked at whether shareholders benefitted from the misconduct, or whether they would be harmed by the imposition of a penalty since the costs may be passed on to them. The SEC also cited additional factors to consider, including:
- The need to deter a particular type of offense;
- The extent of injury to innocent parties;
- whether complicity in the violation was widespread throughout the corporation;
- The level of intent on the part of the perpetrators;
- The degree of difficulty in detecting a particular type of offense, the presence or lack of remedial steps by the corporation; and
- The extent of cooperation with the SEC and other law enforcement.
However, the current SEC Commissioner, Caroline Crenshaw, embraces a different philosophy. Crenshaw believes that the SEC’s focus on shareholder impact in assessing penalties is misplaced. Rather, in Crenshaw’s view, “concentrat[ing] the costs of harm with the entity who committed the violation … is key to a successful enforcement regime and to promoting fair and efficient markets more broadly.” First, Crenshaw argues that corporate penalties should be tied to the egregiousness of the misconduct. Second, she raises administrability concerns regarding the Commission’s ability to consistently identify the presence or absence of shareholder benefits. Third, Crenshaw is not fully convinced that financial penalties even harm shareholders. Crenshaw instead advocates for an enforcement program that focuses on the actual misconduct when considering to impose a penalty, reduces sanctions based on meaningful cooperation, condemns corporate ignorance to compliance, and foregoes any contemplation of corporate benefit or shareholder harm. Deterrence still remains a priority.
Crenshaw’s philosophy rightfully underscores a fundamental value of public markets: investor protection. Focusing on corporate benefit or shareholder harm in ascertaining an appropriate punishment fails to adequately prevent future violations from occurring. Instead, corporations will accept the proverbial “slap on the wrist” consequence, continue to pursue unethical ventures to maximize revenue, and put investors at risk of losing their investments. Notably, in anticipation of an SEC corporate benefit analysis, companies may engage in “information bundling” to complicate the measurement of corporate benefit. Information bundling is a tactic used by corporate executives to make it more difficult for investors to recover damages under federal securities laws stemming from a stock price decline. Rather than issuing an independent news release regarding an SEC violation, executives will attempt to conceal such disclosure by including unrelated information on different matters in the same report. Often times, the company’s stock price will not experience a drastic decline in response. As a result, investors have a harder time demonstrating “loss causation” – a required element of a fraud claim – because it may not be clear that the stock price decline was directly attributable to the violation. In a case study of corporations, it was found that 33% of companies bundled announcements of SEC violations with unrelated disclosures. In addition, information bundling has resulted on average in over $20 million lower recoveries for shareholders. If corporate benefit remains the test for administering punishments, the SEC’s responsibility to protect investors from corporate wrongdoing will be seriously undermined. Instead, as Crenshaw put it, “paying a penalty” will be written off by companies as “just a cost of doing business.”
Here, it appears that the SEC utilized Crenshaw’s philosophy when imposing a penalty on the broker-dealers. Each administrative proceeding primarily focused on the corporation’s misconduct as opposed to shareholder benefit in determining an appropriate penalty. The Commission also acknowledged each firms’ remedial steps in resolving the violation. Furthermore, by requiring a compliance consultant on staff, the firms’ improved policies and procedures, including monitoring and recording, should deter future violations. But only time will tell whether the new SEC philosophy will attain its goal of deterrence.
In 2022, the SEC levied a record $6.4 billion in enforcement actions, including $4 billion in penalties. However, subjecting corporations to astronomical fines may not result in total deterrence. The companies liable for such penalties are often companies that generate tremendous profit and are well-equipped to pay the fines without the risk of insolvency or great detriment to the business. On the other hand, forcing corporations to hire compliance consultants and take appropriate remedial steps should lead to increased accountability within the enterprise. Additionally, higher penalties could motivate corporate leaders to strengthen internal controls and encourage employees to foster a culture of compliance in order to prevent future violations. Lastly, Crenshaw’s considerations of self-reporting and corporate cooperation in determining the severity of a punishment should compel businesses to be proactive in averting unethical actions that may give rise to SEC violations. Nevertheless, it is obvious that the current SEC regime has adopted an aggressive approach regarding corporate wrongdoers, and companies must be on alert.