For years, executives, managers, and employees at broker-dealers, investment advisory firms, and swap dealers used unauthorized communication channels to conduct company business.

They texted clients and colleagues from their personal devices. They exchanged emails from personal accounts. And, perhaps most systematically, they sent thousands of business-related messages that were not recorded by their employer on apps like WhatsApp, WeChat, Signal, and Slack.

So, what’s the big deal? Why does using unauthorized channels matter?

First, it’s a violation of federal securities laws. Employees at regulated entities must have their business conversations recorded and archived, available to be delivered if regulators demand. Not having access to all business communications could potentially impede investigations into more serious misconduct, the regulators say.

In addition, employees who are saying things to clients, customers, coworkers, and competitors on channels their employers don’t know about potentially obscure other misconduct.

There was a Securities and Exchange Commission (SEC) enforcement action announced in September that detailed how an investment analyst allegedly used the Xbox audio chat function to strategize with three friends about how to cash in on material nonpublic information. The analyst’s friends earned approximately $460,000 in illicit profits, according to the SEC.

While this case is an example of an off-channel communications violation, the insider trading claims are much more serious. This employee was allegedly using off-channel communications to hide illicit activity.

No regulator is going to fault a firm for not knowing about misconduct conducted on Xbox. But should firms be monitoring their employees’ electronic communications for clues about potential misconduct? Absolutely. There are plenty of technological solutions available to aid in this effort.

No legitimate firm would look the other way if it knew one of its employees was trading on material nonpublic information, right? But many of the world’s largest broker-dealers, investment firms, and swap dealers refused to address rampant and pervasive off-channel communications use by their employees. The violations were viewed by the industry with a collective shrug. It was simply the way business was conducted.

Compliance teams at these regulated entities likely understood the breadth and depth of their firm’s exposure. But they might have worried that pursuing the issue would draw the ire of the “people who earn the money.” It would have meant bucking a practice ingrained in the company’s culture.

So, they hesitated. They looked the other way. In so doing, they allowed the pattern to continue.

Dare I say it? Compliance was complicit.

Why did it take huge fines for firms to finally recognize the problem?

Addressing off-channel communications use “wasn’t a sufficiently high priority for the people at the top of those firms,” said Gregory Bruch, of Bruch Law Group, at the SEC’s Securities Enforcement Forum 2023 in October. The penalties, he said, “have reordered the priorities, elevated this issue, and changed things dramatically.”

Bruch noted the enforcement actions imposed an independent compliance consultant to help firms create stronger policies, conduct effective training with employees, impose penalties, and follow through with consequences if off-channel discussions continue. It was telling, Bruch said, that regulators were not willing to trust firms to address and remediate their own behavior on this issue without oversight.

Changing the culture within an organization doesn’t happen overnight. It takes a commitment from top managers, buy-in from middle managers, and enough training so that everyone understands the stakes.

Some individuals have said that compliance through fear is not going to be effective. They’re right, of course. The solution cannot be all sticks and no carrots.

How can firms make compliance easier? In many cases, employees are discussing business on channels their clients and customers choose. Asking them to switch to “authorized channels” seems standoffish and out of touch.

Firms should leverage technology to expand the number of channels they authorize for business use, particularly the most popular ones. Solutions should not come from the top down or be unilaterally installed by compliance teams. It should be a collaboration: “Here’s what we need to be compliant. How do we get there, together?”

If firms made compliance easier—by monitoring, supervising, recording, and archiving business conversations on the platforms their employees actually use—compliance would happen more naturally.

And when it doesn’t, if an employee insists on discussing business away from the firm’s prying eyes, there should be consequences. Firms should make those consequences explicit in the attestations that employees sign each year, in which they confirm they know and understand the firm’s policies on off-channel communications. Some firms might consider adding to those affirmations that they reserve the right to examine an employee’s personal device if the firm suspects the employee is communicating via unauthorized channels.

The new messaging on off-channel communications should be clear: What was done before is no more. It cannot continue. The stakes are too high.

Firms penalized by the SEC and Commodity Futures Trading Commission have made strides in addressing the issue, said Corey Schuster, co-chief of the SEC’s Asset Management Unit, at the agency’s forum.

“We have seen significant behavior changes, remediation, and increased compliance,” he said.

Firms that haven’t been fined should be examining their own vulnerabilities on the issue, he said.

“Firms need to make their own assessments to make sure they’re in compliance with the law. They can’t just set it and forget it,” he said.

Schuster repeated what has become a mantra at the SEC: Firms should investigate their exposure on this issue, conduct an internal investigation if necessary, and remediate the misconduct. Once that’s completed, they should self-report past violations to the agency and take their lumps.

Regulators are no longer willing to look the other way on off-channel communications use. Registered entities can no longer afford to do the same.

Solving the off-channel communications conundrum