Misuse of personal devices at work

You may have seen an article we wrote in March this year on the risks associated with mobile messaging, and on how the regulation of record keeping practices at financial services firms is becoming a priority for the U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC). In the UK, the Financial Conduct Authority (FCA) has likewise warned firms of the increased risk of misconduct when unmonitored or unencrypted communication applications are used for business purposes.


Warning not heeded

Given the above, should it be news that the largest US investment banks are facing fines for failing to monitor employees who use unauthorised messaging apps? This year, Morgan Stanley is expected to pay a $200 million penalty over the use of unapproved personal devices and its failure to meet record keeping requirements.

This amount mirrors what JPMorgan Chase agreed to pay the SEC and CFTC over failures to maintain and preserve written communications. Bank of America and Goldman Sachs Group have also been in discussions with the regulators about paying similar amounts for matters connected to the unauthorised use of personal phones. In total, these fines look set to reach around $1 billion, not an insignificant haul for the SEC and CFTC, which have taken confident strides in enforcing their record keeping and supervision rules.


Follow the rules: it pays off

Financial institutions are required to scrupulously monitor communications about their business activities in order to head off improper conduct. This requirement, already challenged by the proliferation of mobile messaging apps, was strained further when firms sent workers home shortly after the start of the Covid-19 outbreak. Regulators require banks to keep records of all business-related communications, so financial firms typically ban the use of personal email, text messages and social media channels for work purposes. Employees do not always comply with those rules, and the rules are even harder to enforce when employees work from home, out of sight in their day-to-day activities.

In general, the following are needed in order to comply with the regulatory requirements:

  • Use only approved devices and communication channels for business communications
  • Keep adequate records of those communications and monitor them

Making sure that the appropriate company policies are in place, and that employees actually follow them, makes penalties like these far less likely. As technology changes, it is even more important that firms ensure their communications are appropriately recorded and are not conducted outside official channels, so that they do not escape the necessary supervisory and market oversight.