U.S. financial regulators have signaled, through an impending widespread enforcement sweep against Wall Street banks, that they are zeroing in on employees’ unapproved use of electronic communication channels to discuss business-related matters. Collectively, the cases emphasize the need for financial services firms to enhance their monitoring and recordkeeping obligations.

Bank of America, Barclays, and Morgan Stanley are among more than a handful of banks to have disclosed agreements to pay as much as $200 million concerning employees’ business communications on unapproved messaging platforms and recordkeeping failures. The fines are expected to be announced by the end of the government’s fiscal year on Sept. 30, according to a report from the Wall Street Journal. Other banks ensnared in the crackdown include Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs, and UBS.

Gurbir Grewal, director of the Securities and Exchange Commission’s (SEC) Enforcement Division, in public remarks last October warned financial institutions “to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps.”

Failures to preserve and produce electronic communications “delay and obstruct investigations,” he added, and “raise broader accountability, integrity, and spoliation issues.”

Two months after Grewal’s speech, JPMorgan Chase became the first bank to pay $200 million—$125 million to the SEC and $75 million to the Commodity Futures Trading Commission (CFTC)—regarding its employees’ use of messaging apps, including WhatsApp, and personal email accounts to communicate about securities business matters.

JPMorgan’s recordkeeping failures especially drew the ire of the SEC for impacting the staff’s “ability to carry out its regulatory functions and investigate potential violations of the federal securities laws across these investigations,” the agency stated in its order. “The commission was often deprived of timely access to evidence and potential sources of information for extended periods of time and, in some instances, permanently.”

SEC staff were only able to uncover evidence and sources of information through third parties, according to the order.

“If you read the JPMorgan order, you can tell the regulators were upset about how things went down,” said John Lukanski, a partner at law firm Reed Smith. Regulators want to know they have all the evidence they need to conduct a thorough investigation, he said.

If employees are communicating over unapproved channels and regulators find out about the existence of certain documents only through subpoenaing third parties, they’re not going to be happy, Lukanski added.

“That is a big driver in all of this,” he said. On an industrywide scale, it is “low-hanging fruit.”

The problem with policies

“A proactive compliance approach requires market participants to not wait for an enforcement action to put in place appropriate policies and procedures to preserve these communications and anticipate these emerging challenges,” Grewal advised in his remarks.

Prudent financial institutions already have written policies and procedures in place explicitly forbidding employees from using unapproved electronic communication channels to discuss business-related matters with clients and customers. This was the case with JPMorgan Chase and many of the other banks bracing for enforcement from the SEC and CFTC.

The compliance lesson there: Policies and procedures alone do not address the central problem, which most succinctly can be described as an “inherent and ongoing tension” between financial firms’ recordkeeping obligations and the realities of the way people prefer to communicate today, said Ken Joseph, a managing director and head of the financial services compliance and regulation practice for the Americas at Kroll.

This regulatory risk is further heightened for global banks because advisers and clients based in foreign jurisdictions often prefer communication channels like WhatsApp and WeChat, Joseph added. That leaves financial firms having to walk a regulatory tightrope, striking the right balance between satisfying recordkeeping requirements and remaining mindful of business realities, he said.

Firms cannot realistically prevent all employees from using unapproved channels to communicate off-book securities business matters. “What firms can do is set up reasonable supervisory systems to catch it,” Lukanski said.

If a firm’s policies and procedures prohibit employees from using certain communication channels, it would behoove it to undertake measures to enforce that, Lukanski added. Firms would be doing themselves a disservice if they said, “‘You’re only allowed to use these [communication channels]’ and then put their head in the sand about what employees are actually doing,” he said.

In the JPMorgan enforcement action, for example, the bank had supervisory policies in place that “tasked supervisors with ensuring that employees completed training in the firm’s communications policies and adhered to JPMorgan’s books and recordkeeping requirements,” but it “failed to implement a system of follow-up and review,” the SEC’s order stated.

“Supervisors have to set the tone,” Joseph said. “To the extent they themselves are noncompliant with the firm’s policies related to use of approved channels to communicate, that is problematic not only for themselves but the entity involved.”

Adopting technologies capable of capturing and archiving electronic communications is another way to address recordkeeping challenges more effectively than the outright banning of certain channels. Many financial institutions have begun utilizing newer surveillance technologies specifically designed to address such regulatory challenges.

JPMorgan, Deutsche Bank, UBS, Julius Baer, Jefferies, and Cantor Fitzgerald are just a handful of the businesses that require their employees to download Movius, a mobile app that enables compliance departments to monitor calls and texts, including WhatsApp conversations, across mobile and desktop devices, according to Movius’s website.

JPMorgan believed in the product so much it invested $45 million into Movius.

“Across the board, financial services firms are finding that customers and employees alike expect to communicate conveniently on their mobile devices. This strategic investment in Movius will help remove friction and better enable employees to be more productive and communicate securely via their mobile devices,” said Larry Feinsmith, managing director and head of global technology strategy, innovation, and partnership at JPMorgan, in a press release.

New communication landscape

When working with a third-party vendor, financial firms should be cognizant of all the new messaging apps that exist today that need to be not only archived but also monitored and analyzed from a regulatory compliance standpoint.

In addition to WhatsApp and WeChat, other prominent messaging apps include Element, Google Chat, LINE, Signal, Snapchat, Telegram, and Wire. Don’t forget popular social media communication channels like Facebook Messenger, LinkedIn, Twitter, and Slack.

“There are all these other new ways of communicating,” said Rieko Moody, a surveillance subject matter expert at Shield, a communication compliance platform provider.

Because no surveillance or monitoring technology is perfect or foolproof, “consider asking for periodic certifications from firm personnel attesting they’re using only firm-authorized systems to communicate business matters,” Joseph said. This question might also be included in annual employee questionnaires.

Looking ahead, as financial regulators turn up the enforcement heat on firms, the risk of personal liability continues to rise as well. Take, for example, the HSBC trader who was fired in June after the firm’s compliance staff uncovered messages on the trader’s phone revealing a broker bought the trader tickets to a sporting event, the Financial Times reported.

In another example, a senior Credit Suisse investment banker was fired for using unapproved messaging channels to communicate with clients, even though the bank did not find the sharing of any inappropriate information, according to multiple reports.

The bottom line is this: Regulators are more focused on these compliance failures than they’ve ever been before. If a firm finds out its employees are communicating about business matters over unapproved electronic communication channels, “it has to have strict processes to shut it down,” Lukanski said. “You can’t let it go on with a wink and a nod knowing this shouldn’t be happening.”