Compliance deficiencies highlighted in $1.8B crackdown on messaging apps

The Securities and Exchange Commission (SEC) fined the firms more than $1.1 billion total, while the Commodity Futures Trading Commission (CFTC) levied another $711 million in penalties Tuesday. The agencies concluded that, collectively, the firms did not reign in off-channel communications by employees from 2018-21.

“Finance, ultimately, depends on trust. By failing to honor their recordkeeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust.”

Gary Gensler, Chair, Securities and Exchange Commission

Specifically, the two regulators found systemic use of off-channel electronic communications by company employees on business-related topics conducted on personal cell phones; messaging apps, including WhatsApp; and other channels. These messages were not captured, recorded, and stored by the firms, as required by the SEC’s and CFTC’s recordkeeping, books and records, and supervision requirements for market participants.

The wrongdoing was pervasive and included senior managers at the firms who themselves were supposed to be enforcing the rules, the regulators said.

The SEC and CFTC began their enforcement sweep regarding off-channel communications in December 2021 with a combined $200 million fine levied against JPMorgan Chase. The agencies cited JPMorgan for failing to maintain records of communications on securities, commodities, and swaps business matters made on bank employees’ personal devices.

Since the JPMorgan enforcement action, regulators and affected firms telegraphed further penalties were imminent through public comments and regulatory filings.

Fines levied by the regulators included the following:

• Bank of America, together with BofA Securities and Merrill Lynch, Pierce, Fenner & Smith, to pay $225 million total ($125 million to the SEC, $100 million to the CFTC)
• Barclays Bank and Barclays Capital to pay $200 million ($125 million to SEC, $75 million to CFTC)
• Citibank, Citigroup Energy, and Citigroup Global Markets to pay $200 million ($125 million to SEC, $75 million to CFTC)
• Credit Suisse, Credit Suisse International, and Credit Suisse Securities (USA) to pay $200 million ($125 million to SEC, $75 million to CFTC)
• Deutsche Bank and affiliates DWS Distributors, DWS Investment Management Americas, and Deutsche Bank Securities to pay $200 million ($125 million to SEC, $75 million to CFTC)
• Goldman Sachs & Co. to pay $200 million ($125 million to SEC, $75 million to CFTC)
• Morgan Stanley & Co., including affiliates Morgan Stanley Smith Barney, Morgan Stanley Capital Services, Morgan Stanley Capital Group, and Morgan Stanley Bank, to pay $200 million ($125 million to SEC, $75 million to CFTC)
• UBS and affiliates UBS Financial Services and UBS Securities to pay $200 million ($125 million to SEC, $75 million to CFTC)
• Nomura, including affiliates Nomura Global Financial Products, Nomura Securities International, and Nomura International PLC, to pay $100 million ($50 million to SEC, $50 million to CFTC)
• Jefferies and Jefferies Financial Services to pay $80 million ($50 million to SEC, $30 million to CFTC)
• Cantor Fitzgerald to pay $16 million ($10 million to SEC, $6 million to CFTC)

All firms admitted to the misconduct alleged by the SEC, while all but two firms admitted to the CFTC’s full allegations. Bank of America and Nomura did not admit or deny certain specific CFTC findings.

In addition to the financial penalties, each of the firms was ordered to cease and desist from future violations of the relevant recordkeeping provisions and censured.

“Finance, ultimately, depends on trust. By failing to honor their recordkeeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust,” said SEC Chair Gary Gensler in a press release. He added it’s important registrants “appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.”

CFTC Chairman Rostin Behnam stated, “The Commission’s recordkeeping and supervision requirements ensure the safety and integrity of the U.S. derivatives markets and protect customers and market participants.” He added the CFTC would “vigorously pursue registrants who fail to comply with their core regulatory obligations and hold them accountable.”

Compliance considerations: At Bank of America, bank supervisors who were supposed to be responsible for preventing misconduct among junior employees were themselves routinely communicating on off-channel devices, according to the SEC’s order. In a sampling of personal devices of approximately 30 broker-dealers, nearly all were found to have engaged in some level of off-channel communications.

The SEC said it found “tens of thousands of messages” on personal devices, in messaging apps, and in other unauthorized electronic forms from Bank of America employees that concerned the bank’s and its subsidiaries’ “securities business, including investment strategy; discussions of customer meetings; and communications about market color, analysis, activity trends, or events.” A Bank of America managing director sent and received thousands of off-channel messages with colleagues, clients, and personnel at other financial services firms, the SEC said. The bank failed to record, store, and produce these messages upon request from regulators as required.

Issues found at other fined firms were similar. A senior investment banker at Goldman Sachs “sent and received tens of thousands of off-channel text messages,” according to the SEC’s order. Investigators found “voluminous” off-channel messages at Deutsche Bank, including hundreds sent and received by senior leadership. At Morgan Stanley, investigators found a “significant numbers of managing directors, executive directors, trading desk heads, and industry group heads participated in off-channel communications.”

The SEC ordered all sanctioned firms hire a compliance consultant to review their respective supervisory, compliance, and other policies and procedures related to the monitoring, recording, and storing of electronic communications by bank staff. The consultant must also review all related training, supervisory measures, and technical measures, as well as the framework to address noncompliance with rules regarding the monitoring, recording, and storing of electronic messages related to bank business.

The compliance consultant will be hired for a period of two years and must submit a progress report to the SEC after one year.

Separately, each bank’s internal audit team must conduct an audit of their respective firm’s progress in these areas.

All the firms must report to the SEC any discipline imposed on employees found to have violated policies and procedures on electronic communications within 10 days of handing out punishment.

The CFTC ordered each of the banks to conduct a comprehensive review of supervisory, compliance, and other policies and procedures designed to ensure compliance with all CFTC requirements related to recording and retaining electronic communications.