The Securities Exchange Commission is trying to encourage profound cultural change about compliance after a high-profile crackdown on “out-of-channel” communications. Many firms find themselves in a difficult scenario—a sort of regulatory purgatory where they know they need to make significant changes to their data storage infrastructure, but are trying to face the reality that face so much; they haven't been intercepting employees' cell phone messages and have seen many firms fined heavily for doing just that.
However, all is not lost. One path these firms can take is self-reporting, and here we'll look at what it looks like, why the term is a bit misleading, and its benefits.
Self-reporting precedent
In October 2001 Report of the Sea, the SEC shared a framework for assessing cooperation from companies. The report detailed many factors the commission considers in determining whether and to what extent it grants relief based on cooperation. The report identifies four specific measures of a company's cooperation:
- Self-policing: Have effective compliance procedures in place before misconduct occurs.
- Self-reporting: Reporting misconduct when discovered, including a thorough review and prompt disclosure of misconduct to regulators and the public.
- Repair: Including disciplinary measures, modifying procedures to prevent recurrence and compensating those adversely affected; AND
- Cooperation: Assistance of law enforcement authorities.
Self-reporting is the practice most emphasized and encouraged in recent SEC press releases, but all four measures can be broadly defined as cooperation, or engagement with the regulator on their own terms. This is what firms should strive to achieve in order to minimize enforcement penalties against them.
Why 'Self-Reporting' is Fraudulent
It stands to reason that firms may be put off by the notion of self-reporting because of the connotations of the term. It immediately evokes a sense of wrongdoing and feels like an admission of guilt.
Regulatory compliance is a rapidly evolving landscape with which businesses struggle to keep up. Self-reporting firms are not confessing to their advisors that they are engaging in illegal behavior; they are admitting they didn't have the right systems and procedures in place to prove they didn't. This, of course, is still problematic, like anything were said in those unrecorded messages.
The modus operandi of regulators is rightly “guilty until proven innocent”. The rules still apply and non-compliance will be punished, but it is accepted that mistakes have happened. It is still a violation, but very common, and so proactivity is viewed positively.
The SEC's perspective
Before the kicking started outside the channel JPMorgan Chase in December 2021, the capture of mobile platforms such as WhatsApp, WeChat and Telegram was an unusual practice. In fact, it wasn't even a service that was available from the major technology vendors that handled communications surveillance.
Necessity drives invention, and so that ability now exists. Still, it's fair to say that the SEC won't wait for many companies to have a formalized mobile procedure before setting a new precedent with Wall Street's biggest players.
What are the benefits of self-reporting?
The SEC has repeatedly publicized incidents in which multiple firms have been charged with the same offense and in which a self-reporting firm has been treated with relative leniency. This happened to Perella Weinberg in September 2023, who reported it herself recordkeeping failures and agreed to pay a $2.5 million civil penalty to settle the charges. Other firms that were charged as part of the initiative but did not self-report ended up paying between $8 million and $35 million.
Director of the SEC's Division of Enforcement, Gurbir Grewal, explained, “One of the orders involved in the actions announced today is unlike any other. There are real benefits to self-reporting, remediation and collaboration.”
This case was publicized again in November when the SEC separated them implementation results for fiscal year 2023; a shining example they were keen to highlight in their pursuit of a culture of proactive compliance. The narrative continued in February 2024, when 19 firms were fined over $81 million for similar record keeping failures. The firms' penalties ranged from $8 million to $16 million, with one notable exception — one firm received a significantly lower penalty of $1.25 million, which Grewal explained again.
“Once again, one of these orders is not like the others: Huntington's punishment reflects his self-report and voluntary cooperation.”
Bite the bullet
Since the SEC surprised JPMorgan with a $125 million penalty on Christmas 2021, the investigation into out-of-channel communications has dominated the headlines. Major institutions were targeted early on, but the regulator has steadily applied the same principles across the industry since then and has been very vocal about doing so.
This issue will not go away. If firms are still not getting the information they should have, it is only a matter of time until they are held accountable by regulators and forced to do so. The process of aggregating all relevant communications will also become more difficult as a company's digital backlog expands and new platforms emerge.
Self-reporting, remediation and collaboration is an attractive path for businesses looking to take that fundamental step. It is not an admission of guilt but an acknowledgment of oversight and, based on cases so far, it acts as a gesture of good faith to regulators, who are more likely to react leniently. It's not just about checking a box to reduce fines, but putting the right procedures in place for the sake of future-proofing businesses, applying fundamental principles to modern technology.
WhatsApp's investigation has shown that effective compliance is not about being prescriptive, but proactive. We don't know what the next WhatsApp will be, and so the self-reporting 'pure proposition' should encourage firms to grab what they can and add new communication channels as they emerge.
Harriet Christie is Chief Operating Officer at MirrorWeb