In September 2022, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) reached settlements totalling around $1.8billion with 12 of Wall Street’s leading investment banks. The settlements resulted from the banks’ failure to monitor employees’ use of unauthorised messaging apps, like WhatsApp, with colleagues and clients.
Speaking on this is Harriet Christie, chief operating officer at MirrorWeb. MirrorWeb helps organisations meet their compliance and digital preservation needs. The cloud-based, unified compliance platform supports firms in meeting the record-keeping requirements imposed by regulators like the SEC, FINRA and the FCA.
The platform captures all electronic communications including email, social media, websites, instant messaging, SMS and WhatsApp. The user can monitor and supervise all communications, as well as apply lexicon policies, export content and refine searches.
Two years after joining the company as a key account manager in 2018, Christie was appointed COO in 2020. Since then, she has helped oversee the evolution of the MirrorWeb product and service offering, as well as the business’ impressive growth.
Speaking to The Fintech Times, she explains how organisations and employees should go about using communication platforms while being compliant with regulations:
Financial services’ inconvenient need for WhatsApp archiving
The prominent institutions, which included Morgan Stanley, Citigroup, Goldman Sachs and Bank of America, were penalised for failing to monitor employees’ use of unauthorised messaging apps with colleagues and clients. One of these was WhatsApp.
The probe followed on from JP Morgan’s $200million fine in December 2021, with the floodgates apparently opening. Authorities seem to have used that initial $200million settlement figure as a yardstick for the industry. It signifies the end of an unofficial grace period afforded to firms adapting to the pandemic.
Such monumental penalties have, of course, had a seismic impact on the financial services landscape. Repercussions reached far beyond the behemoths evidently being made an example of. But how did we get to this stage? How can firms address the employee behaviours which are clearly no longer going to be tolerated?
What’s up with WhatsApp?
The SEC mandates that banks maintain records of all communication between clients and brokers. Private exchanges, like those occurring through WhatsApp, are far more difficult to monitor. The likelihood of data being compromised only increases as personal devices are introduced to the equation.
It’s important to note that the issue here is not with WhatsApp itself. The same concerns apply with WeChat, Telegram, and other ‘ephemeral’ messaging apps. The issue is the difficulty in documenting communications on these encrypted platforms. The subsequent contravention of record-keeping requirements is problematic.
Phone call fatigue
Until relatively recently, consumers had limited options available to them if they wanted to reach out to a regulated firm. To discuss their bank account, for instance, they’d need to either get on the phone or head over to their local branch for a personal discussion. Now, they are able to communicate with the organisation through a multitude of digital channels.
It’s not just an option, but a preference. WhatsApp, Facebook Messenger and Telegram were among the most downloaded apps in Q1 2022. WhatsApp itself has an astronomical two billion active users worldwide. According to Forbes, 93 per cent of US consumers want to communicate via text message, with speed, ease of use and (consumer) familiarity with the platforms proving decisive advantages.
This works both ways. It’s also easier and more efficient for employees to communicate through tools that they’re familiar with using in their day-to-day life, than one provided by their employer.
The disruption of the covid-19 pandemic led to far greater reliance on messaging apps, as physical proximity, even with colleagues, was prohibited. In 2019, 68.1 million US mobile phone users accessed WhatsApp to communicate. This figure is projected to grow to 85.8 million users in 2023. A by-product of this reliance on new digital channels was an escalation in the number of workers using personal phones or tablets for business, as lines began to blur and professional and personal lives intertwined.
Employees are more likely to act casually when working remotely, whether that means taking longer breaks or messaging clients or colleagues through an unauthorised channel. Having been allowed to set in over a sustained period, these communication habits are now very difficult to shift back to a pre-covid level, especially given the inherent convenience and usability that employees have become accustomed to.
Paying the bill
JP Morgan’s $200million fine in December 2021 was the first significant penalty in a probe that has also impacted the aforementioned dozen leading investment banks to the tune of $1.8billion. The SEC’s crackdown has since continued to expand, as Wall Street’s private equity giants have revealed that they’re under investigation.
The enforcement unit has also launched enquiries about smaller Registered Investment Advisor (RIA) protocols for ‘off-channel’ business communications. RIAs are subject to the same regulations as the larger firms that were previously penalised, so while they may have been spared the ambush of the initial investigations, they should be mindful that they’re in the regulators’ crosshairs nevertheless.
The situation leaves business leaders and compliance teams in a quandary. Should they sacrifice convenience and operational efficiency in the pursuit of compliance, banning messaging apps outright and instead relying on the tried and tested solutions of email, phone calls and, to a lesser extent, social media?
This is probably a tempting option given the enormity of the penalties being administered. It has certainly been the more popular approach given that, in July 2022, just 15 per cent of financial firms were monitoring WhatsApp.
But it’s not quite that simple. Banning employees from using particular channels doesn’t necessarily mean that all risks are eliminated. The prohibition of helpful tools will probably lead to disgruntled employees and “compliance gaps” in the workplace. The safer option is for business leaders to understand the platforms that employees and consumers prefer to use. Then, they can develop suitable policies accordingly.
Ultimately, if employees want to use unauthorised apps, they will do so. That is of course unless a supervisory procedure is in place to police it correctly. This has had immense repercussions for the likes of Goldman Sachs, Bank of America et al, who have not succeeded with this step, despite their resources.
Can WhatsApp be monitored?
The preferable option here is surely to empower staff to utilise the platforms with which they’re most comfortable. This minimises limitations wherever possible.
To achieve compliance on encrypted platforms like WhatsApp, business leaders must ensure they can capture, preserve, and monitor conversations. This is easier said than done, and the process has historically been a source of great difficulty. However, in recent years, new solutions have been developed specifically to tackle this emerging necessity.
Much as they had previously for social media platforms, digital archiving vendors have built the technology to capture and archive communications data, especially from apps like WhatsApp, WeChat, Signal and Telegram. This rescues business leaders from the frustration of having to choose between efficiency and compliance. Both can now co-exist very peacefully.
Crucially, firms can also allocate secondary numbers on personal devices. This allows employees to differentiate between business and non-work-related contacts, and capture pertinent data accordingly. This means that privacy can also be maintained despite heightened levels of professional scrutiny.
It would be counter-intuitive to ignore the rising demand for encrypted messaging apps in the workplace. Thankfully, businesses no longer have to.