Since December 2021, the U.S. Securities and Exchange Commission (SEC) has fined dozens of firms over two billion in penalties for failing to retain and supervise off-channel communications (OCC) in violation of business records rules.
While much has been written about the settlements from compliance and supervisory perspectives, less attention has been paid to how firms should manage OCC issues when they arise – as they commonly do – in customer litigation or a broader regulatory investigation.
Scenario One: Investor Litigation
It is no secret that text messages exist in almost all investor litigation against investment advisors and broker-dealers – whether on firm devices or personal devices. It follows that the SEC’s OCC settlements will have an impact on these cases and firms may first learn of OCC issues during discovery.
At a minimum, settlements make great soundbites to parade in front of panels for the headline effect, even though they have nothing to do with the investor litigation in question. For firms that have already settled with the SEC, claimant’s counsel will likely attempt to use these settlements as evidence of negligence or a lack of proper supervision – not only for the headline, but to bolster an argument for discovery of representatives’ personal communications devices.
For firms under investigation or those who have not yet been in the OCC crosshairs, there are still plenty of OCC related landmines. In fact, all firms dealing with customer litigation can expect discovery requests (and fights) in three primary categories: (a) e-comms themselves; (b) compliance and supervision; and (c) regulatory investigation and enforcement.
E-comms
Production of e-communications from a firm issued device should be relatively simple, although it is important to review for indications of communications going off-channel. A case where a representative did engage in OCC with a client presents more challenges. The firm should endeavor to answer a few questions at the outset:
- Did the representative engage in OCC with only this investor?
- Did the firm repatriate the e-comms onto the firms’ systems once discovered?
- Did the firm warn or discipline the representative for violating the e-comms policy?
If each of these is answered in the affirmative, that is a good first step in defense. If each of these is answered in the negative, the firm will need to address them.
Another key obstacle may simply be the preservation and collection of data where a representative engaged in OCC. Firms should make sure any hold or preservation notice includes all personal devices and any auto-delete settings for messaging applications used on the personal device. If the employee is willing, the firm should image the representative’s text messages with the client for the relevant time period (ideally with agreed-upon search terms). The firm should then take steps to repatriate the business-related e-comms onto the firm’s systems and conduct searches of those communications to ensure that there are no additional compliance violations. The firm also should consider appropriate disciplinary actions.
Compliance and Supervisory Documents
It is highly likely that claimant’s counsel will push for compliance manuals, bulletins, updates, and training related to OCC. The latter may be cumbersome for firms, especially with regards to training, which can be both formal and informal. However, these documents may be helpful to the firm’s defense. Documents showing supervision of e-comms will also be useful in a failure to supervise case. Attestations of compliance with firm policy may be beneficial as well.
Regulatory Investigation and Enforcement
For firms that have already inked an SEC OCC settlement, claimant’s counsel will be champing at the bit to obtain the “file”: document requests, responses, productions, and communications with the regulator.
In reality, claimant’s counsel will likely do very little with the “file,” but the implications and demands of such a production are vast. It goes without saying that a firm should make the appropriate objections in response to such a request and expect this issue to go before the panel. What is paramount is educating the panel on confidentiality issues – not to the mention burden of such a production with very limited, if any, relevance to an investor dispute.
For a firm in the midst of an active OCC investigation, there is the added importance of objecting to and educating the panel regarding producing documents related to an ongoing investigation. Firms may want to present the argument that during an on-going investigation, the regulator, not a private investor or even the firm, should determine if the regulatory file may be produced in an unrelated investor litigation given investigatory confidentiality, privacy concerns, and more – not to mention the burden of such a production to account for those issues. It is highly unlikely such a “file” would have any utility to a panel in an unrelated investor litigation.
For a firm that has not yet heard from regulators regarding OCC, e-comms may be used in a different manner. If, during discovery, it becomes apparent that a representative engaged in OCC, claimant’s counsel may use the threat of a panel referring the conduct to regulators as leverage for settlement, and as evidence of negligence or failure to supervise.
Scenario Two: Regulatory Investigations
In this scenario, the regulator might send an innocuous document request, investigating a minor issue. Then, during the investigation, the firm discovers a potentially larger issue: a representative engaged in OCC.
The first step is critical: quickly ascertain the scope of the problem, until then, , it will be difficult to form an effective strategy.
Next, identify a remediation plan. Repatriate business-related e-comms onto the firm platform, revise policies (if necessary), conduct additional training, and discipline the representative. Such discipline could include letters of warning; loss of pay, bonus, or incentive compensation; heightened supervision; and, in repeat cases, potential termination.
The third step is often the most painful: disclosure. Except in particularly egregious cases, the best course of conduct is to disclose both the problem and remediation plan before the regulator discovers the issue itself. In this step, it is important not to minimize the scope of the issue. The worst-case scenario is often a disclosure followed by the regulator discovering that the problem is much worse than the firm disclosed.
Practical Considerations
Most of the sanctioned firms had OCC policies in place that prohibited OCC. It is reasonable for firms to assume that representatives abide by firm policy. However, what many of the SEC settlements showed was that OCC was often pervasive and occurred at all levels in the firm. When a representative communicates via OCC, it is typically not out of flagrant disregard to firm policies and regulatory requirements, but an instant decision to provide efficient customer service. Changing behavior, then, starts from the top down: if firms prohibit using messaging applications to conduct firm business, then that policy must be respected by all levels throughout the firm.
Firms should periodically revise OCC policies to reflect evolving technologies and industry practices. In doing so, firms may want to engage a multidisciplinary team including legal, compliance, data privacy, and IT functions to fully understand the firm’s capabilities to capture and supervise communications. Communication of these updates to representatives is integral to compliance.
Firms should consider plain-language updates to policies and include a non-exhaustive list of messaging applications. Firms should also consider providing interactive, hypothetical scenarios that can give representatives guideposts for what is considered “business as such” under the SEC rule that should only be conducted through firm-approved communication channels. A Q&A can also be productive as any messaging does require judgment.
OCC can be tricky to navigate in real time. Firms will need to be conscious of OCC history when in investor litigation to formulate a successful defense strategy. From a regulatory perspective, it is necessary to keep up to date on compliance, supervision, and new technologies.
As communications technologies continue to evolve and customer service necessitates immediate communication, this is not an issue that will go away any time soon.
Stefanie Wayco is a Partner at Duane Morris LLP.