2022 was a record year when it came to fines handed out to North American financial firms.
The SEC alone collected $6.4 billion in penalties, which shattered its previous high of $3.8 billion in 2021. The CFTC collected over $2.5 billion in restitution, disgorgement, and civil monetary penalties, with over $700 million of that total coming from fines against firms that failed to maintain and preserve off-channel communications. And although it pales in comparison to the SEC and CFTC figures, the nearly $50 million in fines handed out by FINRA in 2022 was no small amount of change.
While 2022 may have been the year of headline-grabbing fines that put the financial services industry on notice, it appeared as if 2023 would focus on a much more selective and systematic approach. In 2022, we saw large banks fined amounts exceeding $100M for their record keeping failures. In 2023, the attention started to shift towards the next tier of firms, namely small to mid-size hedge funds. The penalties were drastically reduced compared to 2022, and for a brief period, it seemed as if regulators had sent their initial message and order would begin to be restored.
However, that line of reasoning got flipped upside down in August of this year when the SEC and CFTC announced on the same day that they were fining a total of 13 Wall Street firms a combined $549 million for the use of unauthorized messaging platforms such as WhatsApp, iMessage, and Signal.
Self-report. Cooperate. Remediate.
But lost in the excitement of the announcement was a rather insightful piece of advice from the Director of the SEC’s Division of Enforcement, who following the fines, had this to say: “Self-report, cooperate, and remediate. If you adopt that playbook, you’ll have a better outcome than if you wait for us to come calling.”
Self-report. Cooperate. Remediate. Rather than keep guidance ambiguous, regulators spelled out exactly what firms should do when they find themselves in violation of their compliance requirements. And as part of that, they clarified that this proactive approach would result in better outcomes as opposed to keeping the info to themselves and hoping they don’t get caught. When you put it in these terms, it seems like an opportunity for firms to control their own fate when being faced with regulatory penalties.
Taking a proactive approach to self-report, cooperate, and remediate is only half the battle though. While this guidance may greatly reduce the punishments handed out to firms for their shortcomings, the need to resort to these steps in the first place indicates firms have already let illicit behavior slip through the cracks. Those who rid their organizations of wrongdoing before it gets to the “self-report, cooperate, and remediate” steps will ultimately save themselves from reputational damage and monetary fines. In this blog, we examine some of the top enforcement areas for North American regulators in 2023 that your firm can actively look to prevent before it’s too late.
Top Enforcement Areas by North American Regulators:
Record Keeping Failures
So far in 2023, firms in the Americas have been fined more than half a billion dollars by the SEC and CFTC for their failures to properly monitor and preserve business-related communications within their organization. In most instances, this meant employees were using their personal devices to discuss business matters on platforms that they knew their firms weren’t monitoring, such as WhatsApp. However, there were also cases of business records being deleted before their required three-year retention period had passed. In May, regulators fined the brokerage arm of the largest bank in the United States for mistakenly deleting 47 million emails from nearly 7,500 employees who regularly interacted with customers.
Whatever the case may be, regulators have made it clear that they will continue to punish those that do not meet their record keeping requirements. Whether it be rogue actors intentionally circumventing the system, or unintentional failures by archiving and retention software, it could be argued that record keeping is the single most important area of emphasis for North American regulators in 2023.
Insider Trading
As is the case in most years, regulators have steadily investigated and enforced fines for insider trading and the use of material non-public information (MNPI). On June 29th, the SEC announced insider trading charges against 13 defendants in four separate proceedings. Similar to the record keeping failures, this coordinated announcement around the insider trading cases has been seen by many as a message intended to reiterate a key focus area for regulators. While the cases are ongoing and penalties have not yet been determined, the SEC alleges that the defendants in the four cases illegally profited more than $40 million. Perhaps what is most interesting about these four cases is the fact that they target “gatekeepers,” individuals who are often the first lines of defense against misconduct. The defendants in these four cases included a Chief Compliance Officer, a board member, a veteran registered broker-dealer, and a police chief—all gatekeepers in various public sectors.
Enforcement against insider trading cases will not go away anytime soon. The SEC has publicly stated that they are continuing to prioritize and enhance their use of data analytics and technology to identify unusual and suspicious trading patterns for potential insider trading actions, as they have already led to several risk-based crackdowns. Regulating bodies such as FINRA, the SEC, and CFTC have sophisticated data analytics tools at their disposal to assist in bringing forth enforcement actions, and those tools will only increase in efficiency and precision over time.
Disclosure Failures
Regulators wasted no time enforcing non-disclosure infractions to start off 2023. In January, a video game company was fined $35 million for allegedly failing to maintain disclosure controls and procedures related to complaints of workplace misconduct and violating the whistleblower protection rule of the Securities Exchange Act of 1934. A few weeks later, a large religious organization and its assessment management firm were fined $5 million for failing to file forms that would have disclosed their equity investments, and for instead filing forms for shell companies that obscured their portfolio. Disclosure enforcements made headlines again in mid-June, when an investment advisory firm was ordered to pay $9 million after failing to disclose material information to investors, failure to waive required advisory fees, and inadequate policies to ensure sufficient oversight of fee waivers.
While each of these disclosure failures is unique in its own way, they perhaps underscore the SEC’s suggestion to “self-report” more than any other area on this list, highlighting the fact that a lack of transparency will only hurt firms in the long run.
Cryptocurrency
Since the collapse of FTX in November 2022, there has been a heightened sense of urgency to not only increase regulations for the cryptocurrency market, but also enforce penalties for those that have treated this new frontier like the Wild West and taken advantage of the ambiguity that currently exists. On numerous occasions, the SEC chair has discussed the importance to the Commission of “rooting out noncompliance [in crypto markets] through investigations and enforcement actions.” In many instances, enforcement has stemmed from failures by digital currency firms to register as broker-dealers, exchanges, or transfer agents, and/or for allegedly misleading investors.
2022 ended with the SEC issuing a total of $242 million in crypto-related fines throughout the year as part of 30 total enforcements, which also resulted in nine arrests. In January of this year, the Commission picked up where it left off when a crypto platform was fined $45 million for failing to register the offer and sale of its retail crypto asset lending product.
The monetary fines handed out for crypto-related offenses in recent years are truly staggering and with the exception of record keeping fines, are the highest dollar value for any enforcement area by North American regulators.
Cybersecurity
Recent data breaches and ransomware attacks against high-profile organizations has made cybersecurity a top priority for North American regulators. In June, the CFTC announced they were creating a special task force to mitigate cybersecurity concerns. This comes after the SEC proposed new cybersecurity risk management rules in 2022 intended to both prevent attacks in the first instance and respond to them with additional disclosures. While the new rules are yet to be put in place, they are expected to be revisited and approved later this year. Separately, they finalized and adopted a cybersecurity risk governance rule for public companies in late July 2023.
While the monetary fines for cybersecurity fines in 2023 are only a fraction of some of the other top enforcement areas, the techniques being used by cyber hackers are only becoming more sophisticated and firms should fully expect to be held accountable if they do not have controls in place to stop ransomware threats and other forms of attack.
Why Proper Surveillance Solutions Are Needed
If regulators are coming out and explicitly stating that the firms that police themselves and self-report will ultimately help their cause and minimize the damage, market participants should be acting on this immediately. And while having an understanding of the regulator’s top enforcement areas helps, it is only half the battle.
If firms are utilizing outdated legacy surveillance systems that don’t talk to each other, it makes the task of meeting regulatory requirements much more difficult. By the time they come to realize the wrongdoing, it will likely be too late, and the regulators will already have uncovered the infractions. The best way to ensure your firm utilizes the “self-report” strategy suggested by regulators is by taking a proactive approach, and that requires systems that leverage cutting-edge technology and can catch the problem early.
In the instance of record keeping failures, a majority of these fines could have been avoided had the communications archiving and surveillance tools that firms utilize worked properly and done their job. Not only would they have retained records for the necessary periods of time, but they also would have monitored channels that are frequented by rogue actors, such as WhatsApp. When it comes to insider trading, systems that can monitor both communications and trade activity in parallel would have the ability to reconstruct trades instantly and determine whether illegal activity was taking place. Firms with AI-supported communications surveillance tools, or rich language-based rules, could pick up on crucial information that stakeholders may be withholding in the instances where they were fined for disclosure related issues. In summary, the benefits of a modern surveillance system, preferably one that integrates trade and communications surveillance together, are endless when it comes to weeding out rogue actors and illicit behaviors.
Regulators will always find ways to identify the shortcomings of market participants. As mentioned previously, the data analytics tools at their disposal are only improving, and it is safe to say their roles will not become obsolete at any point. And while a future-proof and advanced communications and trade surveillance system will certainly reduce the number of headaches for compliance departments, market participants must continue to have a finger on the pulse of the top enforcement areas in North America. Only then will they truly be able to self-report, cooperate, and remediate.
How SteelEyE Can Help
SteelEye is at the forefront of addressing several of the areas identified by North American regulators in 2023. Firstly, in combatting record keeping failures, SteelEye's 17a-4 compliant archive ensures that organizations can securely retain and retrieve their financial records, meeting regulatory requirements with ease. For tackling Insider Trading, SteelEye's Integrated Trade and Communications Surveillance Solution enables real-time monitoring and analysis of trading activities, identifying suspicious patterns, and safeguarding against illicit activities. In terms of disclosure failures, SteelEye's comprehensive compliance platform provides transparency and accuracy, helping firms adhere to disclosure obligations. In sum, SteelEye's versatile and compliant solutions play a pivotal role in helping financial organizations navigate these critical enforcement areas, promoting transparency, security, and compliance in an ever-changing regulatory landscape.
Turn Supervision into Super Vision
Contact our compliance experts to see our platform in action or learn more about how we can help your firm reduce compliance fatigue.
SPEAK WITH US TODAY
