“As technology changes, it’s even more important that registrants ensure that their communications are appropriately recorded and are not conducted outside of official channels in order to avoid market oversight”
SEC Chair Gary Gensler, SEC Press Release 2021-262, 23rd December 2021
The run-up to Christmas 2021 proved to be an extremely busy period for regulators. Compliance professionals’ inboxes were subjected to a deluge of regulatory updates from the Bank of England (“BoE”) and the Financial Conduct Authority (“FCA”). However, if those professionals act for firms that are only authorised and regulated by the BoE and/or the FCA, then there is a possibility that they may not have seen the US Securities and Exchange Commission’s (“SEC”) administrative proceeding no. 3-20681 in the matter of J.P. Morgan Securities LLC (hereinafter, “the respondent”). The case provides a sobering reminder of the importance of robust systems and controls for maintaining recordings of electronic communications pertaining to trading activities.
Summary of key findings from the SEC’s decision
The SEC found that:
- certain of the respondent’s employees had engaged in widespread internal and external communication about the firm’s business activities on unrecorded personal mediums, including emails, message applications (WhatsApp) and text messages;
- the said employees hailed from all ranks within the firm, including senior management;
- the respondent had policies and procedures in place during the material period that prohibited use of such personal mediums for business purposes, but these were not implemented; and
- the respondent “frequently” failed to search for messages on personal mediums. In turn, this meant that the respondent was unable to accurately fulfil several requests for information that were received from the regulator.
As a result of these findings, the SEC:
- censured and levied a $125 million fine on the respondent;
- required the respondent to engage the services of a compliance consultant to review its systems and controls governing the use of electronic communications mediums. The consultant is to present its findings to both the respondent and the SEC. Furthermore, the compliance consultant is to conduct a follow-up review of the respondent’s systems and controls a year after it has submitted the initial report. The purpose of the follow-up review is to opine on the effectiveness of any remedial action taken by the respondent; and
- required that the respondent notify the SEC of any steps it has taken to discipline any of its employees who are found to have breached its policies and procedures.
In its release, the SEC stated that the respondent “admits the facts” and “acknowledges that its conduct violated the federal securities laws”.
Significance to British investment firms
The circumstances underpinning the SEC’s enforcement action could have arisen in any jurisdiction in the world. During the COVID-19 pandemic regulators have been particularly vocal about the importance of ensuring that staff involved in trading activities do not stray into the use of unrecorded devices for this purpose. For example, in edition 66 of its Market Watch newsletter (first published 11th January 2021), the FCA asserted that:
“Risks from misconduct may be heightened or increased by homeworking. This includes increased use of unmonitored and/or encrypted communications applications (apps) such as WhatsApp for sharing potentially sensitive information connected with work”.
The FCA and several UK-based trading venues have a history of taking disciplinary action against investment firms for failings in relation to communications production and retention.
How to avoid getting caught out
In Market Watch 66, the FCA reiterated its expectations of firms. In addition, organisations such as the FICC Markets Standards Board (the “FMSB”) have published excellent guidance for firms regarding how to mitigate the risks posed by home and hybrid working structures. A strong regime governing electronic communications is likely to include the four pillars set out below:
- Gap analysis and link to a firm’s market abuse risk assessment: has your firm performed a gap analysis of the coverage of communications mediums by its recording and surveillance architecture? Has this been updated in the last year, particularly in light of the addition of new communications devices and/or changes to the firm’s business model? Have the findings been fed into the firm’s market abuse risk assessment?
- Robust policies and procedures: do these state, in plain language, the types of medium that are and are not permitted to be used for business purposes? Are these documents easily accessible? Do they include a clear protocol for requesting approval for new communications applications? Have escalation processes for technical outages and staff breaches been defined? Have these been reviewed and updated in the last year?
- Training: have all relevant employees been provided with practical training on the FCA’s record keeping requirements as they apply to electronic communications? Has the training been provided to all relevant new joiners during the past year? Does the training outline the firm’s policies and procedures, e.g. with regard to which mediums can and cannot be used for business purposes? Does the training draw upon real-life case studies to illustrate what can go wrong if a firm and/or individual is found to have breached the FCA’s requirements?
- Independent review: when was the last time your communications recording and monitoring infrastructure was reviewed by an independent expert? If a review was recently performed, has your firm ensured that any areas for improvement identified therein have been addressed? If your firm is thinking about obtaining an independent review, then using the SEC’s decision in the matter of J.P. Morgan Securities LLC as a blueprint for negotiating the terms of engagement is a good place to start. This is because, in the decision, the SEC itemises the areas a compliance consultant should focus on.
The SEC’s action involving J.P. Morgan Securities LLC is a timely reminder to firms of the importance of keeping their communications recording arrangements under constant review. The anniversary of the publication of Market Watch 66 is fast approaching. Firms should expect contact from the regulator to gauge the effectiveness of their systems and controls in this area.
A.C.Culley & Co. has extensive experience of trading floor operations. Contact us today if you would like help in strengthening your systems and controls.
Originally published by Thomson Reuters © Thomson Reuters.
2021. Market Watch 66, Financial Conduct Authority. Available at: https://www.fca.org.uk/publications/newsletters/market-watch-66 (last accessed 9th January 2021).
2021. JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges, Securities and Exchange Commission. Available at: https://www.sec.gov/news/press-release/2021-262 (last accessed 9th January 2021).
2021. Administrative Proceeding File No. 3-20681 in the Matter of J.P. Morgan Securities LLC, Securities and Exchange Commission. Available at: https://www.sec.gov/litigation/admin/2021/34-93807.pdf (last accessed 9th January 2021).