The recent $200m fine served to a top tier bank reminds us that compliance through policy alone is not adequate as a compliance strategy for supervisory oversight.
Regulators are clear: digital communications channels used by regulated representatives must be monitored, or firms must block prohibited channels that prevent them from complying with record keeping requirements.
Insufficient supervision and weak record keeping of digital communications is no longer an option – as demonstrated by the colossal $200m fine.
The SEC, FINRA, and other regulators such as the FCA in the UK and ESMA in Europe are intensifying their enforcement of compliance breaches surrounding uncontrolled e-communications. In fact, in their 2022 Examination and Risk Monitoring Program report, released on February 9th, FINRA focuses in detail on the risks surrounding digital communications.
Yet, there are still many financial firms that are not monitoring key eComms channels such as WhatsApp, which also lack the technology they need to ensure that prohibited channels aren't being used or that policies are being adhered to.
What are the WhatsApp and Digital Communications Compliance rules?
Often referred to as the "Books and Records" and/or "Communications with the Public" rules, these obligations require firms to create and preserve, in an easily accessible place, originals of all communications received and sent relating to its business. They also require firms to maintain and implement comprehensive procedures for the supervision of communications.
Record keeping and supervision rules are relatively straightforward to manage when it comes to email and desk phone communications, which used to be the two main methods for business communications. However, the advent of instant messaging channels like WhatsApp, Signal, and Telegram and the sheer volume of communications data has complicated manners.
The rules were also easier to manage before the Covid-19 pandemic where flexible working was a rarity within financial services. Many firms saw the use of eComms channels skyrocket during the pandemic as employees turned to digital platforms to communicate.
Electronic communications channels are constantly changing, and new platforms pose a big risk for firms’ compliance teams as they represent new places where regulated representatives can hold unmonitored conversations that need to be captured.
Consequently, WhatsApp compliance and the monitoring of digital communications channels has become a significant challenge and resulted in several news headlines and fines:
WhatsApp related headlines
December 2021: Top tier bank hit with $200 million in fines for letting employees use WhatsApp
June 2021: Staff of top tier bank ordered to save the last 3 years of text and chats from personal devices
October 2020: Two top commodities traders lose jobs over the use of WhatsApp
October 2017: Trader banned for 4 months by Hong Kong securities watchdog for using a mobile phone and WeChat messaging to accept orders
June 2017: Large bank bans widely used text-messaging programs for business use
December 2015: Hong Kong SFC suspends former trader who took orders over WhatsApp - breaching company internal control policy
The large WhatsApp record keeping failure
The unusually large record keeping fine of £200m for a WhatsApp compliance breach was given to the Tier-One Bank because employees had, since 2015, carried out work-related communications with clients on WhatsApp despite the corporate policy prohibiting its use. These failures were firm-wide and were not hidden. Even managing directors and other senior supervisors who were responsible for implementing and ensuring compliance used their personal devices to communicate about the firm’s securities business.
“[the bank] admitted that from at least January 2018 through November 2020, its employees often communicated about securities business matters on their personal devices, using text messages, WhatsApp, and personal email accounts. None of these records were preserved by the firm as required by the federal securities laws.” – SEC press announcement about the enforcement action taken against the bank.
To comply with relevant communications record keeping rules, financial firms need to:
Monitor new channels Firms need to monitor new communication channels used by regulated representatives.
Define and enforce what is permissible and prohibited Firms must have in place clear policies that permit or prohibit the use of digital communication channels.
Where a channel is prohibited, the firm needs to be able to demonstrate adherence to that policy.
Implement supervision Firms must have in place supervisory procedures tailored to each digital communication channel.
Train internal staff on digital communications compliance This should be offered before providing access to firm-approved digital channels and should include expectations for digital communications and guidance around permitted and prohibited channels.
Demonstrate enforcement action Firms need to act where certain channels or registered representatives do not comply with policies and set out remedial actions.
However, while it is possible to monitor data from channels like WhatsApp, iMessage, and other eComms platforms through modern technologies, many firms feel that they cannot justify the large investment it would require.
In these situations, the standard practice has become to ban the use of these channels through a corporate policy. However, this has its own set of challenges as well as risks. Just because a platform like WhatsApp is prohibited, it does not mean that the platform isn’t being used, as evidenced by the recent news stories.
There is no golden rule or easy way to comply with digital communications rules within financial services given the continuously evolving landscape. However, there are some key steps firms can take to make sure they have comprehensive procedures in place for digital communications, and one of the most important factors is combining policy with technology.
Combining policy and technology
Policies will always have an important role to play in compliance. However, policies on their own without enforcement or monitoring of policy breaches are not sufficient.
To do this, firms require a platform that can generate alerts when words like “ill msg you on WhatsApp” or “Got a tip, I’ll ping you on Signal” are used together. The good news is that this can be done through a surveillance lexicon, which is a piece of technology financial services compliance and supervision has relied on for decades.
Modern lexicons enable firms to set up alerts and watches for phrases that include "WhatsApp" and other eComms channels. However, it is worth noting that not all lexicons have this capability as some are not up to date with modern ways of communicating
WhatsApp compliance and the ability to supervise the use of eComms channels, both new and existing, has never been more important. Thankfully, technology has evolved and there are new options for how firms can address their WhatsApp compliance challenges.
Technology can be used to ingest eComms channels like WhatsApp, Signal, or Telegram, but it is also possible to overlay policy with lexicon technology to monitor the intent among employees to use unauthorized communication platforms. The most important thing is that firms don't purely rely on a policy when we know, through experience, that this alone doesn't work.
How can SteelEye help?
Our platform helps firms comply with record keeping and monitoring rules under SEC 17(a), SEC 31a-2 and 204-2, and FINRA Communications Rules (2210, 2212–2216). The SteelEye platform captures electronic records and communications from a wealth of eComms, vComms, and traditional channels and stores those records compliantly in a tamper-proof WORM (write once, read many) format. With SteelEye, firms can monitor, manage, and control all their data and communications data globally on a single platform. We also provide advanced surveillance algorithms that identify early warning signs of misconduct whilst reducing false positives, so that bad actors can be stopped before any financial crime or misconduct has taken place.