The Securities and Exchange Commission (“SEC”) entered an “Order” on September 23, 2020, against JonesTrading Institutional Services LLC (“firm”), a broker-dealer located in California, for failing to retain text messages relating to the firm’s business. The SEC fined JonesTrading $100,000.
The firm’s policies restricted employees from conducting business over text message or on personal devices, and employees annually attested to their compliance with those policies.
JonesTrading maintains policies and procedures to ensure it was retaining business-related records, including communications, in conformance with Communications Policy stated: “Electronic business communications must be accessed and transmitted only through firm sponsored systems.” The policy noted, “Regulators require retention of business communications and firm systems are designed to comply with retention requirements.” JonesTrading’s policies expressly prohibited its registered representatives from using text messaging to conduct business-related correspondence. The policy stated, “Text messaging is not approved to conduct business-related correspondence,” and “Home computers or other personal devices and external systems may not be used for business purposes.”
However, according to the Order, when the SEC issued a third-party subpoena to the broker-dealer, it found the firm conducted business using text messages, persons in the firm’s compliance department and management knew that text messages were sometimes used for discussing firm business (indeed, those persons had themselves used text messages for that purpose), and those text messages were not retained within the firms regulatory records repository and therefore could not be produced in response to the third-party subpoena.
BSA and AMLWhen it comes to regulations, the Bank Secrecy Act (“BSA”) mandates financial institutions to keep their customer records to aid in criminal, tax, or regulatory investigations or protect against international terrorism. Money laundering and fraud can provide the necessary funds for criminal organizations and terrorists to conduct operations that can threaten a nation’s security. There are cases where conspirators communicate through text messages and the bad actor was found to have received instructions via text message regarding where to wire the funds he received to conduct the trade-based money laundering operation.
FinCEN’s Critical Requirements to Achieve Regulatory Compliance
The Financial Crimes Enforcement Network (FinCEN) mission is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.
FinCEN does address customer due diligence (“CDD”). The CDD Rule has four (4) core elements that cover financial institutions to establish and maintain written policies and procedures that are meant to:
- identify and verify the identity of customers;
- identify and confirm the identity of beneficial owners of legal entity customers (i.e., the natural persons who own or control legal entities);
- comprehend the nature and purpose of customer relationships; and
- conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
Collectively, these elements comprise the minimum standard of CDD.
Financial institutions will need to identify and verify the identity of their customers that own twenty-five (25) percent or more of a particular company and the individual who controls the firm.
We all know or should know individuals launder their ill-gotten money through banks and investment firms. As such, the CDD Rule or FinCEN’s Final Rule strengthens the due diligence requirements for U.S. banks, mutual funds, brokers, and futures commission merchants to have them identify and verify their customers’ beneficial owners.
This matter is a strong reminder to be vigilant in ensuring that communications, including those conducted over text message or otherwise, utilizing an employee’s personal device be retained in compliance with applicable recordkeeping requirements.
This goes for everyone.I welcome your thoughts and comments.
References and Attribution
Jonestrading Institutional Services, LLC, Release No. 89975, Sept. 23, 2020, available here https://www.sec.gov/litigation/admin/2020/34-89975.pdf.
Kilpatrick Townsend & Stockton LLP