HSBC, Scotia Capital Hit With SEC Text Message Fines

In its ongoing sweep of firms’ off-channel communications, the Securities and Exchange Commission on Thursday charged HSBC Securities Inc. and Scotia Capital Inc. for what it called “widespread and longstanding failures” by both firms and their employees to maintain and preserve electronic messages.

To settle the charges, HSBC and Scotia acknowledged that their conduct violated recordkeeping provisions of the federal securities laws and agreed to pay penalties of $15 million and $7.5 million, respectively, according to the SEC.

The SEC’s investigation of HSBC Securities and Scotia Capital, both registered broker-dealers, “uncovered pervasive and longstanding use” of off-channel communications at both firms.

According to the SEC’s orders, both firms admitted that their employees often communicated “off-channel” about securities business matters on their personal devices, using messaging platforms such as WhatsApp.

The Commodity Futures Trading Commission announced the same day that it had fined The Bank of Nova Scotia and Scotia Capital USA Inc., a futures commission merchant, $15 million for failing over a period of years to stop their employees, including those at senior levels, from communicating both internally and externally using unapproved communication methods, including messages sent via personal text and WhatsApp.

The SEC announced charges last September $1.1 billion of fines affecting 15 broker-dealers and one affiliated investment advisor, while the CFTC imposed $710 million in penalties on 11 financial institutions over employees routinely communicating about business matters using text messaging applications such as WhatsApp on their personal devices.

Combined with JPMorgan’s $200 million regulatory fine, which regulators announced in December, the total level of penalties over these record-keeping lapses stands at $2.01 billion.

HSBC, Scotia Issues

From at least January 2018 to September 2021, HSBC Securities employees sent and received off-channel communications that related to the business of the broker-dealer operated by the firm.

From at least January 2020 to December 2021, SCUSA employees sent and received off-channel communications that related to the business of the broker-dealer operated by SCUSA.

According to the SEC, neither firm “maintained or preserved the substantial majority of these communications, in violation of the federal securities laws.” The failings involved employees at multiple levels of authority, including supervisors and senior executives, the SEC said.

Both HSBC Securities and Scotia Capital cooperated with the SEC’s investigation by, among other things, self-reporting the recordkeeping failures after gathering communications from the personal devices of a sample of the firms’ personnel.

“Today’s actions should not only remind firms of the importance of following SEC recordkeeping requirements, but also the value of disclosing violations when they do occur,” said Gurbir  Grewal, director of the SEC’s Division of Enforcement in a statement.

“Both HSBC and Scotia Capital self-reported and self-remediated their recordkeeping violations, and the reduced penalties in these cases reflect their efforts and cooperation. As we continue our efforts to ensure compliance with the Commission’s essential recordkeeping requirements, we encourage other firms to take note and likewise self-report,” Grewal said.

The two firms’ supervisors routinely communicated off-channel using their personal devices.

Both firms were charged with violating certain recordkeeping provisions of the Securities Exchange Act of 1934 and with failing to reasonably supervise with a view to preventing and detecting those violations.

In addition to the financial penalties, each firm was ordered to cease and desist from committing violations of the relevant recordkeeping provisions and was censured.

The firms also agreed to retain compliance consultants to, among other things, conduct comprehensive reviews of their policies and procedures relating to the retention of electronic communications found on personal devices and their respective frameworks for addressing non-compliance by their employees with those policies and procedures, the SEC said.