Latest Wave of SEC Off-Channel Communications Enforcement Actions: Five Takeaways

On September 29, 2023 — the last business day of its fiscal year — the U.S. Securities and Exchange Commission (SEC) issued the latest in a series of actions charging 10 firms with recordkeeping failures in connection with employees’ use of unapproved applications on personal devices to engage in communications relating to the firms’ business (known as “off-channel communications”).1 The firms charged included broker-dealers, investment advisers, and dually registered broker-dealers and investment advisers as well as one family of firms that self-reported conduct to the SEC. To date, the SEC has charged over 40 registrants and leveled over $1.6 billion in penalties as part of its off-channel communications matters. Other regulators, including the Commodity Futures Trading Commission (CFTC), have brought similar cases.

Here are five key takeaways from the September 29, 2023, orders.

  1. The orders give only scant guidance as to the types of communications the SEC views as falling within Rule 204-2(a)(7) of the Advisers Act. Most of the SEC’s off-channel communications actions to date have involved broker-dealers. Those broker-dealer settlements have found violations of Section 17(a)(1) of the Securities Exchange Act of 1934 (Exchange Act) and Rule 17a-4(b)(4) thereunder, which impose a broad requirement that a broker-dealer retain communications “relating to its business as such.” In certain of these September 29 cases — and some before then — the SEC has also charged investment advisers (including dually registered broker-dealers and investment advisers) for off-channel communications where the record-keeping standard is narrower and more nuanced. Unlike the more expansive “business as such” scope in the Exchange Act provisions, the Investment Advisers Act of 1940 (Advisers Act) requires that registered investment advisers retain certain specific categories of communications including “any recommendation made or proposed to be made and any advice given or proposed to be given.” What communications fall within Rule 204-2(a)(7) remains uncertain, as the SEC is reported to be taking an expansive view of that recordkeeping requirement.2 Although these recent September 29 orders state that some of the communications at issue related to recommendations made or proposed to be made and advice given or proposed to be given, they generally lack explicit descriptions of the types of communications the SEC found to fall within those categories. Thus, how the SEC construes the Advisers Act recordkeeping requirement with respect to investment advisers’ e-communications remains an open question, even as the SEC’s Enforcement staff continues conducting a sweep of investigations into these adviser issues.
  2. The SEC encourages self-reporting. As before, the SEC here encouraged self-reporting of recordkeeping violations. In the September 29, 2023, press release, the SEC’s Enforcement Director, Gurbir S. Grewal, stated: “One of the orders included in today’s announced actions is not like the others … [t]here are real benefits to self-reporting, remediating and cooperating.” This refers to the SEC’s lowest off-channel communications civil penalty to date, $2.5 million, against a family of firms that self-reported off-channel communications. Other firms in this and other orders have settled for penalties ranging from $7.5 million to $125 million. While Director Grewal’s comment suggests that the low fine was a result of self-reporting, it is unclear whether other factors may also have influenced this figure. There is no explanation in the September 29 orders of why the penalty against one firm was $35 million while others were $8 million and $8.5 million. In addition, the SEC previously leveled penalties ranging from $7.5 million to $15 million against other firms that self-reported off-channel communications. This may be a result of penalties being tailored to firm size or other factors, including the quality of the self-report and the remedial steps undertaken thereafter; as a result, it is difficult to predict what the penalty size would be if a larger firm were to self-report. What is more, these September 29 settlements show the limits of self-reporting: This family of firms still had to admit liability, pay millions in penalties, and agree to undertakings, including retaining an independent compliance consultant (terms discussed further below).
  3. The orders continue to emphasize conduct by the firms’ senior employees. Each of the orders described engagement in off-channel communications by senior employees, including, among others, senior management or executives, group heads, supervisors responsible for supervising junior employees, managing directors, and partners. While the orders did not name individuals, each also included multiple paragraphs providing specific examples of instances where senior employees were found to have sent or received off-channel communications. This is not to say that the SEC is interested only in the conduct of senior employees; lower-level employees were also mentioned in some of the orders. Taken together, however, the orders reflect consistent emphasis on the “tone at the top” and scrutiny of the conduct of senior employees.
  4. These orders required admissions that firms violated the federal securities laws. In a departure from its common practice of allowing respondents to settle on a “no admit, no deny” basis, all off-channel communications settlements have required admissions of liability. The September 29 orders all contain admissions to the facts set forth in the orders and acknowledgement by the firms that their conduct violated the federal securities laws. This trend appears poised to continue as the SEC continues to position the prevention and preservation of off-channel communications as a key priority for the securities industry.
  5. The sanctions imposed on all 10 firms include substantial undertakings to retain independent compliance consultants. Consistent with the SEC’s prior off-channel communications actions, the September 29 orders impose undertakings. While the undertakings contain a number of subparts, perhaps the most noteworthy is the requirement that each firm retain an independent compliance consultant to review, among other things, (i) the firm’s policies and procedures designed to ensure that electronic communications are preserved, (ii) trainings conducted by the firm in connection with the preservation of electronic communications, and (iii) the measures and technology solutions in place to prevent the use of off-channel communications and support compliance with the federal securities laws.

Taken together, these September 29 orders reflect the SEC’s continued focus on holding firms accountable for engaging in off-channel communications, particularly at senior levels. They also reflect how self-reporting can result in lower civil money penalties.

1 See SEC Press Release, SEC Charges 10 Firms with Widespread Recordkeeping Failures (Sept. 29, 2023). On the same day, the SEC issued a separate press release, and settled orders, involving off-channel communications at credit rating agencies, which are not substantively addressed in this alert.
2 See Letter from Managed Funds Association, et al., to Gary Gensler, SEC Chair (Jan. 31, 2023). Chris Prentice and Carolina Mandl, SEC Collects Wall Street’s Private Messages as WhatsApp Probe Escalates, Reuters (Sept. 25, 2023, 3:36 p.m.).

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.