Swingeing penalties levied by the US SEC and the CFTC on financial firms for failures to maintain and preserve written communications made through unofficial channels should be a wake-up call for firms across the globe. The SEC is now undertaking a raft of additional investigations into record preservation practices at financial services firms, and other global regulators, including the UK FCA, are also taking an interest.

Even before lockdown blurred the lines between home and work, many global regulators had been raising concerns about employees' increasing use of mobile messaging applications such as WhatsApp, Telegram, WeChat, Signal and Slack, which provide convenient, free and more immediate channels for communicating with colleagues, clients and business partners.

The SEC fines in September 2020 and in December 2021 related to failures to preserve business-related text or WhatsApp messages exchanged by employees (including senior management) with each other, customers and other third parties, on their personal devices, in breach of the firms' own policies. Because the messages were not retained on the firms' sponsored systems, when the SEC requested records in relation to one or more ongoing investigations or inquiries, the firms were unable to produce them, even though the SEC found that senior management, including compliance personnel, knew that WhatsApp messages were being used for business communications.

1. Why do the regulators care?

Put briefly, regulators' concerns include:

  • the risk that more informal, quasi-social contacts slide inadvertently into business discussions, which engage legal liabilities or regulatory obligations;
    The FCA has confirmed taking action against individuals and firms for misconduct which involved the use of WhatsApp and other social media platforms to arrange deals and provide investment advice. This included transmitting lists of trades to copy ('trading signals') and making other investment recommendations to clients. The FCA stressed that without effective recording and monitoring, firms risked the loss of evidence to resolve disputes between a firm and its clients over transaction terms.
  • the risk of data leakage, including of inside information, client confidential information or personal data;
    A Final Notice issued by the FCA to Christopher Niehaus in 2017 provides an example of a banker who disclosed client confidential information in WhatsApp conversations both with a personal acquaintance and with a friend who was also a client of the firm. The information was not disclosed for the purpose of it being used by the recipients, but because the banker wanted to impress them. These instances were in fact recorded.
  • data security risks:
    In 2021, Check Point reported both that a rogue Netflix-bypass app on Google's Play Store was using Android's notification listening service to intercept incoming WhatsApp messages and automatically reply to them with malware-laced attachments and links; and also that it had tracked 130 cyber-attacks that used malware managed over Telegram. In addition, the fact that Telegram's ordinary chats are not end-to-end encrypted by default (only its optional "secret chats" are) has been called out as weakening its security: messages in ordinary chats are readable on Telegram's servers, not just on the two endpoints.
  • firms' inability to control and monitor for compliance and data loss;
  • the concomitant risk that these channels may be being deliberately used to facilitate collusion, market abuse, or other misconduct by employees;
    The advent of mass remote working prompted the UK FCA to warn firms of potentially increased risks from misconduct, calling out the potential for increased use of unmonitored or unencrypted communication apps for in-scope activities on business devices, and a reminder that such communications should be recorded and auditable. Whilst confirming there was no specific restriction on the technologies or apps firms can use for communications, the FCA stressed that firms need robust and effective policies, controls and oversight to ensure that their regulatory recording obligations are met.
  • firms' inability to then provide regulators with complete records, thus impeding effective supervision and/or regulatory enquiries or investigations;
    The FCA prosecuted former banker Konstantin Vishnyak. Mr Vishnyak had deleted his WhatsApp chat history from his phone shortly after being arrested at his home on 2 September 2018. The FCA argued that Mr Vishnyak "knew or suspected" that FCA investigators would want to review the data held on his WhatsApp in connection with their insider dealing investigation. The jury found him not guilty in 2020. The FCA expressed disappointment with the outcome but stressed it would take action whenever evidence it needs is tampered with or destroyed. Currently, the FCA is prosecuting Craig Whyte for failing to provide passwords for various laptops and phones seized under warrant.
    In September 2020, the SEC fined a broker-dealer for failing to preserve business-related text messages (including size of orders, timing of trades, pricing of securities) exchanged by several of its registered representatives, including senior management, with each other, customers and other third parties, on their personal devices, in breach of the firm's policies. Because the text messages were not retained on one of the firm's sponsored systems, when the SEC requested records in relation to an ongoing investigation of a third party, the firm failed to produce these messages, even though senior management, including compliance personnel, knew that text messages were being used for business communications (as they themselves sent and received them).
    It is also worth noting that deleting a message from a messaging app on a personal device removes only the local copy; the counterparty's device, and any backup or server-side copy, still holds it. The SEC's 2021 Cease and Desist order mentions that the SEC obtained communications from third parties that reflected numerous messages received or sent through unapproved channels on the personal devices of firm employees.
  • the additional risk of losing access to relevant data held on personal devices used for work-related purposes when an employee leaves the business; and
  • where the practice is widespread, the potential for senior personnel with responsibility for compliance to be implicated in breach of firm policies.
    The FCA's Market Watch 66 highlighted the important part that individual Senior Managers have to play in establishing and embedding the right culture and governance within firms to continuously improve the standard of conduct at all levels. Having identified extensive discussions between and among senior-level executives, employees, customers, clients, third party advisers and other market participants, the SEC's cease and desist order of 17 December 2021 mandated a comprehensive review of the framework for addressing non-compliance by employees with policies and procedures concerning the use of personal devices to communicate about business in the past, including an evaluation of whether penalties were handed out consistently across business lines and seniority levels.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.