Off-channel messaging (and regulators) still a massive headache for banks

Earlier this month, the US Securities and Exchange Commission fined 26 broker-dealers a cumulative $392.7 million for failing to “maintain and preserve” off-channel messages on platforms like WhatsApp, iMessage, and Signal. In a press release, the SEC called the problem “widespread and longstanding.”

American Financial Services, Edward Jones, LDL Financial, and Raymond James took it on the chin the hardest, with each receiving $50 million fines. RBC Capital paid $45 million, BNY Mellon Securities coughed up $40 million, and TD Securities forked over $30 million.

On the same day—August 4—the Commodity Futures Trading Commission announced that it had fined TD Bank $75 million, Cowan and Cowan $3 million, and Trusit Bank $3 million for similar offenses. The CFTC said TD had violated communications rules from at least 2015 to present, Cowen from at least 2019 to February 2024, and Truist from December 2019 to present.

Since December 2021, the SEC has charged 82 firms $2.07 billion in civil penalties, and the CFTC has fined 24 firms $1.2 billion for off-channel communication infractions. That’s a total of $3.27 billion spread across 106 financial institutions over nearly 33 months—or just about $100 million in fines per month.

“[The regulators] just assume people are doing the worst,” says one operations manager at a New York-based broker-dealer. “And keep in mind that they use this money to run themselves—the money isn’t going to a charitable organization. It’s fucking insane when you think about it. Sure, some things are definitely warranted, but something like this is an overstep, in my opinion. If a client is a friend or is overseas, you can’t accept their outside-of-work message on WhatsApp?”

A chief information officer at a tier-1 bank says that firms are now simply “accepting that fines are the cost of doing business because it will take too long and too much effort to tie systems together efficiently.” He wasn’t endorsing this attitude but says it’s just “the way it is right now” in the capital markets. 

The SEC declined to comment for this column, and the CFTC did not respond to a list of emailed questions in time for publication.

Seeing this latest round of penalties, two questions sprung to my mind. First, is this still a problem, or are these leftovers from 2021-2023? The CFTC noted that their fines were for infractions that extended into 2024, while the SEC did not provide dates for its enforcement actions. Second, why are US regulators taking such an aggressive approach on this—at least from a monetary perspective—while European regulators appear to be trying to work with financial institutions in the region to avoid fines? More on that in a minute.

When it comes to regulatory and back-office matters, I think few are as well-versed as Virginie O’Shea, the founder and CEO of Firebrand Research. Odds are, if you’re interested in those subjects, you’ve seen her on a webinar or at a conference. (And she’s a fantastic follow on social media.)

“If you look at the fines, they’re not for 2024 activities, they’re all 2022, 23. So it just took a little while for people to pivot from what they were doing. I think now, people are very much aware of it, but habits are hard to change,” she says. “People are addressing it now, but the regulators are going back and making a point.”

In some ways, she’s an optimist on the subject. She says to me that these fines are based mainly on activities during the pandemic, as people developed bad habits when communicating with clients and banks struggled to enact definitive policies.

She also notes that these fines are “not for nefarious” actions; they’re monitoring and reporting infractions.

Brad Levy, CEO of Symphony, also says that he doesn’t think that traders were being “nefarious” by using services like WhatsApp. But there are industry-grade platforms out there for traders to chat, Bloomberg, Refinitiv/LSEG, Microsoft Teams, and…well…Symphony. And the SEC and CFTC have made it abundantly clear that they are not effing around on this issue.

Levy also says that for as much as the industry likes to boast that it is all about “cloud” and being “mobile”, the capital markets—partially because of regulatory oversight—is slower than some other industries to adopt these technologies.

“We’re in this bridge where we’re not in cloud, we’re not mobile, we’re not comfortable being distributed in how you regulate, it’s clearly coming, and I just think that we are adjusting to that environment,” he says. “The problem, though, is inside of all that noncompliance, there are definitely bad actors.”

Now it’s time for a little reckless speculation. These market regulators are collecting a lot of data on who is talking to whom on unapproved platforms. As noted before, these fines have been for noncompliance—not for more serious illegal behavior. If a firm self-reports its wrongdoing or is otherwise caught out, why shouldn’t the regulators first tell the firm to fix its processes? If they are still non-compliant in the future, that’s when you nail them with a hefty fine and have the bank fire the offenders. This seems—to me, anyway—to be the path that European regulators are taking.

Levy wonders if the $3.2 billion in fines could simply be an opening salvo. These agencies may have found instances of traders using racist, misogynistic, or homophobic language. Or, they might have seen instances of front-running, wash trading, or insider trading. Neither Levy nor myself are saying that this is what has happened, but if that turns out to indeed be the case and there are more serious enforcement actions to come, the fines could be seen as a necessary step to get these firms to put an end to off-channel communication while the agencies also build cases against individual wrongdoers.

That’s just a theory, but it’s an interesting one, to be sure, because the industry is definitely taking notice of the different approaches by US and European regulators. “People think people in finance are geniuses, and that’s giving us too much credit,” says the operations manager at a broker-dealer. “It’s no different than anywhere else: Someone pings you on a non-approved line of communication—a client reaches out accidentally on WhatsApp—why wouldn’t you answer? It wasn’t malicious—it’s just plain stupidity.”

So, again, why not give the benefit of the doubt to the human being rather than levying an avalanche of fines? Levy notes that in today’s modern world, it’s basically impossible to disconnect from texting services and social media. That’s where your partner is, where your kids are, where your friends are, and—yes—that’s where your clients are, too. After all, aren’t you supposed to meet your customers where they are?

While Firebrand’s O’Shea—who is based in London—says she believes that things are getting better on the off-channel communication front, she, too, wonders why the SEC and CFTC have been on the hunt while a regulator like the UK Financial Conduct Authority has engaged in one-on-one discussions and hosted roundtables on the subject. Are Americans exponentially more likely to talk off-channel than Brits?

“The FCA made the banks aware that they had stuff that they could go after them for if they didn’t address it, but they didn’t go the extra mile of fining them,” O’Shea says. “So different regulators are taking different approaches. In the US, you guys have almost a draconian approach to things sometimes, and in particular the SEC.”

I guess time will tell whether the SEC eases its war on off-channel communication, ratchets it up (or brings even more serious charges), or if European regulators decide to join the fire brigade.

For what it’s worth, in October 2023, Gurbir Grewal, director of the SEC’s Division of Enforcement, provided these remarks to the New York City Bar Association Compliance Institute:

“Time and again, we see firms that have good policies but fall short on implementation. Our ongoing off-channel communications sweep to ensure that regulated entities, including broker-dealers and investment advisers, comply with their recordkeeping requirements is a good example. … As the orders in these actions describe, in every case, the firms had policies and procedures in place, but employees nevertheless communicated through unapproved methods. That is because there was widespread failure in implementing those policies. In fact, as detailed in all the orders, the individuals charged with supervising employees to prevent this misconduct were themselves violating the procedures.”

Will banks and brokers learn from these enforcement actions? Will the $100-million-per-week fine rate will slowly dwindle? Or are these fines the cost of doing business—as the bank CIO says—in an increasingly interconnected world?

Have thoughts, let me know: anthony.malakian@infopro-digital.com.

The image accompanying this column is “Esther before Ahasuerus” by Artemisia Gentileschi, courtesy of The Met’s open-access program.