Will the UK and EU catch up with the US on recordkeeping?
At the time of writing, the majority of regulatory movement around the recordkeeping of communications has come from U.S. regulators and government departments.
Recordkeeping has proved the dominant theme in the majority of U.S. enforcement actions, from both the SEC and FINRA, and the U.S. has also published changes to numerous existing rules and regulations, tailoring them specifically for compliant comms.
These changes sit against a backdrop of pre-existing and well-rooted regulations and guidance for the use of business communications in the U.S.
In January 2023, the SEC made substantial amendments to recordkeeping Rule 17a-4, which obliges firms to ensure the retention and preservation of all transactions and official business records, including all communications. This is the first time the SEC has amended the Rule in 25 years, and it has done so with a view to modernizing the Rule and giving firms “flexibility to address new technologies, such as the cloud, that firms use to store records”.
In March 2023, the U.S. DOJ unveiled “significant” changes to its Evaluation of Corporate Compliance Programs (ECCP), expanding them to focus on “the use of personal devices as well as various communications platforms and messaging platforms”. Among other things, the DOJ said that, in the course of criminal investigations, it will be looking at how business-related electronic data and communications “can be preserved and accessed”. It will also be asking probing questions in the event of potential criminal activity, including whether the company is able to access third-party communications, where these communications are stored, and whether they meet applicable privacy and local laws.
At a Global Relay roundtable for U.K. Hedge Funds, one Chief Compliance Officer expressed a desire to see enforcement action from the FCA, noting that he sounds unconvincing when telling employees to behave in their messages while having little factual backing or precedent to suggest that the regulator will take punitive action if they do not.
In October 2022, CityAM reported that the FCA was holding discussions with a number of City firms in light of regulatory action in the U.S. A spokesperson for the FCA said:
We asked the industry whether, in light of these actions, they were worried about increased regulatory action in the U.K. Almost 50% said that they were anticipating action from U.K. regulators, but were acting in different ways to manage this expectation.
In April 2023, the Prudential Regulation Authority (PRA) censured a bank that failed to monitor WhatsApp for business. Industry critics have suggested this is a warning shot.
When considering what might happen next for compliant communication, 38.5% of respondents said that they are anticipating a change in direction from the FCA, and are taking proactive steps accordingly. 10.3% are also anticipating action but expressed concern that they are not prepared.
This broadly echoes comments made by some compliance practitioners at Global Relay’s U.K. Hedge Fund roundtable, some of whom said they are yet to put record retention policies in place.
I don’t think the U.K. and E.U. regulators are going to be as aggressive as the U.S.
Anonymous, Bank
Business monitoring on personal devices in the U.K. will not gain traction, in my opinion. We need to allow all chat platforms on work devices, which is likely the smartest play by capturing all chats.
Looking at the cadence of FCA visits, the last two rounds took place in 2014 and 2018. If it is to be assumed that the regulator was delayed by COVID-19, it is likely then that firms could see visits in 2023 or 2024. It is also anticipated that the FCA will first look to make an example of a firm, before moving on to others.
While there is a general sense of certainty that U.K. regulators will be next to act for compliant communications, there is skepticism about how far that regulatory action will go.
Regulatory experts predict the future of compliant communications in EMEA.
It’s a matter of time until the FCA fines someone for using off-channel comms.
Saying that, I think the fine that would be issued would be more aligned to comms and record-keeping breaches, and the use of personal devices would be one of several reasons for the fine.
Given some of the recent FCA fines in the AML and Trade Surveillance space, I think we can expect similar fines in the comms and record-keeping space in the near future, although I don’t see fines being as large as the recent SEC/CFTC fines issued for use of WhatsApp and Signal. The U.S. tends to fine higher than U.K. or Europe.
Eren Erman, Global Head of Compliance Technology, TP ICAP
It would be fair to assume that any U.K. regulatory visit would include some questions about complete comms capture, surveillance, and storage.
Given the high-profile nature of U.S. fines, it is a reasonable expectation of the regulator that firms will have directed some focus at this risk, and that a solution or enhancement has been deployed or is in flight.
Rob Mason, Director of Regulatory Intelligence, Global Relay