The Securities and Exchange Commission (SEC) is trying to instigate deep cultural change around compliance following a high-profile crackdown on ‘off-channel’ communications. Many firms find themselves in a difficult scenario – a kind of regulatory purgatory where they know that they need to make significant changes to their recordkeeping infrastructure but are tentative about dealing with the reality facing so many: they haven’t been capturing employees’ mobile messages, and have seen a lot of firms fined a lot of money for exactly this.
However, all is not lost. One avenue these firms can pursue is that of self-reporting, and here we’ll analyze what it looks like, the benefits to this course of action, and why the term is a little misleading.
Self-reporting precedent
In October 2001’s Seaboard Report, the SEC shared a framework for evaluating cooperation by companies. The report detailed the many factors the Commission considers in determining whether, and to what extent, it grants leniency based on cooperation. The report identifies four specific measures of a company’s cooperation:
- Self-policing: Having effective compliance procedures in place before the misconduct occurred.
- Self-reporting: Reporting misconduct when it is discovered, including a thorough review and prompt disclosure of the misconduct to regulators and the public.
- Remediation: Including disciplinary action, modifying procedures to prevent recurrence, and compensating those adversely affected.
- Cooperation: Assisting law enforcement authorities.
Self-reporting is the practice most highlighted and encouraged in recent SEC press releases, but all four measures can be broadly defined as cooperation, or engaging with the regulator on their own terms. This is what firms should strive to accomplish to minimize enforcement penalties against them.
Why ‘self-reporting’ is misleading
It’s rational that firms may be put off by the notion of self-reporting due to the term’s connotations. It immediately conjures a feeling of wrongdoing, and feels like an admission of guilt.
Regulatory compliance is a rapidly evolving landscape which businesses struggle to keep up with. Firms that self-report are not confessing to their advisors indulging in illicit conduct; they’re admitting that they hadn’t implemented the appropriate systems and procedures to prove that they did not. This is of course still problematic, as anything could have been said in those unrecorded messages.
Regulators’ modus operandi is quite rightly ‘guilty until proven innocent’. The rules still apply and noncompliance will be punished, but there's an acceptance that lapses have taken place. It’s still an oversight, but a very common one, and so proactivity is viewed positively.
SEC perspective
Before the off-channel crackdown began with JP Morgan in December 2021, the capture of mobile platforms like WhatsApp, WeChat and Telegram was uncommon practice. In fact, it was not even a service that was readily available from the leading technology vendors handling communications surveillance.
Necessity expedites invention, and so that capability now exists. However, it’s fair to say that the SEC will not expect many companies to have had a formalized mobile procedure in place before they set a new precedent with Wall Street’s largest players.
What are the benefits to self-reporting?
The SEC has repeatedly publicized incidents in which multiple firms have been charged with the same offence, and in which one firm that has self-reported has been treated with relative leniency. It happened in September 2023 with Perella Weinberg, which self-reported its recordkeeping failures and agreed to pay a civil penalty of $2.5 million to settle the charges. Other firms that were charged as part of the initiative but had not self-reported ended up paying between $8 million and $35 million.
The SEC Enforcement Division Director Gurbir Grewal explained, “One of the orders included in today’s announced actions is not like the others. There are real benefits to self-reporting, remediating and cooperating.”
This case was again publicized in November when the SEC shared their enforcement results for Fiscal Year 2023; a shining example that they were keen to spotlight in their pursuit of a proactive compliance culture. The narrative continued into February 2024, when 19 firms were fined over $81 million for similar recordkeeping failures. The firms’ penalties ranged from $8 million to $16 million, with one notable exception: one firm received a significantly lower penalty of $1.25 million, which Grewal again explained.
“Once again, one of these orders is not like the others: Huntington’s penalty reflects its voluntary self-report and cooperation.”
Biting the bullet
Since the SEC surprised JP Morgan with a $125 million penalty in Christmas 2021, the probe into off-channel communications has dominated headlines. Leading institutions were targeted early, but the regulator has steadily applied the same principles across the industry since, and been very vocal about doing so.
This issue is not going to go away. If firms are not yet capturing the information that they should be, it’s a matter of time until they’re held accountable by regulators and forced to do so. The process of gathering all pertinent communications will also become more difficult as a company’s digital backlog expands and new platforms emerge.
Self-reporting, remediation and cooperation is an appealing pathway for businesses looking to make that fundamental step. It’s not an admission of guilt but an acknowledgement of oversight, and, based on the cases so far, acts as a gesture of good faith to regulators, who are more likely to react with leniency. It’s not just about checking a box to reduce penalties, but getting the correct procedures in place for the sake of future-proofing businesses, by applying fundamental principles to modern technology.
The WhatsApp probe has demonstrated that effective compliance is not about being prescriptive, but proactive. We don’t know what the next WhatsApp will be, and so the self-reporting ‘clean slate’ should trigger firms to capture everything they can, and add new communications channels as they emerge.
How MirrorWeb can help
Self-policing means establishing compliance procedures before any potential misconduct occurs. And when self-reporting on past compliance gaps, it’s vital to show that lessons have been learned and an effective procedure has since been implemented.
MirrorWeb is that procedure. Our platform captures all leading digital channels and evolves quickly with demand, keeping regulators satisfied.