Both the U.S. Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) have focused on off-channel communications and record-keeping that violate rules established to maintain market transparency and faith in competition. These violations have cost investment firms operating in the U.S. hundreds of millions of dollars in penalties because traders used personal cell phones and message-deleting apps for business communications.

An August 2023 penalty assessed in the U.K. by the Office of Gas and Electricity Markets (Ofgem) against Morgan Stanley for £5.4 million ($6.9 million), after a 30 percent discount for cooperation, illustrates the perils for energy companies in the U.S.[1] In September 2022, Morgan Stanley was separately penalized among a number of other institutions by the U.S. SEC and CFTC  for failing to capture and retain communications (traders used encrypted messaging WhatsApp) in wholesale energy trades.[2] The Federal Energy Regulatory Commission (FERC), responsible for overseeing the wholesale energy markets and other specified energy transactions, also has record retention requirements to monitor markets, ensure competitive market transparency, and enforce its jurisdictional oversight. FERC usually considers investigations and enforcement actions when the CFTC uncovers wrongdoing in energy commodities.

In short, FERC enforcement may be next.

Understand Existing Practices

Competitive markets require transparency. As a consumer protection measure, The Dodd-Frank Act requires financial services companies to keep records of their transactions:

  • Across all communications (e.g., phone, text, email, video)
  • Timestamped to reflect the date of the communications
  • Organized and accessible
  • Stored for the duration of the transaction plus five years

Failure to enforce communications policies or to record energy trades and communications also can be subject to enforcement by the CFTC or FERC, depending on the type of market transactions.

In the case of recent SEC violations, the SEC found that traders were using the encrypted WhatsApp to communicate about trades. Although the companies prohibited using communications tools outside the established channels, the regulators levied penalties for failing to ensure compliance. FERC similarly could choose to enforce failure to enforce communications policies, especially when market volatility elicits calls for investigations into potential market manipulation.

Set Clear Communications Rules

Employees must understand business communications protocols. If a violation occurs, the company cannot afford to explain that employees were unaware of the proper business communications protocols that must be conducted on specific company-approved channels (e.g., devices, apps) or must be maintained.

Senior management should send an initial communication notifying employees of approved channels and emphasizing the importance of following the approved channel communication requirements. Business and infrastructure functions (e.g., Compliance, Legal. Risk Management) should reinforce the message in emails, town halls, intranet postings, newsletters, business or group meetings, and other communications.

Communications should be supplemented with training that includes real-life examples to ensure personnel understand what constitutes business communication and comply with the preservation of electronic communication requirements. Relevant employees should also certify periodically (e.g., quarterly, semi-annually, annually) that they follow the preservation requirements.

Monitor and Enforce Communications Protocols

Companies should ensure technological solutions are in place to appropriately capture the communications on the approved channels and incorporate them into the company’s communication surveillance and retention programs. Companies should also continually evaluate their surveillance coverage (e.g., incorporating new channels resulting from evolving technology) and lexicons (i.e., keyword or phrase search terms) to ensure the surveillance program remains relevant and effective.

Policies regarding document retention and surveillance technology procedures should be designed and operational. Companies should test the implementation of the policies and procedures to confirm they are operating effectively. For example, a company could send test messages from approved communication channels to ensure the electronic communication is captured and maintained in the company’s retention technology solution, flowing through the communication surveillance tools, and being flagged (contains certain trigger words) and investigated appropriately.

Data analytics is another mechanism for conducting ongoing monitoring and identifying potential flags. For example, a company could monitor ongoing trading activity and communications to identify instances where there is a spike in trading activity that coincides with a lack of trader communication, a potential indicator that the technology solutions are not capturing trader communications, or the trader used an unapproved channel for business communications.

A company should also establish an effective consequence management framework to enforce communication policies and procedures and deter future violations. The framework should include disciplinary measures (e.g., compensation penalties, suspension, termination), corrective actions to prevent or detect similar offenses, and communications of the disciplinary measure to demonstrate the seriousness of the activities and the company’s commitment to being a good corporate citizen.

Establish Your Regulatory Strategy

If FERC enforcement appears to be active, consider having an internal audit or an objective third-party test and certify the effectiveness of the off-channel communications program. If your assessment determines that there have been unrecorded communications, it is essential to take proactive measures to minimize further violations and address what has been done internally, including documentation and communication of policies and a process to monitor compliance.

Regardless of the findings, an independent certification would serve, in effect, as insurance since it would identify potential issues in advance, show efforts to comply, and likely would reduce the penalty were a violation to become subject to FERC inquiry and enforcement. Regulators tend to perceive proactive efforts to be a sign of good faith efforts to minimize future violations. FERC has been known to solicit information on how companies comply with their regulations before bringing industry-wide enforcement actions. Once strengthened compliance protocols are in place, consider whether to issue a voluntary letter to the appropriate regulatory agencies identifying the transgression and listing the actions undertaken to prevent the transgression from happening again. FERC may reduce or assess no fines for companies who self-report.

Compliance Conclusions

For energy market participants interested in protecting their profits from regulatory penalties, the SEC, CFTC and Ofgem actions indicate that it could be time to perform an internal assessment of potential violations, take actions to address unrecorded communications, and establish a regulatory strategy for minimizing compliance risk in the future.

Wall Street regulators recently have focused on record-keeping violations and communications outside of regulatory reporting requirements, fining hundreds of millions of dollars for violations by major financial firms. Overseas, Ofgem has applied its regulatory scrutiny to the same players and found that the energy traders were engaging in the same practices. Given recent fluctuations in energy prices, FERC enforcement could come next. Be prepared and know how your traders are communicating.

This article originally appeared in Law360, September 2023. All rights reserved. Download a PDF of this article here.


[1] https://www.ofgem.gov.uk/publications/ofgem-fines-morgan-stanley-co-international-plc-msip-over-ps54m-failure-record-and-retain-electronic-trading-communications

[2] https://www.sec.gov/news/press-release/2022-174

Posted In:


About the Authors

Chris Hoyle

Christopher Hoyle

Chris Hoyle, a Partner with StoneTurn, has nearly 20 years of professional experience in fraud and compliance risk management and forensic accounting. Chris specializes in assessing and remediating compliance programs, […]

Read Bio
Tanya Bodell StoneTurn

Tanya Bodell

Tanya Bodell, Partner, leads StoneTurn’s energy and sustainability offerings in business advisory services, regulatory support and expert testimony in large-stakes litigation, levering more than 25 years of experience in energy […]

Read Bio