In the wake of the global pandemic, there has been a prolific increase in remote and hybrid working among employees, making it the norm for numerous Financial Services firms and other industries alike.

As more employees work remotely, employers grapple with monitoring challenges, leading to heightened regulatory worries. With virtual communication on the rise, there's a greater risk of misconduct via unmonitored messaging apps for business. Consequently, firms, including UK FCA-regulated ones, face increased regulatory scrutiny. The surge in remote work leaves financial institutions navigating communication strategies that are practical and compliant.

In this article, we consider the impact on Financial Services firms and suggest measures to mitigate future regulatory risks from an employment perspective.

Why is this such a concern for regulated businesses?

Financial institutions are subject to strict regulations concerning the protection of confidential information and record-keeping. Regulatory bodies in the UK have sent a clear message that the unauthorised use of applications such as WhatsApp on unmonitored personal devices can pose significant risks to firms, and this was reconfirmed by the FCA through its Market Watch Newsletter. These risks flagged by the FCA include the rising use of unmonitored and encrypted communication apps like WhatsApp for sharing potentially sensitive work-related information. The FCA emphasised that this trend poses challenges and substantial compliance risks, as firms may struggle to effectively monitor communications through such channels.

Alongside this, the FCA has emphasised that the firms under its supervision must remain compliant with their standard recording requirements. It states, 'firms must ensure that if such applications are utilised for in-scope activities on business devices, all communication is recorded and can be audited.'

Although the increase in remote and hybrid working arrangements has only become prominent in recent years, the FCA's focus on regulating the communication of confidential information is longstanding. The FCA first acted in relation to social messaging and employment in 2017, when the regulatory body fined an investment banker £37,198, after discovering that he had divulged confidential client information over a WhatsApp chat with friends. This enforcement action set the precedent that it is imperative for Financial Services firms to regulate and train their employees on the use of confidential information via unmonitored or encrypted messaging applications.

Whilst there is a risk of enforcement action for employers that are regulated by the FCA, banks have also taken their own measures against the employees involved. In 2023, HSBC dismissed a London-based trader following an investigation by the bank's compliance team into the use of inappropriate messaging applications with clients. Similarly, a Credit Suisse investment banker in the US was dismissed from his role in 2022 after he was found to have used unapproved messaging apps with clients. Banks have struggled to maintain compliance when communicating virtually with clients, as they noted that 'certain clients love chat channels' and prefer to communicate on apps on their personal mobiles. Employees at JP Morgan and UBS have navigated this barrier by starting to use an app called Movius on their phones, which records all calls and logs text messaging.

Practical considerations to ensure employers maintain compliance

Appropriate training for employees

Employers should ensure that they are engaging in regular training sessions. With technology continuing to evolve, new systems and forms of communications will continue to present new challenges to staying compliant. Employers could also consider implementing an annual compliance certification where employees certify to their understanding of and compliance with their firm's policies on applications such as WhatsApp.

The importance of providing regular and appropriate training to employees was heightened in September 2022, when the FCA took enforcement action against Sigma Broking Limited, along with individual action against two of the company's Directors, in relation to market abuse reporting failures. The FCA found that the broker had no policies or training in place which covered restrictions around the use of personal devices and encrypted messaging applications for business purposes, and also noted that a number of the broker's employees had, without prior authorisation, been using encrypted chat applications on their personal mobile devices to communicate with and take orders from clients.

Providing employees with work devices

Providing employees with work devices, such as mobile phones and laptops, allows employers to establish ownership over these devices. In the event that firms suspect that an unmonitored and unauthorised messaging application has been used for business purposes on a personal device, firms will not be able to force employees to hand over their own devices in order to engage in a formal investigation. With work devices, however, employers will be able to require these to be delivered on request. It should be noted that employers should tread carefully to ensure that a reasonable expectation of privacy is maintained.

It is therefore important that employees are also notified that they may be subject to work-related monitoring and surveillance which will extend to their use of IT, email and other electronic devices.

Display leadership by example

Firms must ensure that those in senior management level positions are setting the tone for their staff and should lead by example. Where those in senior positions are failing to comply with off-system communication policies, the processes are severely undermined.

Express provisions in employment contracts

Employers should include an express clause in each employee's contract of employment to make it clear what the employer expects and requires of staff in relation to navigating communications with confidential information. The provisions should be mirrored, whether the employee is working from home or in the office. In addition to this, a clause could be included which imposes a contractual obligation on an employee to report any wrongdoing, with the intention that this will act as a deterrent against non-compliance for all employees.

Implement a disciplinary framework

Firms should consider implementing a specific disciplinary framework for off-system communications which should be widely circulated to all employees in order to promote compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.