On 27 September 2022, the U.S. Securities and Exchange Commission imposed fines totalling more than $1.1 billion on 15 broker-dealers and one affiliated investment adviser for "widespread" and "longstanding" failures in relation to their record keeping procedures. The U.S. Commodity Futures Trading Commission imposed further fines totalling more than $710 million for related conduct.
An investigation found that between January 2018 and September 2021, employees of varying levels of seniority, at each of the firms, regularly sent messages on their personal devices for business-related purposes. Such messages were not maintained and preserved by the relevant firm in breach of its record keeping obligations.
This enforcement action should act as a timely reminder for firms to review their policies and procedures in relation to the use of unrecorded channels of communication and/or personal devices for business-related purposes.
1 A firm's recording obligations
Multiple regulators across the globe impose requirements on firms to record telephone conversations and to keep electronic communications, and have shown willingness to take enforcement action against firms that do not meet such requirements.
UK
For any firm to which chapter 10A of the Financial Conduct Authority's ("FCA") Senior Management Arrangements, Systems and Controls sourcebook ("SYSC") applies (in relation to the carrying out of specified activities), it must take all reasonable steps to record telephone conversations, and keep a copy of electronic communications, that are made with, sent from, or received on, equipment provided, or accepted for use, by the firm (SYSC 10A.1.6 R). Records of such communications must be kept for a minimum of five years (SYSC 10A.1.14 R).
A firm must also take all reasonable steps to prevent an employee from making, sending, or receiving relevant telephone conversations and electronic communications on privately-owned equipment which the firm is unable to record or copy (SYSC 10A.1.7 R).
Hong Kong
Firms licensed by or registered with the Securities and Futures Commission ("SFC") are required to have a centralised telephone recording system to record all conversations with clients (paragraph 3.5 of the SFC's main code of conduct (the "Code")). Client orders received by telephone and order confirmations made by telephone must be recorded in that system (paragraph 3.9 of the Code). Although the receipt of oral orders via a mobile phone is strongly discouraged, it is permitted if the order is immediately called in to the central recording system. Such recordings must be kept for at least six months.
Dubai
Firms conducting investment business (which would include broker-dealers) in or from the Dubai International Financial Centre ("DIFC") are required by the Dubai Financial Services Authority ("DFSA") to take reasonable steps to ensure that they make and retain recordings of voice and electronic communications, whether with a client or other third party, where they are intended to lead to the conclusion of a specific transaction (section 6.7 of the Conduct of Business module of the DFSA's rulebook). DFSA guidance on that requirement recognises that it is permissible for those communications to take place on a mobile phone, but only where the firm is able to record them. Records of such communications must be kept for a minimum of six months.
2 Remote working
In recent years, we have seen a drive towards creating greater flexibility when it comes to working arrangements, which includes increased remote working by employees. Remote working may result in a heightened risk of employees using unrecorded or encrypted channels such as WhatsApp, Signal or Telegram for business-related purposes. The use of such channels limits a firm's ability to monitor communications and hinders the effectiveness of its control functions.
Monitoring communications not only allows a firm to evidence transaction terms and fulfil its obligations as a supervised body, it also helps a firm to identify misconduct. Employees may use unrecorded or encrypted channels for nefarious purposes, such as to share confidential client information. Regulators will be keen to take enforcement action for such misconduct.
UK
The FCA has, in its communications, sought to reiterate the importance of maintaining a controlled working environment. See, for example, its guidance on remote or hybrid working (last updated on 14 February 2022) and its newsletter, Market Watch 66 (last updated on 22 January 2021). The FCA's message is clear: a firm's ability to meet its regulatory responsibilities, which includes its recording obligations, must not be compromised.
It appears that the recent US enforcement action has sparked an interest at the FCA. It has been reported that the FCA has been making enquiries of a number of global banks as to how often employees use personal devices and how such use is monitored.
Hong Kong
A 2018 SFC circular on instant messaging apps recognises that the use of smartphones for communication with clients is widespread and accordingly requires order messages, and the IM accounts and devices used to store and process them, to be properly maintained and centrally managed to reduce the possibility of error and minimise the risk of record tampering. These messages must be kept for at least two years.
Dubai
Remote working arrangements for firms operating in or from the DIFC have a further complication to address, which comes from the nature of the DIFC as a geographically small financial free zone. Many of the staff working at DIFC firms will be resident outside the free zone in 'onshore' UAE, and so live in a different legal jurisdiction to that in which they work. During the height of the pandemic, both the DFSA and regulators in onshore UAE took a flexible approach to allow home working arrangements that would not ordinarily be acceptable. The end of that flexibility was marked in April this year with the DFSA issuing a 'Dear SEO' letter on remote working. In that letter, the DFSA reminded all of its authorised firms that their licence only permitted them to provide financial services "in or from" the DIFC, and that individual staff members (such as traders or financial advisers), when providing those financial services, should also be located in the DIFC and not in 'onshore' UAE.
3 What should you do?
It is crucial that a firm is able to demonstrate that it has strong and effective policies and procedures in place to prevent the use of unrecorded communication channels for specified business-related purposes.
When assessing its policies and procedures, a firm may want to consider the following:
- When were your policies and procedures last reviewed?
  - Regularly review your policies and procedures and update them so that they take into account any new risks, for example developments in possible modes of communication or changes to the workplace environment.
  - Policies should state that the use of unrecorded communication channels and/or personal devices for specified business-related activities is prohibited. The consequences of non-compliance should also be made clear.
- How effective are your policies?
  - It is not sufficient simply to prohibit the use of unrecorded communication channels and/or personal equipment for specified business-related purposes.
  - Consider whether there is sufficient senior management oversight and support in relation to promoting the firm's standards of conduct.
  - Consider asking employees to attest (at least on an annual basis) that they do not use an unrecorded communication channel for specified business-related purposes.
  - Carry out regular compliance reviews to compare order messages against clients' account activities to detect irregularities and potential malpractice.
- How often are employees provided with training on your policies?
  - Employees should be briefed on the firm's policies and procedures in their induction, ideally with bespoke sessions as required.
  - Refresher training should be offered, at a minimum, when there are changes to policies to account for newly identified risks.