Firms brace for SEC spotlight on electronic communications

Just when you thought the regulatory environment in 2023 was feeling muted compared to the turmoil of the last two years, the SEC has gone and done it again. As part of an ongoing sweep of firms’ use of off-channel communications, the SEC fined HSBC and Scotia Capital for “widespread and long standing failures” to adhere to record-keeping requirements. As we’ve seen before, “the failings involved employees at multiple levels of authority, including supervisors and senior executives.”

Keep in mind that while we’re almost halfway through the year, examinations are still ongoing. Both the Securities and Exchange Commission and Financial Industry Regulatory Authority Inc. have indicated in their examination priority letters that electronic communications, including the SEC’s new marketing rule, will be a focus of those investigations. It’s unlikely we’ll see outcomes from these examinations until later this year. But if the flurry of activity around the SEC’s actions on Form CRS violations after announcing that as a priority is indicative, we can expect the latter part of the year to be rather busy. Indeed, at Finra’s annual conference, Gurbir Grewal, director of the SEC’s enforcement division, said more sweeps are coming.

In addition to that, other regulators have adopted a similar posture to that of the SEC and Finra. In April, the Consumer Financial Protection Bureau published its Policy Statement on Abusive Acts or Practices. This document provides insight into the agency’s actions to enforce the Consumer Financial Protection Act of 2010 with respect to abusive conduct. Importantly, the analysis reiterates the act’s lack of a requirement to show harm to consumers — only requiring that these practices are presumed by the regulators to be harmful. Much of this document targets marketing practices that are intentionally malicious; the surveillance for these types of activities should already be a part of your compliance programs for digital communications. But advertising is specifically called out as a primary way that firms convey trust to consumers. Companies should be monitoring advertisements — digital or otherwise — for potential violations of that trust.

The Department of Justice also recently announced a similarly aggressive stance when it comes to text messages that may not be recorded. Kenneth Polite, chief of the DOJ’s criminal division, said “our prosecutors will not accept [missing text messages] purely at face value,” indicating that they’re going to be asking tough follow-up questions during investigations where messages seem to be missing. This tenor, combined with the multibillion dollar fines levied against large firms last year, suggests firms should be shoring up their policies and procedures to adequately respond to those questions.

This posture isn’t limited to the U.S. In the U.K., a proposed bill in Parliament holds organizations liable for their employees’ actions if they profit from fraud committed by those employees. If adopted, organizations that do business in the U.K. (including those based outside of the U.K.) will be subject to the new guidelines. Importantly, an organization can receive an unlimited fine, depending on the severity of the fraud. And since electronic communications can be a very common medium for the commitment of fraud, this is a signal from ex-U.S. regulators that they are approaching the regulation of this space in a very similar fashion. This is in addition to the Financial Conduct Authority’s recent warning against a lack of care when employing “finfluencers” on social media. This warning is aligned with recent announcements by the U.S. regulators.

Since the SEC has been on the forefront of this particular push for enforcement, it has been hiring staff accordingly. In testimony to Congress on March 29, SEC Chair Gary Gensler requested an increase in the SEC’s budget “to deal with the possibility of more enforcement of securities regulations as financial markets see growth and changes.” This translates to an additional 170 positions in 2024, largely in enforcement and examination roles. This follows previous statements that “fines will no longer be seen as a cost of doing business.”

So yes, while we’re just now starting to see an uptick in enforcement actions in the regulatory space with respect to electronic communications, it’s clear the disparate regulators covering diverse jurisdictions are in lockstep. Protecting investors from fraudulent, misleading or otherwise problematic electronic communications in the current environment seems to be of the utmost importance across the financial services industry. If firms haven’t yet begun the process of kicking the tires of their supervisory controls for these types of communications, it should certainly be a priority — a necessary precaution to avoid an examination notice from one of the aforementioned regulators.

Bill Simpson is the director of compliance at Hearsay Systems.

Related Topics: Consumer Financial Protection Bureau, Department of Justice, Financial Industry Regulatory Authority, Hearsay Systems, Securities and Exchange Commission