A number of major American and European-headquartered banks have set aside a combined amount of over $2 billion to cover anticipated fines for the use of unauthorised messaging apps to exchange confidential business communications amongst employees. Regulatory authorities have been investigating, and are now clamping down on, the use of unapproved channels such as WhatsApp by bankers to communicate with colleagues and clients.

In July 2022, one multinational bank reached a resolution to pay U.S. regulators – the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) – fines amounting to $125 million and $75 million, respectively, for its employees' use of unofficial communication tools. A multinational investment bank agreed to pay fines of $200 million to the SEC and CFTC to resolve civil investigations into the bank's failure to comply with the records preservation rules applicable to broker-dealers, swap dealers and futures commission merchants. The investigation found that the bank did not hold copies of certain communications required to be maintained under the respective record-keeping rules, essentially because those communications had been sent or received by employees over electronic messaging channels that had not been approved for business use.

These investigations have served as a wake-up call to all financial institutions dealing with market-sensitive information, to review the adequacy of their data governance and data retention policies.

Why is this happening now?

Since the pandemic, the world has seen a shift toward home and remote working, which has brought certain record-keeping issues into sharper focus because employees increasingly rely on personal email, social media and messaging apps to stay in contact. Remote working has also blurred the boundary between professional and private life, most visibly where personal devices and messaging platforms have been used to exchange official and confidential information. This has alerted regulators, and some financial institutions are now facing investigations focused on their workers using text messages and personal email to conduct business.

Warnings by regulators

The UK's financial regulator, the Financial Conduct Authority (FCA), has previously warned banks that misconduct risk may increase as people continue working from home and turn to unmonitored forms of communication, such as WhatsApp, to share potentially sensitive information in a work context.

The United States' financial services regulators, the SEC and CFTC, found that between January 2018 and September 2021 employees of 16 Wall Street firms routinely used SMS text messages and messaging apps such as WhatsApp to discuss business matters, including debt and equity deals, with co-workers, clients and third-party advisers. Most of those conversations were not retained by the institutions, in violation of federal rules that require broker-dealers and other registrants to preserve business communications.

The CFTC released a public statement about these recordkeeping and supervision failings, indicating that it would firmly investigate and hold accountable registrants who fail to comply with their core regulatory obligations. Similarly, the SEC published a press release on the same issue, emphasising that the record-keeping requirement is sacrosanct: communications that are conducted off-channel and never preserved cannot be produced to the Commission, which hampers its ability to investigate.

Importance of data governance in financial institutions

Financial institutions collect and manage vast amounts of confidential and sensitive data, including price- and market-sensitive transactional data and personal data such as consumer transactions and purchase information used to round out customer profiles. They may also handle confidential trading or inside information that, if misused, can move markets and constitute market abuse. This is where effective data governance and controls come in.

A data governance policy is a framework of established principles for ensuring that the data and information assets of an enterprise are handled consistently and used appropriately. Typically, such a framework includes separate policies for data quality, access, security, privacy and usage, together with the roles and responsibilities for implementing those policies and monitoring compliance with them.

The data governance policy must set out data handling principles that confine business communications to approved channels, which can then be subject to proportionate monitoring. Robust access controls should restrict price- and market-sensitive data to the employees who are authorised to see it.

Communications on personal devices

Financial institutions dealing with sensitive regulated transactions need to state clearly which of their employees can and cannot use personal devices to communicate business information. Monitoring and applying a data retention policy becomes more challenging when communications take place on personal devices over end-to-end encrypted messaging apps such as WhatsApp and Telegram: because the content is encrypted between the two handsets, the institution cannot capture it in transit, so any record must be captured on the device itself or through an archiving integration approved by the messaging provider. If a bank monitors its employees' communications on their personal devices, there is a significant risk of privacy violations unless ring-fenced "BYOD" applications are used, in which business email and messaging are confined to a separate, managed container and personal data on the device is left untouched.

In light of these concerns, one bank instructed some employees to install a mobile app that enables the compliance team to monitor their phone calls, text messages and WhatsApp conversations. It also cautioned employees not to erase any work-related WhatsApp communications, given the intensifying U.S. crackdown on banker communications.

Need for a data retention policy

An essential element of compliance in this area is maintaining accurate and up-to-date records in line with regulatory retention periods and reporting requirements. Every aspect of an organisation's record-keeping, from initial storage through retrieval and audit, is governed by regulatory requirements. A data retention policy should specify clearly which records and data are to be kept, for how long, and in which system. Once the retention period ends, the data should be deleted in an appropriate and documented way.

Financial services firms are obliged to keep their books and records in order and to monitor internal communications (including email, messages, meeting notes and, in certain jurisdictions, phone calls) in order to identify possible misconduct or market abuse.

When sensitive and confidential data is shared through unauthorised personal messaging apps, private social media channels or personal mobile devices, it becomes difficult for organisations to follow their record retention policies and to identify relevant business-related conduct, including monitoring their workforce for potential market abuse and manipulation.

The FCA's Senior Management Arrangements, Systems and Controls Sourcebook (SYSC) specifies, in SYSC 9.1.1A, that firms must keep records sufficient to enable the FCA to fulfil its supervisory tasks and to perform enforcement actions under the regulatory system, including MiFID, MiFIR and the Market Abuse Regulation. In particular, the FCA needs to be able to satisfy itself that firms are meeting all of their regulatory obligations, including those owed to clients and potential clients, in order to protect consumers and safeguard the integrity of the wider financial system.

Is employee monitoring the solution?

A Data Protection Impact Assessment (DPIA) is mandatory under Article 35 of the GDPR where processing is likely to result in a high risk to individuals, which includes large-scale processing of sensitive personal data and systematic or intrusive monitoring and surveillance. It is a highly effective tool for assessing the impact of any proposed monitoring and should be undertaken at the earliest possible stage so that suitable mitigating measures can be designed in. When banks and other regulated financial institutions monitor some or all of their employees, the requirement to conduct a DPIA may well be triggered. Whether mandated by the GDPR or used as an internal risk management tool, such an assessment not only examines the firm's handling of personal data but also provides a documented record that the firm has reviewed and assessed the privacy and data compliance risks involved.

Caution is advised

Intrusive or disproportionate monitoring of employees' work and personal communication channels can raise data protection and employment law concerns and should therefore be assessed carefully before deployment. With the growing use of artificial intelligence-based predictive analytics and data mining to identify market abuse-type behaviours, even greater care must be taken in assessing the privacy and ethical risks of machine-based decision-making, particularly where data sets drawn from business systems are combined with public data sources. Financial institutions can reduce their exposure by enforcing strict standards through staff training, consistent policy enforcement, and technical restrictions and monitoring on the use of unauthorised email and messaging systems for business purposes.

Before implementing such monitoring, firms must communicate the applicable rules and standards to their employees and update their privacy, data governance and compliance policies. Where necessary, firms should consult local works councils if the monitoring will be rolled out across locations in continental Europe. A careful balance needs to be struck between ensuring regulatory compliance and demonstrating that market abuse obligations are being effectively managed, while not falling foul of data protection obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.