Crackdown on big bank chat apps reveals policy flaws and monitoring issues

U.S. financial regulators have hinted that they will focus on employees who utilize unauthorized electronic communication channels to discuss business-related concerns in an upcoming extensive enforcement sweep against Wall Street banks. Collectively, the incidents highlight how financial services companies must strengthen their monitoring and record-keeping responsibilities.

More than a few institutions, including Bank of America, Barclays, and Morgan Stanley, have reported agreements to pay up to $200 million in relation to employees' work interactions on unauthorized messaging platforms and recordkeeping errors. According to a Wall Street Journal story, the fines should be made public by the end of the government's fiscal year on September 30. Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs, and UBS are some of the other institutions targeted by the investigation.

In public remarks made in October of last year, Gurbir Grewal, the director of the Securities and Exchange Commission's (SEC) Enforcement Division, cautioned financial institutions to "be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps."

Failures to preserve and produce electronic communications "delay and obstruct investigations," and "raise broader accountability, integrity, and spoliation issues," he continued.

In response to its employees' use of messaging services like WhatsApp and personal email accounts to communicate about securities business matters, JPMorgan Chase became the first bank to pay $200 million—$125 million to the SEC and $75 million to the Commodity Futures Trading Commission (CFTC)—two months after Grewal's speech.

The SEC expressed its displeasure with JPMorgan's recordkeeping shortcomings in particular because they hindered the staff's "ability to carry out its regulatory functions and investigate potential violations of the federal securities laws across these investigations," according to the agency's order. "The commission was often deprived of timely access to evidence and potential sources of information for extended periods of time and, in some instances, permanently."

According to the directive, SEC officials could only find proof and information sources through intermediaries.

According to John Lukanski, a partner at the law firm Reed Smith, "If you read the JPMorgan order, you can tell the regulators were upset about how things went down." According to him, regulators want to be sure they have all the information necessary to carry out a complete inquiry.

Regulators will not be pleased if staff members are interacting through forbidden channels and they are only made aware of the presence of specific papers through the subpoenaing of third parties, Lukanski continued.

"That is a big driver in all of this," he continued. It is "low-hanging fruit" on an industry-wide scale.

Grewal emphasized in his remarks that "a proactive compliance approach requires market participants to not wait for an enforcement action to put in place appropriate policies and procedures to preserve these communications and anticipate these emerging challenges."

Prudent financial organizations already have established policies and procedures that expressly ban personnel from communicating with clients and customers via unapproved technological channels. This was the situation with JPMorgan Chase and several other banks that were preparing for SEC and CFTC enforcement.

The key takeaway for compliance professionals is that policies and procedures alone cannot solve the fundamental issue, which Ken Joseph, managing director and head of Kroll's financial services compliance and regulation practice for the Americas, defined as an "inherent and ongoing tension" between financial firms' recordkeeping requirements and the realities of how people actually prefer to communicate today.

According to Joseph, global banks are at increased risk of regulatory action because foreign-based advisers and clients frequently favor messaging apps like WhatsApp and WeChat. Because of this, he added, financial institutions must walk a regulatory tightrope, finding the correct balance between adhering to recordkeeping standards and remaining aware of commercial realities.

Companies cannot realistically stop all employees from communicating off-book securities business issues through unauthorized methods. According to Lukanski, "what firms can do is set up reasonable supervisory systems to catch it."

It would be prudent for a company to take steps to enforce any policies and procedures that forbid employees from using a certain channel of communication, Lukanski continued. He said that companies would be doing themselves a disservice if they told workers, "‘You’re only allowed to use these [communication channels]’ and then put their head in the sand about what employees are actually doing."

For instance, the SEC's order against JPMorgan stated that despite having supervisory policies in place that "tasked supervisors with ensuring that employees completed training in the firm’s communications policies and adhered to JPMorgan’s books and recordkeeping requirements," the bank "failed to implement a system of follow-up and review."

Supervisors must set the tone, said Joseph. "To the extent they themselves are noncompliant with the firm’s policies related to use of approved channels to communicate, that is problematic not only for themselves but the entity involved." 

In addition to outright barring some channels, recordkeeping difficulties can also be more successfully addressed by implementing systems capable of recording and archiving electronic communications. To deal with these regulatory problems, several financial institutions have started using more modern monitoring systems.

According to the Movius website, a few companies require their employees to download Movius, a mobile app that enables compliance departments to monitor calls and texts, including WhatsApp conversations, across mobile and desktop devices. JPMorgan, Deutsche Bank, UBS, Julius Ba