Channel bans and unclear plans
How are firms reacting to increased fines and emerging communication channels?
In December 2021, the SEC, in conjunction with the CFTC, issued J.P. Morgan Securities LLC with a cumulative $200 million fine for “widespread and longstanding failures by the firm and its employees to maintain and preserve written communications”.
As technology had developed, J.P. Morgan failed to adapt its recordkeeping controls to keep up with employees using “text messages, WhatsApp and personal email accounts” for business purposes. None of these communications were preserved by the firm, as required by federal securities laws.
This landmark fine laid the foundation for a wave of ensuing regulatory action, which has caused financial service organizations to take stock of the way they manage compliant communications. We asked compliance officers how they had adapted their approaches in light of the news.
In the wake of J.P. Morgan’s $200 million fine, a number of attendees at Global Relay’s roundtables confessed that they had banned certain communication channels, including WhatsApp, as a quick-fix way to show compliance with applicable recordkeeping rules.
One respondent said that, in light of recent enforcement activity, their firm was moving away from a bring your own device (BYOD) policy and was now bringing back the use of corporate phones.
WhatsApp and WeChat are prohibited for business purposes, but our firm will be rolling out dedicated devices to ensure surveillance for these communication channels.
Anonymous, Bank
We allow users to use WhatsApp and similar apps for communication. But email is the official channel for the organization.
Anonymous
Banning WhatsApp works if you provide alternative communication methods that are accepted internally within the company and externally with customers.
That being said, some industries such as Energy and Commodities rely more heavily on the use of WhatsApp, so banning in certain sectors may not be pragmatic. On the other hand, if you are able to find a technology vendor that provides stable technology to record/archive WhatsApp and you properly train, onboard, and monitor WhatsApp activity, there is no reason (budget aside) that you could not offer a compliant solution to record WhatsApp.
A trader can and will always have the option to use unrecorded applications to conduct business in violation of company policy, so providing a solution (even if not used frequently) to record WhatsApp in a compliant way should not be a ‘nice to have’ but a ‘must have’, even if you are not a regulated investment firm. I have seen corporates who are not regulated investment firms investing in this space, and this trend will only continue to grow as proliferation of WhatsApp use for business communications grows.
Eren Erman, Global Head of Compliance Technology, TP ICAP
Despite more than 50% of respondents having banned WhatsApp, WeChat, and other digital messaging channels, only 2.6% said that they strongly believed that channel bans are an effective solution for compliant communications, with 12.8% somewhat agreeing that they can be effective, and 28.2% remaining unsure about their efficacy.
56% of respondents said that they do not believe channel bans to be an effective solution. One respondent said that they had imposed bans on certain channels, but were unsure and unable to monitor whether that ban was effective.
We ban the use of personal devices, but we have no way of monitoring whether this is being adhered to.
Channel bans are often touted as a solution for emergent digital communication because they provide the compliance team with a degree of control and show clear and tangible action in the event of a regulatory investigation. Despite showing action, however, these bans are often flawed or easy to circumvent, as recent regulatory enforcement has demonstrated.
In December 2022, FINRA issued a $1.5 million fine to an investment bank in which employees had “routinely exchanged text messages about firm business with each other”, despite text messages being prohibited as a communication channel.
In April 2023, FINRA again issued a fine to a firm that had ineffectively implemented a system to block iMessages on corporate devices. When the system failed, iMessages had been sent and received, but had not been captured or retained.
In March 2023, the U.S. Department of Justice said, in regard to communication channels and the use of third-party messaging applications, that it will soon be asking about “the electronic communication channels used by the business and their preservation and deletion settings”.
The DOJ is looking beyond blanket bans and hoping to see a degree of engagement with all methods of communication, even those that are restricted.
This is a commonly discussed theme within Global Relay’s roundtables, with many pondering the lengths to which a compliance officer must go to prove that they are managing compliant communications and channel bans. One attendee, a U.K.-based hedge fund, said that they had received legal advice that channel bans were “not ok” and that the compliance team will need further proof of efforts to prevent illicit communications.
During the investigation, if a company has not produced communications from these third-party messaging applications, our prosecutors will not accept that at face value.
They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws, among other things.
A company’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability.
Kenneth A. Polite Jr, Assistant Attorney General, United States Department of Justice
It is generally accepted that bans alone will not withstand regulatory scrutiny and that extra steps must be taken to show a viable compliance solution. Active steps that go beyond channel bans include setting up lexicon searches for terms such as “WhatsApp”, providing clear evidence that you have taken action where bans are not adhered to, or asking employees to take and disclose screenshots where off-channel comms do occur.
Opening up active lines of internal communication with employees, and fostering an environment of open information sharing, is another means to empower compliant communication.
In some instances, firms ask employees to sign attestations that they are not using certain channels. In another example, some run “communication amnesties” in which employees are encouraged to self-disclose any off-channel communications to the compliance team.
Anecdotally, some roundtable attendees have said that, when asking employees to sign attestations that they have not conducted business on off-channel messaging apps, some employees have said they are unable to sign.
In my experience, banks are managing this risk broadly in two ways.
Either they are seeking to prohibit by:
Implementing stricter policy, training, and a breach framework so consequences are clear
Conducting dip sampling and checking trader devices
Making sure front office employees are always in the office, so greater physical supervision can be undertaken
Or they are accepting WhatsApp will be used and capturing it by:
Installing software on personal devices and capturing the entire landscape of channels including WhatsApp/WeChat
Maintaining prohibition of other, non-approved comms channels
Issuing separate business devices with relevant apps captured in a hark back to the BlackBerry era – but at a cost
Checking a transaction so that all relevant comms are captured
Ultimately, in the second instance, individuals are given no excuses not to use compliant channels, and teams are given no excuses for not capturing a communication regardless of communication medium. All of these lead to being able to demonstrate to a regulator that every effort has been undertaken to comply.
Rob Mason, Director of Regulatory Intelligence, Global Relay