Ever given a colleague a quick Signal call so you can sidestep a monitored workplace app? Well, we’d hope you’re not in a highly regulated industry like staff at eleven of the world’s most powerful financial firms, who yesterday were fined nearly $2 billion for off-channel comms.
Banking giants including Goldman Sachs, Credit Suisse, and Citigroup agreed to pay regulators $1.1 billion in penalties from the US Securities and Exchange Commission (SEC) and $710 million in fines from the Commodity Futures Trading Commission (CFTC) in separate actions on Tuesday for failing to monitor and stop their workers from using unauthorized messaging apps. The action comes after months of wrangling between the federal regulators and the banks.
The companies yesterday admitted their staff, including senior investment bankers and equity traders, regularly shot the breeze on WhatsApp and other “unapproved” private channels.
The companies were also hit with cease and desist orders preventing them from continuing to “commit or caus[e] any violations and any future violations of Section 17(a) of the Exchange Act.” In what might be the most unusual part of this situation, all of the companies (along with some of their subsidiaries) appear to have admitted to wrongdoing.
The SEC said in a statement that its investigation uncovered “pervasive off-channel communications,” and that after gathering communications from the personal devices of just a sample of the various firms’ personnel they found off-channel exchanges between “senior and junior investment bankers and debt and equity traders.”
SEC chair Gary Gensler said in a statement: “Finance, ultimately, depends on trust. By failing to honor their recordkeeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust.”
The agency went on to say that secret squirrel comms failings had occurred across all “16 firms” (that number includes the 11 and their affiliates – there’s a full list here), adding that it had “involved employees at multiple levels of authority, including supervisors and senior executives.”
The CFTC, meanwhile, said of its separate but related operation that the behavior was “egregious and widespread” and the “increasing reliance on novel communications platforms available on personal mobile devices, indicates a concern that — unless effectively addressed — may negatively impact market-participants’ internal compliance, the integrity of communications across market relationships, the Commission’s ability to carry out its mandate to oversee registrants, and the Division of Enforcement’s ability to effectively and efficiently investigate conduct that may violate the CEA and/or CFTC regulations.”
Quite.
The agency also said it was looking at allegations of similar misconduct at another “major financial institution” registered with the CFTC in the matter, citing a 2021 complaint where a dollar-swaps trader at a global investment bank was alleged to have deleted WhatsApp comms after the division made an order that he retain all communication on messaging apps including Facebook, Whatsapp, Telegram, Slack, or Signal, including any backed up versions in cloud storage etc.
As for what’s to stop them from doing it again, the businesses have all vowed to up their compliance efforts, agreeing to retain compliance consultants who will conduct comprehensive reviews of their policies and procedures on the retention of “electronic communications found on personal devices” and take a look at their “frameworks for addressing non-compliance by their employees with those policies and procedures.”
Gurbir Grewal, director of the SEC’s Division of Enforcement, said the 16 firms not only have admitted the facts and acknowledged that their conduct violated these very important requirements, but have also started to implement measures to prevent future violations. Grewal said that other finance types had better look out: “Other broker dealers and asset managers who are subject to similar requirements under the federal securities laws would be well-served to self-report and self-remediate any deficiencies.”
The Register is keen to hear any of your solutions to the sticky shadow comms problem. You could require staff to place personal devices in secured containers, but what happens when they’re needed outside the office? How do you enforce such a policy? And then how can the company be sure you don’t just walk out the office after work after market close, and simply send a Telegram message from your own cellphone? Quants and traders, on the whole, are better than your average non-finance fan at memorizing strings of numbers. ®