WhatsApp Compliance: Self-Reporting Drives Regulatory Change Initiation

Monday, 15/04/2024 | 13:10 GMT by Harriet Christie
  • The SEC is pushing for cultural change in compliance, focusing on self-reporting.
  • Firms like Perella Weinberg and Huntington benefited from self-reporting, receiving lower penalties.
reporting Regulations

The Securities Exchange Commission (SEC) is trying to instigate deep cultural change around compliance following a high-profile crackdown on ‘off-channel’ communications. Many firms find themselves in a difficult scenario. It's a kind of regulatory purgatory where they know they need to make significant changes to their record-keeping infrastructure.

However, these firms are tentative about dealing with the reality facing so many. They haven’t been capturing employees' mobile messages, and many firms have been fined a lot of money for this. Nevertheless, all is not lost. One avenue these businesses can pursue is that of self-reporting, and here we’ll analyze what it looks like, the benefits to this course of action, and why the term is a little misleading.

Self-Reporting Precedent

In October 2001’s Seaboard Report, the SEC shared a framework for evaluating cooperation by companies. The report detailed the many factors the Commission considers in determining whether, and to what extent, it grants leniency based on cooperation. The report identifies four specific measures of a company’s cooperation:

  • Self-Policing: Having effective compliance procedures in place before the misconduct occurred.
  • Self-Reporting: Reporting misconduct when it is discovered, including a thorough review and prompt disclosure of the misconduct to regulators and the public.
  • Remediation: Including disciplinary action, modifying procedures to prevent recurrence, and compensating those adversely affected.
  • Cooperation: Assisting law enforcement authorities.

Self-reporting is the practice most highlighted and encouraged in recent SEC press releases, but all four measures can be broadly defined as cooperation, or engaging with the regulator on their own terms. This is what firms should strive to accomplish to minimize enforcement penalties against them.

Why ‘Self-Reporting’ Is Misleading

It’s rational that firms may be put off by the notion of self-reporting due to the term’s connotations. It immediately conjures a feeling of wrongdoing, and feels like an admission of guilt.

Regulatory compliance is a rapidly evolving landscape, which businesses struggle to keep up with. Firms that self-report are not confessing to their advisors indulging in illicit conduct, they’re admitting that they hadn’t implemented the appropriate systems and procedures to prove that they did not. This is of course still problematic, as anything could have been said in those unrecorded messages.

Regulators’ modus operandi is quite rightly "guilty until proven innocent." The rules still apply and noncompliance will be punished, but there's an acceptance that lapses have taken place. It’s still an oversight, but a very common one, and so proactivity is viewed positively.

SEC Perspective

Before the off-channel crackdown began with JP Morgan in December 2021, the capture of mobile platforms like WhatsApp, WeChat and Telegram was uncommon. In fact, it was not even a service that was readily available from the leading technology vendors handling communications surveillance.

Necessity is the mother of invention, and so that capability now exists. However, it’s fair to say that the SEC will not expect many companies to have had a formalized mobile procedure in place before they set a new precedent with Wall Street’s largest players. What are the benefits to self-reporting?

The SEC has repeatedly publicized incidents in which multiple firms have been charged with the same offence, and in which one firm that has self-reported has been treated with relative leniency.

It happened to Perella Weinberg in September 2023, who self-reported their recordkeeping failures and agreed to pay a civil penalty of $2.5 million to settle the charges. Other firms that were charged as part of the initiative but had not self-reported ended up paying between $8 million and $35million. The SEC's Enforcement Division Director, Gurbir Grewal, explained: “One of the orders included in today’s announced actions is not like the others. There are real benefits to self-reporting, remediating and cooperating.”

This case was again publicized in November when the SEC shared their enforcement results for the fiscal year 2023; a shining example that they were keen to spotlight in their pursuit of a proactive compliance culture. The narrative continued into February 2024 when 19 firms were fined over $81 million for similar recordkeeping failures.

The firms’ penalties ranged from $8 to 16 million, with one notable exception, one firm received a significantly lower penalty of $1.25 million, which Grewal again explained. “Once again, one of these orders is not like the others: Huntington’s penalty reflects its voluntary self-report and cooperation.”

Biting the Bullet

Since the SEC surprised JP Morgan with a $125 million penalty in Christmas 2021, the probe into off-channel communications has dominated the headlines. Leading institutions were targeted early, but the regulator has steadily applied the same principles across the industry since, and been very vocal about doing so.

This issue is not going to go away. If firms are not yet capturing the information that they should be, it’s a matter of time until they’re held accountable by regulators and forced to do so. The process of gathering all pertinent communications will become more difficult as a company’s digital backlog expands and new platforms emerge.

Self-reporting, remediation and cooperation is an appealing pathway for businesses looking to make that fundamental step. It’s not an admission of guilt but an acknowledgement of oversight, and, based on the cases so far, acts as a gesture of good faith to regulators, who are more likely to react with leniency.

It’s not just about checking a box to reduce penalties, but getting the correct procedures in place for the sake of future-proofing businesses, by applying fundamental principles to modern technology.

The WhatsApp probe has demonstrated that effective compliance is not about being prescriptive, but proactive. We don’t know what the next WhatsApp will be, and so the self-reporting ‘clean slate’ should trigger firms to capture everything they can, and add new communications channels as they emerge.

The Securities Exchange Commission (SEC) is trying to instigate deep cultural change around compliance following a high-profile crackdown on ‘off-channel’ communications. Many firms find themselves in a difficult scenario. It's a kind of regulatory purgatory where they know they need to make significant changes to their record-keeping infrastructure.

However, these firms are tentative about dealing with the reality facing so many. They haven’t been capturing employees' mobile messages, and many firms have been fined a lot of money for this. Nevertheless, all is not lost. One avenue these businesses can pursue is that of self-reporting, and here we’ll analyze what it looks like, the benefits to this course of action, and why the term is a little misleading.

Self-Reporting Precedent

In October 2001’s Seaboard Report, the SEC shared a framework for evaluating cooperation by companies. The report detailed the many factors the Commission considers in determining whether, and to what extent, it grants leniency based on cooperation. The report identifies four specific measures of a company’s cooperation:

  • Self-Policing: Having effective compliance procedures in place before the misconduct occurred.
  • Self-Reporting: Reporting misconduct when it is discovered, including a thorough review and prompt disclosure of the misconduct to regulators and the public.
  • Remediation: Including disciplinary action, modifying procedures to prevent recurrence, and compensating those adversely affected.
  • Cooperation: Assisting law enforcement authorities.

Self-reporting is the practice most highlighted and encouraged in recent SEC press releases, but all four measures can be broadly defined as cooperation, or engaging with the regulator on their own terms. This is what firms should strive to accomplish to minimize enforcement penalties against them.

Why ‘Self-Reporting’ Is Misleading

It’s rational that firms may be put off by the notion of self-reporting due to the term’s connotations. It immediately conjures a feeling of wrongdoing, and feels like an admission of guilt.

Regulatory compliance is a rapidly evolving landscape, which businesses struggle to keep up with. Firms that self-report are not confessing to their advisors indulging in illicit conduct, they’re admitting that they hadn’t implemented the appropriate systems and procedures to prove that they did not. This is of course still problematic, as anything could have been said in those unrecorded messages.

Regulators’ modus operandi is quite rightly "guilty until proven innocent." The rules still apply and noncompliance will be punished, but there's an acceptance that lapses have taken place. It’s still an oversight, but a very common one, and so proactivity is viewed positively.

SEC Perspective

Before the off-channel crackdown began with JP Morgan in December 2021, the capture of mobile platforms like WhatsApp, WeChat and Telegram was uncommon. In fact, it was not even a service that was readily available from the leading technology vendors handling communications surveillance.

Necessity is the mother of invention, and so that capability now exists. However, it’s fair to say that the SEC will not expect many companies to have had a formalized mobile procedure in place before they set a new precedent with Wall Street’s largest players. What are the benefits to self-reporting?

The SEC has repeatedly publicized incidents in which multiple firms have been charged with the same offence, and in which one firm that has self-reported has been treated with relative leniency.

It happened to Perella Weinberg in September 2023, who self-reported their recordkeeping failures and agreed to pay a civil penalty of $2.5 million to settle the charges. Other firms that were charged as part of the initiative but had not self-reported ended up paying between $8 million and $35million. The SEC's Enforcement Division Director, Gurbir Grewal, explained: “One of the orders included in today’s announced actions is not like the others. There are real benefits to self-reporting, remediating and cooperating.”

This case was again publicized in November when the SEC shared their enforcement results for the fiscal year 2023; a shining example that they were keen to spotlight in their pursuit of a proactive compliance culture. The narrative continued into February 2024 when 19 firms were fined over $81 million for similar recordkeeping failures.

The firms’ penalties ranged from $8 to 16 million, with one notable exception, one firm received a significantly lower penalty of $1.25 million, which Grewal again explained. “Once again, one of these orders is not like the others: Huntington’s penalty reflects its voluntary self-report and cooperation.”

Biting the Bullet

Since the SEC surprised JP Morgan with a $125 million penalty in Christmas 2021, the probe into off-channel communications has dominated the headlines. Leading institutions were targeted early, but the regulator has steadily applied the same principles across the industry since, and been very vocal about doing so.

This issue is not going to go away. If firms are not yet capturing the information that they should be, it’s a matter of time until they’re held accountable by regulators and forced to do so. The process of gathering all pertinent communications will become more difficult as a company’s digital backlog expands and new platforms emerge.

Self-reporting, remediation and cooperation is an appealing pathway for businesses looking to make that fundamental step. It’s not an admission of guilt but an acknowledgement of oversight, and, based on the cases so far, acts as a gesture of good faith to regulators, who are more likely to react with leniency.

It’s not just about checking a box to reduce penalties, but getting the correct procedures in place for the sake of future-proofing businesses, by applying fundamental principles to modern technology.

The WhatsApp probe has demonstrated that effective compliance is not about being prescriptive, but proactive. We don’t know what the next WhatsApp will be, and so the self-reporting ‘clean slate’ should trigger firms to capture everything they can, and add new communications channels as they emerge.

About the Author: Harriet Christie
Harriet Christie
  • 7 Articles
  • 11 Followers
About the Author: Harriet Christie
Harriet graduated from the University of Sheffield in 2010, with a BA in Management Accounting, Entrepreneurship, Business Law, BSR, HR. She entered the Tourism space, starting as an Accounts Executive at LateRooms.com, and earning the title of Global Accounts Manager within 3 years. She occupied this role for a further 5 years as the business continued to evolve and flourish, before taking up her role as a Key Account Manager with MirrorWeb, a data archiving solution based in Manchester. Harriet was appointed Chief Operating Officer in 2020. Since then, she has helped oversee the evolution of the MirrorWeb product and service offering, as well as the business' impressive growth since her taking on the role. https://www.mirrorweb.com/
  • 7 Articles
  • 11 Followers

More from the Author

Retail FX

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}