Enforcement Roundup – Regulators Remain Focused On All Aspects Of Recordkeeping – Security


What does the fining of a major Wall Street firm for trade
surveillance failures, the holding to personal account of the CEO
of a UK bank, the impact of cyber security incidents at a pair of
broker dealers and another two firms being held accountable for
off-channel communications all have in common? They all represent
failures of one or more aspects of upstream recordkeeping with the
consequent downstream inability to meet compliance obligations.

Recordkeeping is a core competency for financial services firms.
It encompasses a firm knowing what data or records it has, why it
has them and where they are. It also covers keeping those records
secure and unaltered. Without a comprehensive and robust approach
to recordkeeping and the associated data governance, firms will
simply not be able to either fulfill or evidence compliance
obligations. Firms are utterly reliant on their records for
everything from responding to regulators' requests for
information, meeting reporting requirements (internally as well as
externally) and investigating a complaint, to keeping sensitive
customer information secure and undertaking supervision and
surveillance.

Trade surveillance failures

In March 2024, the Office of the Comptroller of the Currency
(OCC) and the Federal Reserve Board fined a firm a combined total of $348.2m
for ‘deficiencies in its trade surveillance program’ and
‘an inadequate program to monitor firm and client trading
activities for market misconduct’.

The OCC civil monetary penalty and the cease and desist order highlight that the firm’s trade
surveillance program was found to have operated with ‘gaps in
venue coverage and without adequate data controls required to
maintain an effective program.’ As a result, the firm failed to
surveil billions of instances of trading activity on at least 30
global trading venues.

As part of the findings, the OCC made a key point of the need
for robust data governance to be implemented as part of a swathe of
required corrective actions. Critically, the firm will not be able
to on-board new trading venues unless or until the
examiner-in-charge provides the firm with a prior written
determination of no supervisory objection.

Other corrective actions include forming a Compliance Committee
to project manage the corrective actions, conducting a ‘look
back’ review of the data deficiencies, and a series of specific
responsibilities imposed on the board of the firm for the oversight
of the remediation.

As a root cause, the trade surveillance failures were due to a
lack of upstream recordkeeping and data capture. Without the source
records, the firm was incapable of undertaking the required trade
surveillance.

Personal liability for bank CEO

In January 2024, the Prudential Regulation Authority fined the former CEO of a bank £118,808
for breaching three PRA Conduct Rules between March 2016 and May
2020. It was found that the former CEO failed both to act with due
skill, care and diligence, and to take reasonable steps to ensure
that the bank had adequate systems and controls in relation to the
large exposures regime and PRA recordkeeping requirements. As part
of the settlement, the former CEO has given an undertaking to the
PRA that he will not in the future apply for or perform any
function in relation to any regulated activity carried on by any
authorized person, exempt person or exempt professional firm.

The personal liability enforcement action follows the PRA’s
sanction imposed on the bank concerned, which was, in
April 2023, censured for wide-ranging significant regulatory
failings. These spanned breaches relating to large exposure limits,
capital reporting, governance and risk controls and PRA Own
Initiative Requirements (OIREQs) and, for the first time, failure
to capture and retain WhatsApp messages. The seriousness of the
breaches justified a fine of £8,515,000; however, since the
bank is in wind-down, the PRA imposed a public censure as a warning
shot to the industry more broadly.

The importance of recordkeeping was reiterated with the
regulator making plain that inadequate recordkeeping hinders a
firm’s ability to prudently manage risk, and also hinders the
PRA’s ability to investigate that firm. Specifically, the bank
was found to have not adopted or implemented any policies and
procedures in relation to the retention of business related
correspondence and records. It consequently had no formal
recordkeeping policies or procedures in place to manage or retain
electronic messages such as WhatsApp messages or iMessages. The PRA
was clear that a CEO has a ‘crucial role’ to play in
ensuring their firm meets the standards expected of it and requires
the relevant individual to exercise sound judgment. The standard
required of the CEO as Senior Management Function 1 ‘was
consequently more exacting than for the Firm’s other SMFs and
Employees.’

Cybersecurity incidents

In March 2024, the Financial Industry Regulatory Authority
(FINRA) fined a pair of broker-dealers in the same
group $150,000 each for failing to establish and maintain a
supervisory system, including written supervisory procedures,
reasonably designed to safeguard customer records and
information.

The two firms self-reported cybersecurity incidents which
occurred at branch offices of each firm. Both firms were on notice
from prior FINRA examinations that they lacked reasonable
cybersecurity controls at branch offices with each firm having
experienced numerous cyber intrusions. The intrusions allowed
unauthorized third parties to gain access to customers’
nonpublic personal information including, among other things,
social security numbers, dates of birth, bank account numbers, and
drivers’ license information. In total, 24 cyber intrusions
exposed the non-public personal information of more than 30,000
customers.

Broker-dealers are required to “adopt written policies and
procedures that address administrative, technical, and physical
safeguards for the protection of customer records and
information.” Such written policies and procedures must be
reasonably designed to:

  1. insure the security and confidentiality of customer records and
    information;

  2. protect against any anticipated threats or hazards to security
    or integrity of customer records and information; and

  3. protect against unauthorized access to or use of customer
    records or information that could result in substantial harm or
    inconvenience to any customer.

The capability to keep records and data secure and unaltered is
another aspect of recordkeeping and one which firms need to ensure
is fully embedded in all of their business activities.

Yet more off-channel communications

In March 2024, the Commodity Futures Trading Commission (CFTC)
fined another two firms for off-channel communications. A swap
dealer was fined $6m and an introducing broker was fined $1m for failing to maintain and preserve
records. The orders found that from at least 2019 to the present,
both firms failed to stop employees, including those at senior
levels, from communicating using unapproved communication methods,
including messages sent via personal text.

Each order further finds the firm-wide use of unapproved
communication methods violated each firm’s internal policies
and procedures, which generally prohibited business-related
communication via unapproved methods. Further, some of the
supervisory personnel responsible for ensuring compliance with the
firm’s policies and procedures also used unapproved
communication methods to engage in business-related communications,
in violation of firm policy.

Both firms were included in the 16 recently fined by the Securities and Exchange
Commission for, again, the use of off-channel and unpreserved
communications. The additional penalties add to the $2.6bn already
levied for failures to maintain and preserve electronic
communications – another crystal clear reminder of the continuing
regulatory focus on recordkeeping.

Recordkeeping as core competency

All aspects of recordkeeping are an expected core competency for
financial services firms. It is only with a complete, native-context,
secure but accessible data set that firms can begin not only to
fulfill all relevant compliance obligations but also to have
insightful strategic management information. Recordkeeping and the
associated required data governance can only begin with the
upstream capture and retention of all relevant records and data
points. With the embedding of workplace unified communication and
collaboration tools, firms are fully aware of the need to enhance
the ability to retain a wider range of modalities and capture the
context of the likes of emojis, gifs and reactions. Indeed, UC
providers themselves are feeling the need from customers and are
prioritizing helping by providing more ways to solve recordkeeping
and supervision needs – the recent news from Zoom on its approach serves
as a positive example of what firms can expect from their
communication and collaboration providers. Only with recordkeeping
robustly in place up front can downstream activities be effective,
with proactive compliance and security able to be comprehensively
assured.

How Theta Lake can help

Backed by the investment arms of Cisco, RingCentral, Salesforce,
and Zoom, Theta Lake is a recognized leader in Digital
Communications Governance and its multi-award winning product
suite provides patented compliance and security for modern
collaboration platforms, utilizing hundreds of frictionless partner
integrations including RingCentral, Webex by Cisco, Microsoft 365
and Teams, Slack, Zoom, Movius, Box, Mural, Asana and more.

Theta Lake empowers organizations to safely, compliantly, and
cost-effectively expand their use of unified communication
platforms by enabling capture, compliant archives, and acting as an
archive connector for existing archives of record across video,
voice, and chat collaboration systems. Customers benefit from:

  • The ability to ensure that all aspects of messaging can be
    preserved, and a full audit trail provided to supervisors and
    regulators. For example, chat messages can be viewed in their
    native format over the entire history of the conversation, with
    full context retained including images, GIFs, emojis and
    reactions.

  • Searching instantly across participants, all modes of unified
    communication and collaboration tools, meshed conversations, and
    timelines in an easy to navigate search system that covers and
    provides full replay for voice, video, chat, email, images, emojis,
    files, whiteboards, and more.

  • Patented AI & ML to detect, surface, and enable actual
    response for regulatory, privacy, and security risks in an AI
    assisted review workflow with remediation and patented UCC security
    control integrations for protection across what is shared, shown,
    spoken, and typed.

  • Theta Lake’s risk and compliance suite provides an advanced
    security and privacy architecture named STAR3 (Secure in Transit,
    Access, in Redaction, Remediation, and Removal), which is SOC2
    Type II certified with ISO 27001 mapping, PCI DSS certified, 17a-4
    and audit trail attested, BAA supported, and undergoes regular
    penetration testing so our customers, partners, and regulators
    worldwide are confident in Theta Lake’s data and system security,
    integrity, and privacy.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
