UK Data Recording Obligations – Have You Got The Message? -

In recent weeks, the use of encrypted messaging applications for business purposes has returned to the spotlight. In July 2023, legal challenges surrounding the disclosure of messages on devices used by former Prime Minister Boris Johnson made headlines in the context of the Covid-19 Inquiry. And only last week, the UK's energy regulator, the Office of Gas and Electricity Markets (Ofgem), issued a fine in respect of communications relating to wholesale energy trading made via an instant messaging platform on privately owned phones that were not appropriately recorded or retained – the first fine of its kind in the UK. In light of the augmented media attention, it may be that Ofgem and other UK regulators now look to apply additional scrutiny on the use, recording and retention of electronic communications, particularly via encrypted messaging applications such as Signal, Threema and WhatsApp.

Background

This is not a new area of interest for UK regulators. For example, the Financial Conduct Authority (FCA) took action against an investment banker in 2017 for sharing client confidential information via an instant messaging platform. There has, however, been a spike in regulatory activity in this regard following the Covid-19 pandemic, and the resulting shift towards remote/hybrid working. In particular:

In January 2021, the FCA issued 'Market Watch 66', which warned regulated firms that they must continue to comply with the recording requirements in the FCA's Senior Management Arrangements, Systems and Controls sourcebook (SYSC) – specifically, SYSC 10A. The FCA also announced last year that it was holding discussions with a number of UK authorised firms regarding their private device practices.

In July 2022, the Information Commissioner to Parliament (ICO) issued a report entitled "Behind the screens – maintaining government transparency and data security in the age of messaging apps" which found there to have been extensive use of private correspondence channels by Ministers, and staff employed by the Department of Health and Social Care. The report recommended that a further review be established (in addition to that being undertaken by the Covid-19 Inquiry in respect of issues specific to the pandemic) to look at how different, non-corporate communication channels are being used across the government.

More recently, in April 2023, the Prudential Regulation Authority (PRA) imposed a substantial fine relating to one firm's failure to (amongst other things) implement adequate policies and procedures surrounding the retention of business-related correspondence and records, in particular those messages exchanged between senior executives, directors and external parties via an instant messaging platform.

This increase in regulatory activity is not limited to the UK. In September 2022, U.S. regulators imposed fines on 16 financial firms following an industry probe that uncovered routine use of applications on staff personal devices such as text messages and other messaging platforms, to discuss business matters with colleagues, clients and other third parties.

What are the recording obligations for regulated firms in the UK?

Although the use of messaging platforms is not strictly prohibited (in fact there are legitimate business reasons that may require the use of encrypted call or messaging platforms), regulated firms often have obligations with regards to data recording and retention. For example:

Regulation 8(3), the Electricity and Gas (Market Integrity and Transparency) (Enforcement etc.) Regulations 2013 (the REMIT Regulations): Regulated persons must take reasonable steps to ensure that any communication relating to wholesale energy products is recorded and that a copy is retained (i.e., stored in a medium that is accessible by Ofgem). Regulation 8(6) also requires regulated persons to take reasonable steps to prevent the making, sending, or receiving of any relevant communication (including on privately owned equipment) that it cannot ensure is recorded or retained in accordance with the REMIT Regulations.

SYSC 10A: Regulated firms must take all reasonable steps to retain a copy of electronic communications that relate to in-scope activities, and that are made with, sent from, or received on, equipment either provided or permitted for business use by the firm. A firm must also take reasonable steps to prevent its employees or contractors from communicating on privately owned equipment that the firm is unable to record or copy. Records of communications must be kept for a period of five years (or seven years, where requested by the FCA).

Record Keeping Rule 2.1 of the PRA Rulebook: Capital Requirement Regulation (CRR) firms and CRR consolidation entities must, in respect of in-scope activities, arrange for orderly records to be kept of its business and internal organisation, including all services, activities and transactions undertaken by it, such that the PRA can fulfil its supervisory tasks and ascertain that the firm has complied with all obligations under the regulatory regime. A firm must retain all records kept by it under this Rule in relation to its Markets in Financial Instruments Directive (MiFID) business for a period of at least five years.

Regulation 40 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (Money Laundering Regulations): A relevant person must keep records of any documents and information obtained to satisfy the customer due diligence requirements in the Money Laundering Regulations, as well as sufficient supporting records in respect of a transaction that is the subject of customer due diligence measures or ongoing monitoring to enable the transaction to be reconstructed.

The management of records by UK government departments and public authorities should be guided by practice recommendations on data recording and retention, including relevant Codes of Practice presented to Parliament pursuant to the Freedom of Information Act 2000.

What does compliance look like in practice?

The starting point for compliance with relevant regulatory requirements is for firms to have in place clear policies and controls for the use, recording and retention of telephone conversations and electronic communications by employees or contractors. The key questions are, however, (i) what can firms do to ensure that their policies are effective, and (ii) what additional steps can firms take to ensure compliance with those policies?

Firms should consider the following:

Regular Review of Policies: Existing policies should be reviewed regularly and updated to address new risks, including developments in software and technology. These policies should make clear the consequences of any breach. Any gaps in data retention or recording should be addressed without delay.
Training: Appropriate training should be provided to employees/contractors both at induction and at regular intervals to ensure that the relevant policies are known and understood. Refresher training should be required when policies are amended or updated. Completion of any training could include a declaration by employees/contractors that the relevant policies have been followed.
Monitoring: There is always a risk of inadvertent or deliberate breach. It is therefore important for firms to have procedures in place to monitor business communications such that irregularities and any potential malpractice are detected at an early stage.
Internal Investigations and Disciplinary Action: To the extent that potential breaches are identified, appropriate internal investigations should be conducted, with findings sufficiently escalated so that lessons can be learned and policies updated as necessary. Should the investigation result in any findings of wrongdoing or breach of policy, appropriate disciplinary action should be considered.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.