
Crackdown on big bank chat apps reveals policy flaws and monitoring issues

U.S. financial regulators have hinted that they will focus on employees who utilize unauthorized electronic communication channels to discuss business-related concerns in an upcoming extensive enforcement sweep against Wall Street banks. Collectively, the incidents highlight how financial services companies must strengthen their monitoring and record-keeping responsibilities.

More than a few institutions, including Bank of America, Barclays, and Morgan Stanley, have reported agreements to pay up to $200 million in relation to employees' work interactions on unauthorized messaging platforms and recordkeeping errors. According to a Wall Street Journal story, the fines should be made public by the end of the government's fiscal year on September 30. Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs, and UBS are some of the other institutions targeted by the investigation.

In public remarks made in October of last year, Gurbir Grewal, the director of the Securities and Exchange Commission's (SEC) Enforcement Division, cautioned financial institutions to "be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps."

Failures to preserve and produce electronic communications "delay and obstruct investigations," and "raise broader accountability, integrity, and spoliation issues," he continued.

In response to its employees' use of messaging services like WhatsApp and personal email accounts to communicate about securities business matters, JPMorgan Chase became the first bank to pay $200 million—$125 million to the SEC and $75 million to the Commodity Futures Trading Commission (CFTC)—two months after Grewal's speech.

The SEC expressed its displeasure with JPMorgan's recordkeeping shortcomings in particular because they hindered the staff's "ability to carry out its regulatory functions and investigate potential violations of the federal securities laws across these investigations," according to the agency's order. "The commission was often deprived of timely access to evidence and potential sources of information for extended periods of time and, in some instances, permanently."

According to the directive, SEC officials could only find proof and information sources through intermediaries.

According to John Lukanski, a partner at the law firm Reed Smith, "If you read the JPMorgan order, you can tell the regulators were upset about how things went down." According to him, regulators want to be sure they have all the information necessary to carry out a complete inquiry.

Regulators will not be pleased if staff members are interacting through forbidden channels and they are only made aware of the presence of specific papers through the subpoenaing of third parties, Lukanski continued.

"That is a big driver in all of this," he continued. It is "low-hanging fruit" on an industry-wide scale.

Grewal emphasized in his remarks that "a proactive compliance approach requires market participants to not wait for an enforcement action to put in place appropriate policies and procedures to preserve these communications and anticipate these emerging challenges."

Prudent financial organizations already have established policies and procedures that expressly ban personnel from communicating with clients and customers via unapproved technological channels. This was the situation with JPMorgan Chase and several other banks who were preparing for SEC and CFTC enforcement.

The key takeaway for compliance professionals is that policies and procedures alone cannot solve the fundamental issue, which Ken Joseph, managing director and head of Kroll's financial services compliance and regulation practice for the Americas, defined as an "inherent and ongoing tension" between financial firms' recordkeeping requirements and the realities of how people actually prefer to communicate today.

According to Joseph, global banks are at increased risk of regulatory action because foreign-based advisers and clients frequently favor messaging apps like WhatsApp and WeChat. Because of this, he added, financial institutions must walk a regulatory tightrope, finding the correct balance between adhering to recordkeeping standards and remaining aware of commercial realities.

Companies cannot realistically stop all employees from communicating off-book securities business issues through unauthorized methods. According to Lukanski, "what firms can do is set up reasonable supervisory systems to catch it."

It would be prudent for a company to take steps to enforce any policies and procedures that forbid employees from using a certain channel of communication, Lukanski continued. He said that companies would be doing themselves a disservice if they told workers, "You’re only allowed to use these [communication channels]," and then put their head in the sand about what employees are actually doing.

For instance, the SEC's order against JPMorgan stated that despite having supervisory policies in place that "tasked supervisors with ensuring that employees completed training in the firm’s communications policies and adhered to JPMorgan’s books and recordkeeping requirements," the bank "failed to implement a system of follow-up and review."

Supervisors must set the tone, said Joseph. "To the extent they themselves are noncompliant with the firm’s policies related to use of approved channels to communicate, that is problematic not only for themselves but the entity involved." 

In addition to outright barring some channels, recordkeeping difficulties can also be more successfully addressed by implementing systems capable of recording and archiving electronic communications. To deal with these regulatory problems, several financial institutions have started using more modern monitoring systems.

According to the Movius website, a few companies require their employees to download Movius, a mobile app that enables compliance departments to monitor calls and texts, including WhatsApp conversations, across mobile and desktop devices. JPMorgan, Deutsche Bank, UBS, Julius Baer, Jefferies, and Cantor Fitzgerald are just a few of the companies that do this.

JPMorgan put $45 million into Movius because it had such a strong belief in the product.

Financial services companies are discovering that both clients and staff want to be able to connect easily on mobile devices. According to Larry Feinsmith, managing director and head of global technology strategy, innovation, and partnership at JPMorgan, this strategic investment in Movius will help reduce friction and better enable employees to be more productive and interact securely via their mobile devices.

Financial institutions should be aware of all the different messaging apps available today when working with third-party vendors because they need to be archived as well as monitored and evaluated for regulatory compliance.

Other well-known messaging services besides WhatsApp and WeChat include Element, Google Chat, LINE, Signal, Snapchat, Telegram, and Wire. Remember, too, well-known social media communication platforms like Twitter, LinkedIn, Facebook Messenger, and Slack.

According to Rieko Moody, a surveillance subject matter expert at Shield, a provider of communication compliance platforms, "there are all these other new ways of communicating."

Because no monitoring or surveillance system is flawless or error-free, Joseph advised that you "consider asking for periodic certifications from firm personnel attesting they’re using only firm-authorized systems to communicate business matters." This question might also be asked in yearly staff surveys.

The possibility of personal culpability is expected to increase as financial authorities increase their pressure on businesses to comply with their regulations. Consider the HSBC trader who was let go in June after the company's compliance team discovered messages on his phone showing a broker had purchased the trader tickets to a sporting event, according to the Financial Times.

Another instance was a senior Credit Suisse investment banker who was fired for communicating with clients via prohibited messaging apps, despite the fact that the bank had not discovered any improper information being shared, according to several sources.

The main conclusion is that regulators are now more focused than ever on these compliance lapses. According to Lukanski, if a company learns that one of its employees is using an unauthorized electronic communication channel to discuss business, "it has to have strict processes to shut it down. You can’t let it go on with a wink and a nod knowing this shouldn’t be happening."


