SEC Sweep Inquiries and Enforcement Action of Unauthorized eComms
In October 2021, Reuters reported that the SEC has commenced sweep-style inquiries into how banks are monitoring, archiving, and safeguarding business-related electronic communications being undertaken by their employees (including via such employees’ personal mobile devices). In particular, the SEC seems focused on assessing if, and to what extent, employees are conducting business using off-channel modes of communications (e.g., channels where communications are not being supervised or maintained by the registrant and/or are vulnerable to cybersecurity attacks) and how banks are monitoring for, and managing, such risks.
According to the foregoing report, SEC enforcement staff contacted multiple banks to examine whether they have been adequately documenting employees’ work-related communications, such as text messages and emails, with a focus on their personal devices.
Further, in December 2021, the SEC took enforcement action against the broker-dealer subsidiary of one of the largest U.S. banks for alleged failure over several years to archive numerous required business-related communications. The SEC charges, which were settled with the foregoing firm agreeing to pay a $125 million penalty, alleged that these communications were repeatedly undertaken via personal devices and involving text and WhatsApp messages and personal emails despite firm policies prohibiting such practices.
Additionally, the charges highlight the widespread and well-known nature of the foregoing failures, where multiple senior members of the firm with supervisory and executive responsibilities relating to implementing the firm’s compliance policies and procedures themselves engaged in the foregoing prohibited practices. The SEC alleged that the firm not only failed to archive important business communications but, as a consequence, was incomplete in responding to the SEC’s document requests during the course of multiple SEC investigations (as several requested documents maintained on personal devices or unauthorized devices had been deleted). Per the SEC, these failures meaningfully impacting the SEC’s ability to investigate potential violations of the federal securities laws.
“Recordkeeping violations may not grab the headlines, but the underlying obligations are essential to market integrity and enforcement... We continue to see in multiple investigations instances where one party or firm that used off-channel communications has preserved and produced them, while the other has not. Not only do these failures delay and obstruct investigations, they raise broader accountability, integrity and spoliation issues.” - SEC Director of Enforcement, Gurbir Grewal – October 6. 2021 Speech at PLI’s Broker-Dealer Enforcement and Regulation Session
While these sweep examinations and enforcement activity have not yet extended to the private fund manager space, they are equally relevant to private markets fund mangers, where ACA’s electronic communications review team has noticed a significant uptick in the type of activities that bring into play the risks that the SEC is focused on here. Certainly, in the current remote working environment that still very much remains in existence at many private markets fund managers, we have for some time noticed, and continue to notice, a significant blurring by many employees of the lines between business and personal communications (including the use of non-approved communication channels to conduct business) by many employees.
These risks only further underscore the need for private markets fund managers to more effectively track, archive, and surveil their employees’ business-related communications across all communication channels being utilized.
While the initial (and natural) reaction to such regulatory scrutiny may be to aggressively clamp down on employees’ use of various electronic communication channels (internal and external), such as Microsoft Teams and WhatsApp (and monitor for such violations), it is worth reflecting that such an approach is increasingly becoming antiquated and, as such, is unlikely to manage risk effectively in the longer-term. For one, the use of non-email based apps for business communications has significantly increased across the investment management industry, and trying to reverse course on this trend is likely futile. Second, the ability to archive non-email communication channels has significantly expanded over the past several years. Many private market fund managers’ policies restricting business communications exclusively to firm-provided email accounts were often drafted years ago when the state of archiving capabilities was quite different from what it is today.
As such, we recommend that private fund managers re-visit their historic policies by: (i) comprehensively polling their employees on what apps employees and their industry contacts are using to conduct business and (ii) working with their archiving vendors to determine if communications via these apps can be archived. For example, since the onset of COVID-19, we have seen numerous private fund managers become comfortable with employees using Microsoft Teams’ chat feature to correspond internally on business matters and have discovered they can (and are) effectively archiving these communications.
Further, as evidenced by recent regulatory scrutiny, the need to supplement old school electronic communication reviews with machine-learning based holistic surveillance tech tools has become increasingly critical. These tools, such as ACA’s holistic surveillance tool, combine behavioral and natural language processing (NLP) machine-learning algorithms to detect potential inappropriate employee behavior early in an effort to prevent (or at least minimize) damage. Another advantage of these tools is that they can holistically integrate surveillance of business communications across all apps into a single unified view such that these communications can be understood in context, and risky behavior patterns more readily detected, irrespective of what apps are used or even how these apps are accessed (e.g., via firm-provided desktops/other devices or personal hand-held devices). This is a significant advantage over “reviewing” communications app-by-app in isolation.
Additionally, with the increased adoption of Bring Your Own Device (BYOD) programs over the past few years, managers should ensure they have adequately implemented enterprise-level technological controls on both firm-issued and personal hand-held devices to prevent employees from inappropriately copying, downloading, or otherwise moving sensitive work-related data from work accounts set up in applications used to conduct business (such as Microsoft Outlook, Teams, WhatsApp, etc.).
Further, given the significant increase in cyber-attacks (especially since the onset of the COVID-19 pandemic), private fund markets fund managers should: (i) reiterate to employees the significant risks associated with emailing sensitive work documents to their personal email addresses (or other inappropriate email accounts) for any reason (such as the perceived convenience of working from one’s personal computer while away from the office), (ii) periodically monitor such risks via the email review process, and (iii) set up technological filters and controls to detect and prevent such activities where inappropriate.
Finally, employees should be reminded that to the extent they receive or initiate communications through unauthorized electronic communication channels (whether via their personal devices or firm-issued devices), they should not delete these communications without the prior approval of their compliance department and should forward these communications to their firm-provided email accounts or other firm-approved communication channels that are subject to archiving. This latter step will ensure that these business communications are archived one way or the other.
Download our Private Markets and Hedge Fund Quarterly Updates
This is just one of the many insightful articles included in our Quarterly Updates from Q4 2021. Download the full newsletters to learn more:
Join us for a live webcast
Our surveillance, compliance, and technology experts will discuss the latest client communication trends in the financial industry and what solutions are available to monitor and archive those communications.
How we help
ACA’s surveillance solutions are designed to help you manage your firm-wide risk in a way that meets regulatory expectations and industry best practices. Our offerings combine consulting, managed services, and technology to provide a holistic solution for developing and executing a comprehensive and truly risk-based surveillance program.
For questions or to discuss how ACA can help your firm strengthen its surveillance program, increase efficiencies through technology, and ensure your regulatory obligations are met, reach out to your ACA consultant or contact us here.