On May 11 and 12, 2023, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) announced resolutions with two foreign banks and their U.S.-based broker dealers for apparent widespread and longstanding failures to maintain and preserve electronic communications. Collectively, the SEC and CFTC imposed $67.5 million in civil monetary penalties against the two banks and their affiliated entities.

The SEC and CFTC each charged the firms with violating the agencies’ recordkeeping requirements and with failing to reasonably supervise with a view to preventing and detecting those violations. The agencies’ investigations into the firms had uncovered the pervasive use of off-channel communications to discuss business matters, such as through personal text messages and third-party platforms. The investigations revealed that employees at multiple levels of authority, including senior executives, frequently utilized these means to communicate about business and failed to supervise other employees.  Furthermore, the SEC and CFTC found that the firms failed to maintain or preserve the substantial majority of these communications in violation of recordkeeping requirements.

Because the firms self-reported and took steps to remediate their recordkeeping failures prior to the commencement of the enforcement actions, their fines were reduced.  The Director of the SEC’s Division of Enforcement, Gurbir S. Grewal, stated that “[t]oday’s actions should not only remind firms of the importance of following SEC recordkeeping requirements, but also of the value of disclosing violations when they do occur.”  Grewal noted that the reduced penalties in these cases reflect the firms’ “efforts and cooperation,” and “encourage[d] other firms to take note and likewise self-report.”  Of note, the CFTC’s orders did not mention that the banks had self-reported or substantially cooperated with the agency, and the CFTC’s civil monetary penalties were exactly double those imposed by the SEC.

In addition to the financial penalties, the SEC orders require that the firms retain compliance consultants to review their policies and procedures relating to the retention of electronic communications.  Separately, the CFTC orders require the firms to conduct a comprehensive review of their compliance programs related to recordkeeping and submit several reports to the CFTC in connection with those reviews.

These resolutions indicate that regulators will continue to aggressively pursue compliance in this area.  In recent months, regulators have been cracking down on companies failing to preserve business communications on messaging apps and personal devices (see our prior client alert on this topic).  In light of these recent actions, companies should ensure that their communication policies and procedures are compliant with federal recordkeeping requirements, and review the effectiveness of such policies and procedures.

Authors: Daniel Ahn, Jon Ammons, Mark Bini, Therese Craparo, Anthony Diana, Kaela Dahan and Joanna Howe