Regulating record-keeping practices, whilst important, has not always been a top priority for financial services regulators around the world—especially as the monitoring of such activity (to a greater or lesser degree) is examined through the lens of data protection legislation. However, regulatory approaches are changing: the U.S. Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) are beginning to heavily fine firms for failing to effectively retain communications made through unofficial or less traditional channels. This much-needed wake-up call has prompted other regulators around the world, including the Financial Conduct Authority (FCA), to begin taking an interest.
Mobile Messaging – Concerns and Risks
In 2020, the SEC issued its first ever fine related solely to text messaging, charging a firm for failing to record and preserve business-related text messages sent and received by its representatives on their mobile devices. Regulatory bodies are concerned about such messages, and the increase in their use, for a number of reasons, including:
- Risk of informal, quasi-social contact mixing with business discussions, engaging legal liabilities or regulatory obligations
- Associated risk that these channels may be deliberately used to facilitate activities such as collusion, market abuse, or breaches of anti-trust law
- Risk of data leakage (e.g., inside information, personal data)
- Firms’ inability to provide regulators with complete records, impeding effective supervision and/or regulatory enquiries or investigations
- Data security risks
- Risk of losing access to and control of relevant work-related data held on personal devices when an employee leaves the business
- Firms’ inability to control and monitor for compliance and data loss
- Where the practice is widespread, the potential for senior personnel with responsibility for compliance to be implicated in breaches of the firm’s policies
Even before the pandemic blurred the lines between home and work, many global regulators had been raising concerns about employees’ increasing use of different forms of mobile messaging. Applications such as WhatsApp, Telegram, WeChat, Signal, and Slack provide convenient, free, and immediate channels to communicate with colleagues, clients, and business partners.
In response to the rise of remote working, the FCA’s Market Watch 66 newsletter warned firms that misconduct risk may increase as unmonitored or unencrypted communication apps are used more widely for in-scope activities on business devices. It also reminded firms that such communications should be recorded and auditable. Without effective recording and monitoring, firms risk losing the evidence required to resolve disputes with clients, or to provide factual confirmation of decisions and actions taken on behalf of clients if required to do so.
Whilst confirming there was no specific restriction on the technologies firms can use for communications, the FCA stressed that firms need robust and effective policies, controls, and oversight to ensure that their regulatory recording obligations are met.
Reprisals from regulators
In 2018, the FCA prosecuted former banker Konstantin Vishnyak, who had deleted his WhatsApp chat history from his phone shortly after being arrested. The FCA argued that Mr Vishnyak “knew or suspected” that FCA investigators would want to review the data held on his WhatsApp in connection with their insider dealing investigation. Whilst he was found not guilty, the case showcased the FCA’s willingness to act whenever evidence it needs is tampered with or destroyed, no matter where such evidence is recorded. The regulator is currently prosecuting Craig Whyte for failing to provide passwords for various laptops and phones seized under warrant.
Evidence of the value of monitoring and keeping records of messaging channels can be found in the recent damning report on a group of Metropolitan Police officers who exchanged a range of shocking messages, from violence against the public to hitting and raping women. Had the messaging system not recorded and monitored the messages exchanged, this report would not have been produced, and this culture of misogyny, and potentially violent tendencies, amongst certain groups of police officers would not have been uncovered. For firms within the financial services sector, the equivalent might be uncovering illicit activity, the exchange of confidential information, or data leakage.
These cases remind firms that deleting messages on social messaging apps on a sender’s device (personal or business) does not necessarily delete them from the correspondent’s or receiving device. Regulators can—and have—obtained communications from third parties that evidence numerous messages received or sent through unapproved channels on the personal devices of a firm’s employees. One such example is the SEC’s 2021 cease-and-desist order against two Florida men and their Cayman Islands company for unregistered sales. The order also mandated a comprehensive review of the framework for addressing non-compliance by employees. This included policies and procedures concerning the past use of personal devices to communicate about business, and an evaluation of whether internal penalties for offenders had been handed out consistently across business lines and senior management.
Firms should also note that the rules the regulatory bodies want to put in place are not meant merely to punish non-compliance, but also to protect firms from external cybersecurity risks. For example, in 2021 Check Point reported over 130 cyberattacks that used malware managed over Telegram, intercepting messages that were exchanged on a channel that was not end-to-end encrypted. Attacks like these can weaken a firm’s security and leave confidential information vulnerable.
What can firms do?
Many contemporary regulatory concerns echo issues that arose around the use of text messaging in the early 2000s and the misuse of chatrooms associated with the LIBOR (2012) and FX (2013) trading scandals. To avoid a repeat of misconduct on that scale, most firms have policies that ban the use of unapproved communication methods by employees for business purposes.
However, the use of messaging apps is now so common that message volumes are far higher than in earlier decades, and the tide of change in communication preferences is unlikely to be held back. The speed and ease of use of messaging apps can also make it difficult to differentiate between personal and business-related content, meaning that lines are easily blurred. The exponential growth and use of these apps will make it difficult to blame employees for using them to communicate with clients—especially in jurisdictions like the UK, where there is regulatory focus on the importance of communicating with retail customers using their preferred channels.
Nonetheless, firms must take all reasonable steps to preserve data where channels have been used inside and outside of their communications policy. Many firms are now introducing firm-sponsored software solutions that preserve messages sent or received for business purposes—even on employees’ personal devices. Additionally, Market Watch 66 notes: “Senior Managers have an important part to play in establishing and embedding the right culture and governance within firms to continuously improve the standard of conduct at all levels.”
Other mitigation steps firms can take include:
- Reviewing and refreshing policies and procedures for the use of personal devices and/or text or social messaging apps for business related communications
- Seeking individual attestations from employees regarding their awareness of and compliance with relevant policies
- Sending reminders to staff and offering additional compliance training tailored to the issue
- Offering specific training for senior managers, including compliance staff, about the importance of setting an example
- Proactively implementing monitoring or spot-checks to provide assurance that record-keeping and communications policies are being followed
- Implementing a review by internal audit or compliance where potential issues are detected
- Addressing breaches/non-compliance with the firm’s HR/Disciplinary policies and procedures related to the use of personal devices to communicate the firm’s business
- In response to regulatory requests, searching for, requesting, and producing relevant messages sent or received through unapproved communication methods and located on employees’ personal devices (noting the possible data privacy issues this raises)
Looking forward
In the hybrid workforce, it is imperative that a company’s infrastructure can support communication systems for their employees wherever they are located whilst remaining compliant with relevant laws and regulations.
This requires careful consideration of these laws and regulations before investing in technology that is specific to the business’ needs. This could help organisations build an infrastructure that is compliant and will support flexibility for its customers and employees. Moreover, this will contribute to an infrastructure that’s secure and reliable and able to connect staff and business applications around the world.
Firms and their employees must remind themselves that it is not always the tools of communication but instead the substance of that communication that governs whether it is subject to compliance regulations and laws. Importantly, management and compliance teams should not be exempt from the need for training in compliance requirements. Firms must not lower their guard against such violations—and when problematic conduct is discovered, action to correct it must be taken.