What to expect for off-channel communication regulations moving forward
Provided by Grant Thornton
New focus from SEC, CFTC requires more data collection
Regulator Expectations for Off-Channel Communications Going Forward
This year, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have fined 10 broker-dealer firms and one financial institution a total of $289 million due to a failure to maintain and preserve off-channel electronic communications based on the federal securities law. These fines were due to violation of SEC Rule17(a), SEC Rule 204-2, the Financial Industry Regulatory Authority (FINRA) Rule 4511, FINRA Rule 3110, FINRA Rule 2010, and 17 CFR § 131.
Within the last two years, the SEC and the CFTC have fined more than 50 firms for not preserving off-channel communications between employees and stakeholders. The use of off-channel communications violates recordkeeping provisions of the SEC, which has previously focused on the enforcement of disciplinary action on firms that do not maintain records of all business communications if not captured and preserved.
Initially, regulators were only focused on broker-dealers and financial institutions, however the focus has now shifted to also include Registered Investment Advisors (RIA). On April 3, 2024, the SEC filed the first enforcement action against a standalone investment adviser for off-channel record keeping failures. Specifically, the firm’s policies and procedures prohibited employees from utilizing non-retained electronic communication services for business purposes, except in emergencies or technology disruptions, during which the communications were mandated to be duplicated, reported and preserved in the firm’s communication archive. Furthermore, the firm neglected to establish procedures to oversee employee compliance with the prescribed protocols for work-related communications. The firm was charged with violating Rules 204-2( a) (7) and 206(4 )-7 of the Investment Advisers Act.
Given these fines and violations, firms should enact policies, procedures and processes to monitor and preserve all communication related to business conduct between firm employees and stakeholders to minimize risk and reputational damage, and ensure compliance.
SEC and CFTC prioritize data collection
The SEC and CFTC are currently focusing on ensuring that firms have implemented effective surveillance protocols to detect off-channel communications related to business activities. They are looking for evidence that firms are collecting and retaining data from employees’ personal devices to ensure compliance. The CFTC also requires financial firms to retain all communications related to business transactions, specifically in commodity interests, cash or forward transactions, and all documents on which trade information is originally recorded. As it relates to record retention timeframes, firms must retain communication evidence for five years to comply with SEC Rule 17(a)-4; SEC Rule 204-2; CEA:§ 4s(f)(1)(C)/ 7 U.S.C. 6s(f)(1)(C); and 17 CFR § 1.14.
Following the imposition of fines for previous violations, regulators are also verifying that firms have hired independent consultants to monitor these protocols.
SEC broadens focus of its recordkeeping rules
The SEC’s recordkeeping rules for RIAs under the Investment Advisers Act mandate that RIAs preserve messages related to investment advice, fund transactions and order placements, even if these communications occur through personal text messages or other non-official channels. The SEC expects RIAs to implement strong policies and procedures for monitoring and enforcing compliance, managing firm-issued and personal devices and address issues like auto-delete functions.