On August 8, 2023, the SEC charged eleven financial services firms, including a dually registered broker-dealer (BD) and Registered Investment Adviser (RIA), with widespread record-keeping violations. The firms acknowledged their wrongdoing and agreed to pay combined penalties of $289 million. The SEC alleged that the firms and their employees failed to maintain and preserve electronic communications. Along with other sanctions, the firms were ordered to improve their policies and procedures in order to prevent future violations.

The SEC identified pervasive and longstanding “off-channel” communications at all eleven firms that were charged. Generally, off-channel communications occur when Investment Adviser Representatives (IARs) use their personal devices for business purposes. The firms involved in these enforcement actions admitted that their employees often conducted business on their personal devices using various messaging platforms such as iMessage, WhatsApp, and Signal.

According to the SEC’s complaints against them, the firms violated the federal securities laws by failing to maintain or preserve a substantial majority of these off-channel communications. This failure to maintain and preserve required records undermined the SEC’s ability to conduct its examinations. Employees at multiple levels of authority, including supervisors and senior executives, committed the violations.

The SEC ordered all of the firms to pay significant financial penalties. Furthermore, the SEC censured the firms and ordered them to cease and desist from future violations of the relevant record-keeping provisions. In addition, the firms agreed to hire independent compliance consultants to conduct comprehensive reviews of their policies and procedures pertaining to the retention of electronic communications on personal devices. These consultants would also provide guidance on how to address situations where employees did not comply with the firm’s policies and procedures.

According to Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, “Compliance with the books and records requirements of the federal securities laws is essential to investor protection and well-functioning markets. To date, the Commission has brought 30 enforcement actions and ordered over $1.5 billion in penalties to drive this foundational message home.”

Specific complaints against the dually registered broker-dealer and RIA

Only one of the eleven firms charged with record-keeping violations was dually registered. The dually registered BD/RIA was accused of violating certain record-keeping provisions of the Securities Exchange Act of 1934 and Section 204 of the Investment Advisers Act of 1940, as well as Rule 204-2(a)(7) thereunder. The dually registered BD/RIA was also charged with failing to exercise reasonable supervision of employees in order to prevent and detect record-keeping violations. The SEC found that the BD/RIA failed to adhere to the firm’s policies and procedures. The firm’s employees, at both senior and lower levels, used their personal devices for business-related communications. They communicated externally and internally using personal text messages or other text messaging platforms such as WhatsApp. Employees used these off-channel communications to discuss business matters involving the brokerage firm and the RIA.

According to the SEC’s complaint, the BD/RIA’s supervisors, including senior leadership and desk heads, routinely communicated off-channel using their personal devices. Their use of non-approved methods violated the firm’s policies and procedures. During the time period covered by the SEC’s complaint, the BD/RIA failed to maintain and preserve off-channel communications. The SEC discovered these problems when the Commission began a risk-based initiative to investigate whether broker-dealers were properly retaining business-related messages sent and received on personal devices. The firm’s record-keeping deficiencies hindered the SEC’s ability to carry out its regulatory functions and investigate violations of the federal securities laws.

The SEC’s complaint charged the BD/RIA with failing to implement a system to follow up and review whether supervisors were adhering to the firm’s policies and procedures. The BD/RIA did not sufficiently monitor whether its record-keeping and communications policies were being followed.

The BD/RIA’s policies and procedures advised employees “that the use of unapproved electronic communications methods, including on their personal devices, was not permitted, and they should preserve any personal email, chats or text messages sent or received for business purposes, by forwarding work-related communications to the firm’s compliance function.” Messages sent using the firm’s approved communications methods were monitored, subject to review, and archived where appropriate. However, when individual employees did not take steps to preserve work-related communications, messages sent on personal devices were not monitored, subject to review, or archived.

The SEC blamed the BD/RIA’s compliance deficiencies on its widespread failure to enforce the firm’s policies and procedures and prohibit off-channel communications. These deficiencies resulted in the firm’s failure to reasonably supervise its employees within the meaning of Section 15(b)(4)(E) of the Exchange Act and Section 203(e)(6) of the Investment Advisers Act.

Takeaways

These enforcement actions have serious implications for all RIAs, not just dually registered firms. RIAs are subject to their own books and records rule. Books and records rules allow the SEC to conduct its examinations and enforcement work. Record-keeping failures undermine the SEC’s ability to exercise effective regulatory oversight, which may result in harm to investors.

The SEC is well aware that many RIAs have committed and may still be committing similar violations. Clearly, the SEC will be on the lookout for these violations during RIA examinations.

A practical solution is for RIAs to adopt robust policies and procedures to ensure that IARs and other advisory personnel do not use personal devices for business-related communications. Members of the RIA should be required to sign an attestation that they will not use off-channel communications for business-related matters. Additionally, executives, supervisors, senior leadership and compliance staff must lead by example and must avoid using off-channel communications.

Many electronic communications archiving service providers are able to archive text messages, and advisers who have difficulty implementing policies prohibiting electronic messaging are encouraged to use such services.

The SEC’s enforcement actions are available here.

About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Delray Beach, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.
