Who is at fault for Goldman Sachs’s $5.5 million fine?

While the CFTC says the bank is to blame for record-keeping failures that transpired at the start of the pandemic, others say it was two vendors who let the bank down.

This past August, Goldman Sachs found itself in the crosshairs of the Commodity Futures Trading Commission. The regulator charged that the bank had both violated a cease-and-desist provision of a prior order and committed record-keeping violations where the firm did not properly record and retain specific audio files. The CFTC ordered Goldman to pay $5.5 million as a penalty.

That order did not specifically name the vendors whose technology was at the center of the case, but one of the agency’s commissioners appears to have outed the firms in her statement arguing against the fine. One is Truphone—an independent outfit now owned by 1Global—and the other is trading turret goliath IPC.

Here’s the breakdown. Back in November of 2019, the CFTC found that Goldman Sachs had failed to record the phone line of a trading and sales desk over 20 calendar days in January and February 2014. The lack of recording was cited as the fault of recording hardware malfunctioning after a software update. Goldman was ordered to pay a $1 million penalty and cease violating further CFTC recordkeeping provisions.

The bank did just that. For a while. In March 2020, as the pandemic made remote work the new normal for the foreseeable future, record-keeping issues resurfaced at the bank.

According to the CFTC, two separate failures took place. The first involved a vendor Goldman had been using before the pandemic to record calls on mobile devices. “Beginning in March 2020, increased use of the vendor’s recording service during the pandemic led to increased failures in the vendor’s hardware,” noted the CFTC after it announced the fine. As a result, according to the CFTC, thousands of mobile calls were neither recorded nor retained. The issue reportedly came to light when some employees complained of poor call quality to the bank and an interim fix was made in May 2020. By September of the same year, the bank switched vendors.

The second record-keeping failure occurred when Goldman started using software from a separate vendor “that was designed to replicate the experience of a hard-wired trading turret—a specialized phone setup used to facilitate trading—via a computer,” according to the CFTC. In May 2020, Goldman reportedly discovered that a software issue meant the system was not always recording calls, and as a result, thousands of calls were not being recorded or retained.

Not only did the bank struggle with retaining audio files, but the vendors it used in maintaining compliant communications saw their technology breaking down at the worst possible time. Some argue the fault lies with those vendors, but regulators have a growing history of holding banks accountable for the failures of third-party firms.

In a concurring statement on the penalty, Commissioner Kristin Johnson, a Democrat, emphasized that Goldman has a responsibility to ensure it adheres to the CFTC’s rules.

“While I acknowledge that challenges related to contracting with third-party vendors are at the center of this resolution, it is incumbent upon our registrants—particularly in light of the increasing dependence on critical third- and fourth-party service providers for technology and cyber resilience related services—to take steps to remain prepared and ensure compliance,” she wrote. “[O]ur registrants must maintain well-developed continuity plans to ensure that there are no gaps in their compliance with CFTC regulations and that they are prepared to use alternative means of compliance, particularly in the event of third- or fourth-party service providers’ failures.”

Now, one fine can stick out from the rest, and it’s clear that several moving parts set this one apart from the WhatsApp fines that have been the talk of Wall Street. Third-party risk, the pandemic, and adequate compliance programs all play a role here, and in trying to figure out what went wrong, they all need to stand center stage.

Vendor breakdown

The dissenting statement of CFTC commissioner Caroline Pham, a Republican, provides some insight into the vendors involved in the communication breakdowns Goldman suffered.

While arguing that the penalty is bad form for the CFTC and that Goldman Sachs could not have prevented the vendor issues, she refers to the vendors as “Truphone vendor” and “Omni vendor”.

“[Goldman Sachs] promptly and diligently performed a root cause analysis beginning in March 2020 and remediated the Truphone vendor mobile phone issue within weeks,” said Pham. “[Goldman Sachs also] identified and promptly remediated the completely separate and unrelated Omni vendor soft turret issue that also arose out of the pandemic and [the bank’s] need to shift to remote work and resulting inability to use the hard-wired trading turrets physically located in each office.”

Commissioner Pham’s office did not return requests for comment.

Truphone is an eSIM mobile services company that offered tools to businesses to make phone calls and record conversations conducted on mobile devices. Their services would allow users to connect to global telecom networks and use local numbers without needing to roam. Following the Russian invasion of Ukraine in 2022, the UK government sanctioned Roman Abramovich, who had a £300 million investment in Truphone alongside his business partners Alexander Abramov and Alexander Frolov. According to the FT, Abramovich held a 23% stake in the company while his partners held the rest.

Sanctions forced the company to be sold and as of the beginning of 2023, Truphone’s assets sit under 1Global. According to 1Global’s website, clients include Morgan Stanley, State Street, JPMorgan, and Barclays. Repeated requests for comment went unanswered by 1Global.

Two executives in the compliant communications space told WatersTechnology that Truphone was a popular vendor on the Street and that Goldman had been a Truphone user alongside most of the market.

Omni, on the other hand, points to IPC, which says it has more than 7,000 customers, including “100% of the top 50 global banks.” In July 2020, IPC detailed to WatersTechnology a number of upgrades it was working on in light of more people working from home. One of those updates was to its IQ/MAX Omni application, a soft-client application that replicates or provides similar functionality to a hard turret. Three sources confirmed to WatersTechnology that Goldman uses IPC turrets. Repeated requests for comment went unanswered by Goldman Sachs. IPC declined to comment for this story.

One telecoms industry veteran tells WatersTechnology they suspect the soft turret issue may not have been the actual turret, but instead, the issue may have been in getting the calls from the turret to the recorder. “You’ve got three moving parts here: one is the turret, the other is the connectivity to the turret, and the third is the actual recorder,” they say. “The challenge is going to be the vendor in the middle that is your home broadband if you are working from home.” For hard turrets in office, the network is typically provided by the turret provider.

A CTO at a trader voice vendor tells WatersTechnology that they also had developed a soft-client solution before the pandemic but “no one was really interested.” With the onset of Covid, demand skyrocketed. They say the architecture of their solution is set up so that even if something drops off the network, the recording is still preserved. “You are suddenly working in a new environment where technology has to evolve very rapidly,” the CTO says.

The telecom veteran sees Goldman as responsible for making sure the call is captured and for ensuring that their vendors are providing working technology. What might be missing from this equation is the additional capability to know when the call hasn’t made it to the recorder. “It’s wrong for Goldman to not know it,” they say.

Tim Carmody, chief technology officer at IPC, told WatersTechnology in 2020 that the IQ/MAX Omni solution had been in the market for eight years. “The Omni soft client was an interesting thing for people, but it was not heavily used because of the trading policies,” he said. “It was something that some of our customers already had, and certainly something that was available in the market already.” He said the application was in “dire need of a new user interface” but that it did what it was supposed to do. He did not specify a timeline for when IPC would make it more suitable for remote working.

“The evolution of the soft turret has been exaggerated and accelerated because of the pandemic and home working,” the telecom veteran says. “So of course, the challenge of homeworking was always going to create even more responsibility on the banks to ensure that there was no loss of data.” They contend that this will not be the last fine for improper record-keeping, as the banks are still playing catch-up with technology.

A new kind of contingency

At the largest investment banks, prior to March 2020, the ability to work from home was not part of the fabric of the capital markets. But faced with a pandemic, regulators had to accept that compliance would prove difficult in an environment outside of the office, as the world was adjusting to a new reality on the fly. 

On March 17, 2020, the CFTC issued a no-action letter providing temporary, targeted relief to futures commission merchants, introducing brokers, and swap dealers, among others. “The spread of coronavirus has caused compliance with certain CFTC requirements to be particularly challenging or impossible because of displacement of registrant personnel from their normal business sites due to social distancing and other measures,” the CFTC acknowledged.

In regard to swap dealers, the division of swap dealers and intermediary oversight (DSIO) granted temporary, targeted no-action relief from “requiring recording of oral communications related to voice trading and other telephonic communications, as well as time-stamping requirements when located in remote, socially-distanced locations.” Thirty days of no-action relief was also granted from the requirement to provide annual compliance reports to the CFTC.

On June 9, 2020, the no-action relief letters were extended to September 30, 2020. In extending the letters, the DSIO communicated that those relying on the relief were expected to establish and maintain a supervisory system to oversee personnel and that when Covid-19 risks decreased, full compliance with regulatory obligations was expected.

It’s for these reasons that Commissioner Pham disagreed with the penalty. “Every government authority and regulator around the world provided temporary relief or forbearance from regulatory requirements in light of the pandemic and devastating impact to business, including the CFTC and other US regulators,” she wrote in her dissent. “But I am not aware of any regulator in any public consent order imposing sanctions and penalties for one-off, non-material operational or technical issues arising from the pandemic—especially for the use of vendors to support remote work. It will only be the CFTC with that dubious distinction and disregard for the human reality.”

Pham also highlighted that the two vendor issues were not material non-compliance issues and did not appear to result in a material impact to the firm, harm to clients, financial losses, or misconduct. “It is fantastical for the Commission to expect perfection—100% compliance for 100% of the time—when it comes to operations and technology systems and processes. That is impossible,” Pham stated.

The counterargument, though, is that when banks and financial institutions create their compliance programs, being prepared for the next disaster is part of the expectation, says Eric Young, co-lead of the financial services practice at Guidepost Solutions, a global monitoring compliance and investigative firm.

“There’s always been a great expectation—particularly through technology—of being prepared for disasters, particularly when businesses go offline,” Young tells WatersTechnology. He says catastrophes of wildly different impacts have hit Wall Street previously, whether it was the terrorist attacks of September 11, 2001; the financial crisis, which started to fully take hold in 2008; or Hurricane Sandy, which hit New York City in October 2012.

“Regulators have long expected banks and dealers to have disaster recovery, business continuity and contingency planning in place,” Young says. “Often times, the rules lag behind the innovation, but more importantly, some of these rules were principles based rather than prescriptive.” Regulators will not prescribe to individual firms how to run their compliance programs (see: DSIO notice). Compliance programs should be tailored to the institution and individual risk profile.

Despite that expectation, not all technology has been able to keep up. Young, who previously served as a chief compliance officer at BNP Paribas, UBS and JPMorgan, says regtech has not kept pace with the rapid evolution of technology. “That is part of the reason why there’s typically regulatory violations and settlements, because the compliance technology hasn’t kept pace,” he says.

Most firms settle violations by paying the penalty. In some rare moves, firms will fight fines. It should be noted that the $5.5 million fine against Goldman represents less than one half of one percent of the net income Goldman Sachs reported for the third quarter of 2023.

Regulators are growing more concerned that institutions and—in particular—repeat offenders, will see fines as the cost of doing business. In an enforcement advisory sent to staff in October, the CFTC indicated that it was considering issuing higher penalties “to empower compliance professionals at entities to make the business case to senior management for the resources they need to do their jobs effectively.” Others have told WatersTechnology that regulators don’t have a firm grasp of technological innovation, which creates gaps in rules and capabilities. 

But, as has been said numerous times before, the compliance buck stops with the end-user. Even when technical solutions fail, it’s up to the user to have proper compliance, benchmarking and contingency planning in place so as to adhere to the various regulators’ rules.

As with most things involving oversight of Wall Street, your opinion of who’s to blame is likely to depend on where you work—a bank, a vendor, or a regulator. 
