The U.S. Securities and Exchange Commission (SEC) is attempting to catalyze a profound cultural shift in compliance following high-profile crackdowns on "informal channels" of communication. Many companies are aware of the need for significant changes to their record-keeping infrastructure.

Self-Reporting Precedent

In the Seaboard report of October 2001, the SEC shared an evaluation framework for company cooperation. The report outlined numerous factors the Commission considers when determining whether and to what extent leniency should be granted based on cooperation. Four specific measures of company cooperation were identified in the report:

• Self-Policing: Establishing effective compliance procedures before misconduct occurs.
• Self-Reporting: Reporting misconduct upon discovery, including conducting thorough reviews of misconduct and promptly disclosing it to regulatory agencies and the public.
• Remedial Measures: Including disciplinary actions, procedural modifications to prevent recurrence, and compensating affected individuals.
• Cooperation: Assisting law enforcement agencies.

Self-reporting has been the most highlighted and encouraged practice in recent SEC press releases, but all four measures can broadly be defined as cooperation, or cooperating with regulatory agencies as required. This is what companies should strive for to minimize enforcement penalties.

"Misleading" Self-Reporting

Regulatory compliance is a rapidly evolving field, and companies struggle to keep up. Companies that self-report aren't admitting that their advisors engaged in illegal activity, but rather admitting that they failed to implement proper systems and procedures to prove they didn't. Of course, this is still a problem because anything could have been said in those unrecorded messages.

The way regulatory agencies operate is entirely correct, "guilty until proven innocent." Rules still apply, non-compliance is punished, but people are acknowledging negligence has occurred. It's still a negligence, but a very common one, so being proactive is also positive.

SEC's Perspective

In December 2021, the SEC surprised JP Morgan with a $12.5 million fine, indicating that regulation of mobile platforms such as WhatsApp, WeChat, and Telegram isn't common. In fact, it's not even one of the main technology providers handling communication surveillance services.

The SEC has repeatedly publicized events where multiple companies were charged with the same offenses, as well as events where a self-reporting company received relatively lenient treatment.

In September 2023, Perella Weinberg self-reported their record-keeping errors and agreed to pay a $2.5 million civil penalty to settle charges. Other companies accused as part of the initiative but did not self-report eventually paid fines ranging from $8 to $35 million.

Gurbir Grewal, head of the SEC's enforcement division, explained: "One of the orders announced today is different from the others. Self-reporting, remediation, and cooperation have real benefits."

This case was again highlighted in the enforcement outcomes for fiscal year 2023, a shining example of their pursuit of a proactive compliance culture, extending until February 2024, when 19 companies were fined over $81 million for similar record-keeping errors.

Fines for companies ranged from $8 to $16 million, but there was one notable exception, with a company's fine significantly lower at $1.25 million. Grewal reiterated, "Again, one of the orders in these cases is different from the others: Huntington's fine reflects its self-reporting and cooperation."

SEC in Action

Since surprising JP Morgan with a $125 million fine on Christmas 2021, investigations into unofficial channels of communication have been making headlines. Leading institutions were early targets, but since then, regulatory agencies have been steadily applying the same principles across the industry and have been very transparent about it.

If companies haven't captured the information they should have, they'll inevitably be held accountable by regulatory agencies and forced to do so. As companies' digital footprints grow and new platforms emerge, the process of collecting all relevant communications will become increasingly challenging.

Self-reporting, remediation, and cooperation are attractive paths for companies seeking that fundamental step. It's not an admission of guilt, but an acknowledgment of negligence, and based on cases so far, as a gesture of good faith toward regulatory agencies, they're more likely to be lenient.

It's not just about ticking a box to reduce penalties but about safeguarding businesses for the future by applying fundamental principles to modern technology. The WhatsApp investigation shows that effective compliance isn't about prescription but about proactivity. We don't know what the next WhatsApp will look like, so a "clean record" from self-reporting should prompt companies to capture everything they can and add new ones as new communication channels emerge.