The Securities and Exchange Commission in late September announced charges against credit rating agencies DBRS Inc. and Kroll Bond Rating Agency, LLC (KBRA) for longstanding failures to preserve electronic records, including off-channel communications on personal and work-issued devices. Additionally, the SEC charged DBRS with violating disclosure and internal control provisions of the federal securities laws in rating certain commercial mortgage-backed securities (CMBS). To settle the charges, DBRS agreed to pay $8 million in civil penalties and KBRA agreed to pay $4 million in civil penalties.
“Credit rating agencies are gatekeepers in our securities markets that are subject to recordkeeping requirements—requirements that aren’t optional, but rather foundational to the Commission’s ability to maintain fair, orderly, and efficient markets,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “If there’s an allegation of wrongdoing at the credit rating agency, the Commission must be able to review preserved documents to determine what happened. If there is an examination, our examiners must be able to look at relevant documents to assess compliance issues.”
The SEC action represents a significant development in the ongoing mobile messaging compliance sweep, as it would be the first settlement with an entity other than a broker-dealer or registered investment adviser (RIA). It signals the expansion of the sweep to other types of regulated entities with broad recordkeeping requirements, akin to those of broker-dealers and RIA’s which have been the prior focus of the sweep.
DBRS and KBRA face a potential enforcement action alleging violations of Rule 17g-2, a regulation governing the records to be maintained and retained by NRSROs. This includes all communications, including electronic communications, “received and sent by the nationally recognized statistical rating organization and its employees that relate to initiating, determining, maintaining, monitoring, changing, or withdrawing a credit rating.”
Ballard Spahr note that other entities regulated by SEC recordkeeping rules, including national securities exchanges, national securities associations, registered clearing agencies, and municipal advisors, are also required to preserve all forms of written communications under rules such as 17a-1 and 15Ba1-8. Under Rule 17a-1, national securities exchanges, national securities associations, registered clearing agencies and the Municipal Securities Rulemaking Board must maintain all correspondence “relating to its business as such and in the conduct of its self-regulatory activity.” Under Rule 15Ba1-8, municipal advisors must keep and maintain “all written communications received, and originals or copies of all written communications sent, by such municipal advisor (including inter-office memoranda and communications) relating to municipal advisory activities, regardless of the format of such communications.”
“Given their critical gatekeeping function, rating agencies are required to disclose how ratings are determined and to have effective internal controls to ensure they adhere to their ratings methodologies,” said Osman Nawaz, Chief of the SEC Enforcement Division’s Complex Financial Instruments Unit. “Our investigation found that DBRS fell short in fulfilling these requirements in rating certain CMBS transactions.”
The SEC issued two separate orders against DBRS, one relating to recordkeeping violations and the other relating to disclosure and internal controls violations. The SEC’s recordkeeping order finds that, since at least July 2019, DBRS employees, including those at senior levels, communicated internally by text messages about initiating and determining credit ratings and about adjustments to results of the quantitative predictive model that DBRS used to rate multi-borrower CMBS transactions. The order finds that DBRS failed to retain these messages in violation of recordkeeping provisions of the federal securities laws. In fact, according to the order, at the direction of DBRS and with approval from its compliance department, at least nineteen analytical employees wiped their DBRS-issued phones in 2022 during a company rollout of new devices.
DBRS admitted the SEC’s findings and agreed to pay a $6 million penalty, cease and desist from committing violations of the relevant recordkeeping provisions, and a censure. DBRS also agreed to retain an independent compliance consultant to, among other things, conduct a comprehensive review of its policies and procedures relating to the retention of electronic communications and its framework for addressing non-compliance by its employees with those policies and procedures.
Without admitting or denying the SEC’s findings, DBRS agreed to pay a $2 million penalty, cease and desist from committing violations of the relevant provisions, and to be censured.
The SEC’s order finds that, since at least January 2020, KBRA employees, including senior executives and heads of rating groups, sent and received numerous text messages concerning credit rating activities on their personal and KBRA-issued mobile devices. The messages included discussions of initiating, determining, maintaining, monitoring, changing, or withdrawing credit ratings. KBRA did not maintain or preserve the substantial majority of these off-channel communications, in violation of recordkeeping provisions of the federal securities laws.
KBRA admitted the SEC’s findings and agreed to pay a $4 million penalty, cease and desist from committing violations of the relevant recordkeeping provisions, and to be censured. KBRA also agreed to retain an independent compliance consultant to, among other things, conduct a comprehensive review of its policies and procedures relating to the retention of electronic communications and its framework for addressing non-compliance by its employees with those policies and procedures.
TeleMessage captures and retains mobile content, including mobile SMS messages, voice calls WhatsApp, and WeChat conversations from corporate or BYOD mobile phones to ensure compliance with various data protection regulations. The messages are securely and reliably retained within TeleMessage servers or forwarded to your choice of archiving data storage vendor.
Our mobile archiving products securely record content from mobile carriers and mobile devices for various ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements: