The Securities Exchange Commission (SEC) is trying to instigate deep cultural change around compliance following a high-profile crackdown on ‘off-channel’ communications. Many firms find themselves in a difficult scenario – a kind of regulatory purgatory where they know that they need to make significant changes to their recordkeeping infrastructure but are tentative about dealing with the reality facing so many; they haven’t been capturing employee’s mobile messages, and have seen a lot of firms fined a lot of money for exactly this.
However, all is not lost. One avenue these firms can pursue is self-reporting, and here we’ll analyze what it looks like, the benefits of this course of action, and why the term is a little misleading.
Self-reporting precedent
In October 2001’s Seaboard Report, the SEC shared a framework for evaluating cooperation by companies. The report detailed the many factors the Commission considers in determining whether and to what extent, it grants leniency based on cooperation. The report identifies four specific measures of a company’s cooperation:
- Self-policing: Having effective compliance procedures in place before the misconduct occurred.
- Self-reporting: Reporting misconduct when discovered, including a thorough review and prompt disclosure of the misconduct to regulators and the public.
- Remediation: Including disciplinary action, modifying procedures to prevent recurrence, and compensating those adversely affected; and
- Cooperation: Assisting law enforcement authorities.
Self-reporting is the practice most highlighted and encouraged in recent SEC press releases. Still, all four measures can be broadly defined as cooperation or engaging with the regulator on their own terms. This is what firms should strive to accomplish to minimize enforcement penalties against them.
Why ‘self-reporting’ is misleading
It’s rational that firms may be put off by the notion of self-reporting due to the term’s connotations. It immediately conjures a feeling of wrongdoing and feels like an admission of guilt.
Regulatory compliance is a rapidly evolving landscape that businesses struggle to keep up with. Firms that self-report are not confessing to their advisors indulging in illicit conduct; they’re admitting that they hadn’t implemented the appropriate systems and procedures to prove that they did not. This is, of course, still problematic, as anything could have been said in those unrecorded messages.
Regulators’ modus operandi is quite rightly ‘guilty until proven innocent.’ The rules still apply, and noncompliance will be punished, but there’s an acceptance that lapses have taken place. It’s still an oversight but very common, so proactivity is viewed positively.
SEC perspective
Before the off-channel crackdown began with JP Morgan in December 2021, capturing mobile platforms like WhatsApp, WeChat, and Telegram was an uncommon practice. It was not even a service readily available from the leading technology vendors handling communications surveillance.
Necessity expedites invention, and so that capability now exists. However, it’s fair to say that the SEC will not expect many companies to have had a formalized mobile procedure before they set a new precedent with Wall Street’s largest players.
What are the benefits of self-reporting?
The SEC has repeatedly publicized incidents in which multiple firms have been charged with the same offense and one that has self-reported has been treated with relative leniency. It happened to Perella Weinberg in September 2023, who self-reported their recordkeeping failures and agreed to pay a civil penalty of $2.5 million to settle the charges. Other firms that were charged as part of the initiative but had not self-reported paid between $8 million and $ 35 million.
The SEC Enforcement Division Director Gurbir Grewal explained, “One of the orders included in today’s announced actions is not like the others. There are real benefits to self-reporting, remediating, and cooperating.”
This case was again publicized in November when the SEC shared their enforcement results for Fiscal Year 2023, a shining example they were keen to spotlight in their pursuit of a proactive compliance culture. The narrative continued into February 2024, when 19 firms were fined over $81 million for similar recordkeeping failures. The firms’ penalties ranged from $8 to 16 million, with one notable exception—one firm received a significantly lower penalty of $1.25 million, which Grewal again explained.
“One of these orders is not like the others: Huntington’s penalty reflects its voluntary self-report and cooperation.”
Biting the bullet
The probe into off-channel communications has dominated headlines since the SEC surprised JP Morgan with a $125 million penalty in Christmas 2021. Leading institutions were targeted early, but the regulator has steadily applied the same principles across the industry and been very vocal about doing so.
This issue is not going to go away. If firms are not yet capturing the information that they should be, it’s a matter of time until regulators hold them accountable and force them to do so. Gathering all pertinent communications will also become more difficult as a company’s digital backlog expands and new platforms emerge.
Self-reporting, remediation, and cooperation are appealing for businesses looking to make that fundamental step. It’s not an admission of guilt but an acknowledgment of oversight, and, based on the cases so far, it acts as a gesture of good faith to regulators, who are more likely to react leniently. It’s not just about checking a box to reduce penalties but getting the correct procedures in place for future-proofing businesses by applying fundamental principles to modern technology.
The WhatsApp probe has demonstrated that effective compliance is not about being prescriptive but proactive. We don’t know the next WhatsApp, so the self-reporting ‘clean slate’ should trigger firms to capture everything they can and add new communications channels as they emerge.
Harriet Christie, Chief Operating Officer – Harriet graduated from the University of Sheffield in 2010. She entered the Tourism space at LateRooms.com, earning the title of Global Accounts Manager within 3 years. In 2018 she began working as a Key Account Manager with MirrorWeb, a communications surveillance solution based in Manchester. Harriet was appointed Chief Operating Officer in 2020, and has overseen the business’ impressive growth.
SEC stock image by Mark Van Scyoc/Shutterstock
