The rise and fall of Bring Your Own Device
Have Bring Your Own Device (BYOD) approaches changed in light of regulatory fines?
The operational benefits of Bring Your Own Device (BYOD) policies are well documented. From financial benefits to ease of use, BYOD prevails in a world that has seen considerable shifts towards more hybrid ways of working.
In response to regulatory enforcement action against firms that failed to preserve business communications made on employees’ personal devices, industry speculation suggested there would be a sharp shift away from BYOD to corporate-issued devices. According to survey responses, however, this perception is incorrect.
Since our 2023 Industry Insights Survey, the number of organizations that offer a BYOD model for business communications has risen by 17.1 percentage points, from 35.9% to 53%. Similarly, the number of firms issuing staff with corporate devices has decreased, from 25.6% in 2023, to 21.7% in 2024.
I am a little surprised that BYOD usage is still topping a shift to corporate device policy. What I have noted in many of my roundtables is that many firms are separating their corporate populations into high-risk and not so high – it is the high-risk monitored population that are all being moved to corporate devices and BYOD is good enough for the rest.
Alex Viall, Chief Strategy Officer, Global Relay
When broken down by jurisdiction, there is a clear divide in how financial organizations approach BYOD vs. corporate-issued phones. Notably, 54.5% of firms based in EMEA favor corporate devices. This is also true of 50% of global firms. Firms based in North America have a clear proclivity towards BYOD policies, with 63.4% noting that they use a BYOD model and monitor business-related communication channels. Only 11% of North American firms said that they give staff corporate devices.
We have always operated on corporate devices only for those in scope and risk relevant. The reason this is our preferred option is I expect the same reason people are either moving away or refreshing, which I expect is a synonym for ‘tightening’ up the rules, it is plainly about control.
Our corporate devices give us control on the channels in use and what they are used for. There is a big decision to be made by the industry regarding the surveillance of personal mobile devices. Especially as we have seen the U.S. regulators subpoena personal devices in recent times. Also, there are DPO issues to be considered in this context which acknowledge the different country requirements.
Martin Gaterell, Associate Director: Private Side Advisory with Monitoring & Surveillance, Unicredit GmbH
I guess I’m not surprised that BYOD is more popular with financial services firms in the U.S. Corporate devices versus BYOD really boils down to Three C’s – Cost, Compliance, and Convenience.
Regarding ‘Cost’ – corporate devices are much more expensive than BYOD. With respect to U.S. broker-dealers, the choice can usually be segregated easily by business model. Your large employee-based firms have distributed corporate devices. Whereas your independent contractors have adopted BYOD policies. Given that there is no empirical evidence that corporate devices are more compliant than BYOD, firms will choose the device that works best for their business model.
Regarding ‘Compliance’ – I think there used to be a perception that corporate devices were more compliant than BYOD. This is simply just not the case and firms now realize that both corporate and BYOD devices can be equally compliant.
With a corporate device, investment professionals can distinguish easily between their work phone and personal phone. Due to technological developments and compliant communication apps, the same can now be said for BYOD.
Regarding ‘Convenience’ – The financial professional wants to do whatever makes it easier for them to communicate with their clients. Now that the SEC has focused the spotlight on these communications, financial services firms have driven the point home with their representatives that compliance in this space is extremely serious. Now the representatives understand the seriousness but are saying – “make it easy for me.” Well, it is much easier now. With the products and tools that have been developed by vendors such as Global Relay, it simply boils down to the fact that employees must be trained to use the correct phone number associated with the compliant business communications – whether that be a corporate or BYOD device.
Chip Jones, Executive Vice President, Compliance, Global Relay
Given the strength of speculation around a potential shift away from BYOD, we asked firms whether they had seen the use of such policies change in light of regulatory enforcement surrounding personal devices. Fewer than expected said that they were moving away from BYOD by reason of regulatory action, at only 16.5%.
Instead, it appears that organizations are revisiting their existing BYOD policies to make them clearer, and stringent enough to meet shifting compliance expectations. 45.2% said that they were looking again at existing policies, while 38.3% had not noticed any change. This would suggest that, instead of ripping up the rulebook and investing in corporate devices – at huge cost to the organization – firms are taking the time to rewrite the rulebook and ensure it is clear and understood by staff.
From what I’ve seen, companies have been reassessing their BYOD and corporate phone policies over the past few years, most probably driven by COVID to some degree.
This shifted behaviors, and the challenge has been in resetting those behaviors again. For instance, when issuing corporate devices to client-facing teams, they don’t necessarily like it because they now have to have two phones, which is a pain. But it’s training that behavior of ‘work phone for professional life, personal phone for home life.’ And we’ve just had to adopt a very strong position with it.
Since the big fines in the U.S., I’ve definitely seen a shift towards even tighter policies, but also towards new investment in corporate devices – often at considerable expense. It makes a clear demarcation between personal and professional channels. People are definitely starting to get the message about the importance of comms governance since the fines.
Pankaj Anand, Head of Governance Technology Solutions, StoneX
Once again, changes – or apparent changes – to BYOD policies in response to regulatory scrutiny vary by jurisdiction. 45.4% of EMEA-based respondents, and 41.5% of North America-based respondents said that they had not noticed any change regarding BYOD.
By contrast, 22.2% of global respondents said the same. This is of particular interest given that North America has seen the most intense regulatory scrutiny around off-channel communications.
Again, only 9.7% of North American firms said they are moving away from BYOD, though 48.8% are revisiting their policies. EMEA, on the other hand, sees 27.3% of respondents moving away from BYOD policies, despite seeing the least regulatory messaging on this topic.
“We apply the same security metrics to BYOD as we do to corporate-issued devices.”
Chief Financial Officer, Investment Bank, North America
“We require preapproval for BYOD to ensure we can monitor.”
Compliance Officer, Hedge Fund, North America
“We use BYOD, but corporate ‘apps’ are ringfenced from the rest of their device and centrally monitored (i.e. MS Outlook, Teams).”
Chief Compliance Officer, Hedge Fund, APAC
“If anyone contacts me personally on any social media site or on my personal cell phone, I explain we need to communicate on business platforms.”
President, Insurance, Global