In April and July 2022, we published articles highlighting the risks of using social media applications like WhatsApp on private devices in the workplace.
Last week, we saw that 16 Wall Street firms including Barclays, Bank of America, Citigroup and Goldman Sachs have been fined a combined $1.8 billion after staff violated federal rules obliging financial institutions to preserve business communications. The staff of the banks regularly discussed business activities with colleagues, clients and third-party advisers using applications like WhatsApp on their private devices.
This landmark case by the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) has come about because failing to preserve communications, aside from violating the federal rules, hinders the agencies’ ability to oversee the financial markets and ensure compliance with key rules.
The CFTC Commissioner, Christy Goldsmith Romero, commented that staff used personal apps to avoid oversight, sometimes even at the direction of senior executives who wanted to obscure trading communications.
The FCA’s approach:
The Senior Management Arrangements, Systems and Controls (SYSC) sourcebook of the FCA Handbook sets out, principally in SYSC 10A.1.6, what firms must do to mitigate the risks of using personal phones at work:
- According to SYSC 10A.1.6R, a firm is required to take reasonable steps to record telephone conversations and preserve a copy of electronic communications.
- This includes conversations and communications that are intended to result in a transaction, even if they eventually do not (10A.1.8R).
- SYSC 10A.1.7R requires a firm to prevent an employee or contractor from making, sending or receiving relevant telephone conversations and electronic communications on privately-owned devices that the firm is unable to record or copy.
As the article shows, the risk of confidential information being communicated through social media applications is high, and firms must focus on how to prevent this.
Firms are required to have procedures in place that preserve all relevant communications, as emphasised in the FCA Handbook, in order to steer clear of penalties and fines.
What do firms need?
In 2021 the FCA released Market Watch 66, which requires firms to continue to comply with their recording obligations under the SYSC sourcebook of the FCA Handbook and sheds light on the increased risk of misconduct caused by homeworking.
Unmonitored communication on private apps can result in the sharing of sensitive information. As a result, firms will need to ensure that:
- They have effective, up-to-date recording policies.
- They are able to show that their policies, procedures and management oversight are in line with the recording rules.
- If such apps are being used on business devices, they are recorded and auditable.
- They examine their policies and controls for the use of personal devices to connect to personal networks and obtain potentially sensitive data through work-related systems, so that recording can take place effectively. This may involve prohibiting the use of personal devices for business activities where conversations cannot be recorded.
FCA action
The FCA have acted against individuals and firms for misconduct that involved the use of applications like WhatsApp and other social media platforms to arrange deals and give investment advice. The FCA have sought orders to prevent the individuals and firms from conducting these activities in the future.
The apparent increasing use of personal messaging systems and applications is presenting a surging issue for compliance teams.
Data Protection – How can Complyport Help?
Our experienced Cyber Security and Data Protection team, led by Martin Schofield, one of the world’s leading specialists in the field, brings a wealth of experience to every project we are engaged in. Complyport can not only provide advice, guidance and support on cybersecurity and data protection but can also provide Data Protection Officer Support as a Service.
DPO Support As a Service
Our Data Protection Officer Support service team, staffed by experienced and multiskilled personnel including a Certified Data Protection Officer and industry practitioners, is at your disposal when you are looking to address data protection risks and enhance your privacy mechanisms and internal framework. Our service entails assisting you to understand and work within the legislative complexities that govern the processing of personal data, while at the same time considering your business needs with respect to information systems, data security and organisational processes across the full scale of your operations.
Our multi-faceted Data Protection Services are provided through our multiskilled team of legal, security and operational experts when you are looking to:
- Implement essential elements of UK Data Protection Act 2018 (DPA) and the General Data Protection Regulation of the European Union EU2016/679 (GDPR), such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches.
- Foster a data protection culture within your organisation and with your external stakeholders.
- Carry out DPIAs where needed and suggest the appropriate technical and organisational measures to mitigate the identified risks.
- Support the management of data breaches with respect to response, notifications, communications, and advice on the corrective actions necessary to prevent losses, regulatory complications and reputational impact.
- Where necessary, provide a contact point for the Information Commissioner’s Office (ICO).
- Provide solutions and answers to the data protection questions that puzzle your staff, and help with decision making when a data protection issue arises in the context of your daily business.
If this article has raised any questions, or you think your firm may require assistance, please contact either Martin Schofield via martin.schofield@complyport.co.uk or Jan Hagen via jan.hagen@complyport.co.uk to book in a free consultation.
About Complyport
Complyport is the City’s market leading consulting firm supporting the UK financial services industry for over 20 years. We specialise in providing Governance, Risk and Compliance services to support the regulated financial services industry to raise standards and thrive.
Complyport advises and assists firms to become authorised and to comply with the rules and requirements of regulators on an ongoing basis. Our vision is to be there for our clients every step of the way, helping them change, grow, and excel through expertise, insight, and innovation, and in so doing to become our clients’ most valued supplier and trusted advisor.
We have successfully assisted over 1000 firms to become authorised with the FCA and EU and are providing regulatory support to over 600 regulated firms on an ongoing basis globally. With presence in the UK and EU, as well as via our Associates Network, Complyport can assist firms across multiple jurisdictions.
Complyport’s multidisciplinary consultants possess deep expertise in their field, having acted in FCA skilled person reviews, as expert witnesses in legal cases and as expert investigators for firms or their legal advisers.
Day to day, we conduct audits and reviews of a firm’s products, processes, policies, and procedures to identify scope for business, to determine the impact of regulatory developments and to verify compliance with local regulations. Our clients tell us we live our values; we are driven, agile and collaborative.
