Financial services firms need to focus on their upstream recordkeeping in order to better enable more robust and accurate downstream regulatory compliance
What does the fining of a major Wall Street firm for trade surveillance failures, the holding to personal account of the CEO of a United Kingdom-based bank, the impact of cybersecurity incidents at a pair of broker-dealers, and another two firms being held accountable for off channel communications all have in common? They all represent failures of one or more aspects of upstream recordkeeping with the consequent downstream inability to meet compliance obligations.
Recordkeeping is a core competency for financial services firms. It encompasses a firm’s knowledge of what data or records it has, why it has them, and where they are. It also covers keeping those records secure and unaltered. Without a comprehensive and robust approach to recordkeeping and an associated data governance plan, firms will simply not be able to either fulfil or show evidence that they have met compliance obligations.
Firms are utterly reliant on their records to be able to act on everything from responding to regulators’ requests for information, meeting reporting requirements (internally as well as externally), investigating a complaint, keeping sensitive customer information secure, to undertaking supervision and surveillance.
Trade surveillance failures
In March, the U.S. Office of the Comptroller of the Currency (OCC) and the U.S. Federal Reserve Board fined a firm a combined total of $348.2 million for “deficiencies in its trade surveillance program” and “an inadequate program to monitor firm and client trading activities for market misconduct.”
The OCC’s civil monetary penalty and the cease-and-desist order noted that the firm’s trade surveillance program was found to have operated with “gaps in venue coverage and without adequate data controls required to maintain an effective program.” As a result, the firm failed to oversee billions of instances of trading activity on at least 30 global trading venues.
As part of the findings, the OCC made a key point of the need for the firm to implement robust data governance as part of swathe of required corrective actions. Critically, the firm will not be able to on-board new trading venues unless or until the examiner-in-charge provides the firm with a prior written determination of no supervisory objection. Other corrective actions included requiring the firm to form a Compliance Committee to manage the corrective actions and conduct a look-back review of the data deficiencies. Also, the OCC imposed a series of specific responsibilities on the firm’s board for the oversight of the remediation.
As a root cause, the trade surveillance failures were due to a lack of upstream recordkeeping and data capture. Without the source records, the firm was incapable of undertaking the required trade surveillance.
Personal liability for bank CEO
In January, the UK’s Prudential Regulation Authority (PRA) fined the former CEO of a bank £118,808 for breaching three PRA Conduct Rules. The PRA found that the former CEO failed both to act with due skill, care, and diligence, and to take reasonable steps to ensure that the bank had adequate systems and controls in keeping with PRA recordkeeping requirements. As part of the settlement, the former CEO attested that he will not re-enter the UK financial services field — a de facto ban.
The personal liability enforcement action follows, the PRA’s sanction that was imposed on the bank in April 2023, in which it was censured for wide-ranging significant regulatory failings, including, for the first time, failure to capture and retain WhatsApp messages. The seriousness of the breaches justified a fine of more than £8.51 million. However, since the bank is winding-down its operations, the PRA imposed a public censure as a warning shot to the financial services industry more broadly.
The importance of recordkeeping was reiterated by the regulator making plain that inadequate recordkeeping hinders a firm‘s ability to prudently manage risk, and also hinders the PRA’s ability to investigate that firm. Specifically, the bank was found to have not adopted or implemented any policies and procedures in relation to the retention of business-related correspondence and records. It consequently had no formal recordkeeping policies or procedures in place to manage or retain electronic messages such as WhatsApp messages or iMessages.
The PRA was clear that a CEO has a “crucial role” to play in ensuring their firm meets the standards expected of it and requires the relevant individual to exercise sound judgment. The standard required of the CEO as Senior Management Function 1 (SMF 1) “was consequently more exacting than for the Firm’s other SMFs and Employees.”
Other incidents
In March 2024, the Financial Industry Regulatory Authority (FINRA) fined a pair of broker-dealers in the same group $150,000 each for failing to establish and maintain a supervisory system, including written supervisory procedures that are reasonably designed to safeguard customer records and information.
The capability to keep records and data secure and unaltered is another aspect of recordkeeping and one which firms need to ensure is fully embedded in all of their business activities.
Also in March, the U.S. Commodity Futures Trading Commission (CFTC) fined another two firms for off-channel communications. A swaps dealer was fined $6 million, and an introducing broker was fined $1 million for failing to maintain and preserve records. The orders found that both firms failed to stop employees — including those at senior levels — from communicating by using unapproved communication methods, including messages sent by personal text.
Each order further finds that the firm-wide use of unapproved communication methods violated each firm’s internal policies and procedures, which generally prohibited business-related communication over unapproved methods. Both firms were among the 16 firms recently fined by the U.S. Securities and Exchange Commission for, again, the use of off-channel and unpreserved communications. The additional penalties add to the $2.6 billion already levied for failures to maintain and preserve electronic communications — another crystal-clear reminder of the continuing regulatory focus on recordkeeping.
Recordkeeping as core competency
All aspects of recordkeeping are an expected core competency for financial services firms. Only with a complete, native context, secure, but accessible data set can firms begin to fulfil all relevant compliance obligations but also gather insightful strategic management information.
Recordkeeping and the associated required data governance can only begin with the upstream capture and retention of all relevant records and data points. Indeed, only with recordkeeping robustly in place up-front, can downstream compliance and security activities be comprehensively assured.
