Skip navigation
whatsapp-notification.jpg AFP Contributor/AFP/Getty Images

Ripping Off the Band-Aid of Self Reporting ‘Off-Channel’ Communications

The SEC has repeatedly rewarded firms who self-reported their use of WhatsApp and other unauthorized communication means with leniency.

The Securities Exchange Commission is trying to instigate deep cultural change around compliance following a high-profile crackdown on ‘off-channel’ communications. Many firms find themselves in a difficult scenario—a kind of regulatory purgatory where they know that they need to make significant changes to their recordkeeping infrastructure but are tentative about dealing with the reality facing so many; they haven’t been capturing employee’s mobile messages, and have seen a lot of firms fined a lot of money for exactly this.

However, all is not lost. One avenue these firms can pursue is self-reporting, and here we’ll analyze what it looks like, why the term is a bit misleading and its benefits.

Self-Reporting Precedent

In October 2001’s Seaboard Report, the SEC shared a framework for evaluating cooperation by companies. The report detailed the many factors the commission considers in determining whether and to what extent it grants leniency based on cooperation. The report identifies four specific measures of a company’s cooperation:

  • Self-policing: Having effective compliance procedures in place before the misconduct occurred.
  • Self-reporting: Reporting misconduct when it is discovered, including a thorough review and prompt disclosure of the misconduct to regulators and the public.
  • Remediation: Including disciplinary action, modifying procedures to prevent recurrence, and compensating those adversely affected; and
  • Cooperation: Assisting law enforcement authorities.

Self-reporting is the practice most highlighted and encouraged in recent SEC press releases, but all four measures can be broadly defined as cooperation, or engaging with the regulator on their own terms. This is what firms should strive to accomplish to minimize enforcement penalties against them.

Why ‘Self-Reporting’ Is Misleading

It’s rational that firms may be put off by the notion of self-reporting due to the term’s connotations. It immediately conjures a feeling of wrongdoing and feels like an admission of guilt.

Regulatory compliance is a rapidly evolving landscape that businesses struggle to keep up with. Firms that self-report are not confessing to their advisors indulging in illicit conduct; they’re admitting that they hadn’t implemented the appropriate systems and procedures to prove that they did not. This is, of course, still problematic, as anything could have been said in those unrecorded messages.

Regulators’ modus operandi is quite rightly “guilty until proven innocent.” The rules still apply, and noncompliance will be punished, but there's an acceptance that lapses have occurred. It’s still an oversight, but a very common one, and so proactivity is viewed positively.

SEC Perspective

Before the off-channel crackdown began with JPMorgan Chase in December 2021, the capture of mobile platforms like WhatsApp, WeChat and Telegram was an uncommon practice. In fact, it was not even a service that was readily available from the leading technology vendors handling communications surveillance.

Necessity expedites invention, and so that capability now exists. However, it’s fair to say the SEC will not expect many companies to have had a formalized mobile procedure in place before they set a new precedent with Wall Street’s largest players.

What Are the Benefits of Self-Reporting?

The SEC has repeatedly publicized incidents in which multiple firms have been charged with the same offense and in which one firm that has self-reported has been treated with relative leniency. This happened to Perella Weinberg in September 2023, which self-reported its recordkeeping failures and agreed to pay a civil penalty of $2.5 million to settle the charges. Other firms that were charged as part of the initiative but had not self-reported ended up paying between $8 million and $35 million.

The SEC Enforcement Division Director Gurbir Grewal explained, “One of the orders included in today’s announced actions is not like the others. There are real benefits to self-reporting, remediating and cooperating.”

This case was again publicized in November when the SEC shared their enforcement results for Fiscal Year 2023; a shining example that they were keen to spotlight in their pursuit of a proactive compliance culture. The narrative continued into February 2024, when 19 firms were fined over $81 million for similar recordkeeping failures. The firms’ penalties ranged from $8 to 16 million, with one notable exception—one firm received a significantly lower penalty of $1.25 million, which Grewal again explained.

“Once again, one of these orders is not like the others: Huntington’s penalty reflects its voluntary self-report and cooperation.”

Biting the Bullet

Since the SEC surprised JPMorgan with a $125 million penalty in Christmas 2021, the probe into off-channel communications has dominated headlines. Leading institutions were targeted early, but the regulator has steadily applied the same principles across the industry since and has been very vocal about doing so.

This issue is not going to go away. If firms are not yet capturing the information they should be, it’s a matter of time until they’re held accountable by regulators and forced to do so. The process of gathering all pertinent communications will also become more difficult as a company’s digital backlog expands and new platforms emerge.

Self-reporting, remediation and cooperation is an appealing pathway for businesses looking to make that fundamental step. It’s not an admission of guilt but an acknowledgment of oversight, and, based on the cases so far, it acts as a gesture of good faith to regulators, who are more likely to react with leniency. It’s not just about checking a box to reduce penalties but getting the correct procedures in place for the sake of future-proofing businesses, by applying fundamental principles to modern technology.

The WhatsApp probe has demonstrated that effective compliance is not about being prescriptive, but proactive. We don’t know what the next WhatsApp will be, and so the self-reporting ‘clean slate’ should trigger firms to capture everything they can and add new communications channels as they emerge.

 

Harriet Christie is Chief Operating Officer at MirrorWeb

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish