As regulators hand out hundreds of millions of dollars in fines for record-keeping failures related to the use of social messaging platforms such as WhatsApp, the finance industry faces a choice: properly enforce bans on the use of these apps or find ways to make them compliant.
“The explosion of new electronic communications channels — and the pervasive use of these — raises lots of red flags for the regulators,” said Anthony Diana, a partner at law firm Reed Smith’s Tech & Data Group. “The fear is that, if bad things are happening, they're happening on these personal apps, not on the sanctioned communication channels that are surveilled.”
Apps such as WhatsApp have been around for years, but their use in the financial sector grew during the COVID-19 pandemic as financial advisers and traders worked from home and sought ways to keep in contact with colleagues and clients.
Banks typically banned such consumer apps outright, but that stance has begun to shift for some firms who are now opting instead to capture conversation data for compliance purposes. That allows staffers to use the communication tools they prefer — and, most importantly, the tools their clients prefer — while staying on the right side of regulators.
"Addressing regulatory requirements around capturing, archiving, and monitoring the use of mobile communications is a difficult problem,” said Raúl Castañón, senior analyst at 451 Research, a division of S&P Global Market Intelligence.
“The shift to hybrid work and the growing use of mobile communications post-pandemic make it increasingly relevant for organisations to enable compliant communications.”
Said Diana: “There's recognition that people are still going to use some email, but there has to be other ways of communicating. Now, the rush is on is to identify the channels that make the most sense from a business perspective, and then make sure the technology is in place to make sure it's captured and surveilled correctly.”
With two billion active users, WhatsApp is the most popular consumer messaging tool, though it’s far from the only one. iMessage, Facebook Messenger, WeChat, Telegram, and Signal have all made their way into the workplace as smartphones have proliferated and corporate “bring your own device” schemes mature.
It comes down to simplicity and convenience, said Ari Lightman, distinguished service professor, digital media and marketing, at Carnegie Mellon University's Heinz College of Information Systems and Public Policy.
“Why would you use a platform that's theoretically not provided by your company? Because of ease of use. We spend so much time in email that it becomes a time sink; everybody becomes horribly inundated so they go to messaging apps.”
While the use of unsanctioned communication apps can be a headache for any company, the problem is more acute in highly regulated industries. Banks are compelled by regulators to keep a record of employees’ business-related communications to help tackle fraud, insider trading, market manipulation, and other forms of misconduct.
Even if the vast majority of messages sent are harmless, the use of social messaging apps means regulators lose visibility into what’s being said. “That's the crux of it: if you don't know what's happening on those platforms, there's suspicion associated with it,” said Lightman.
Regulators target tier-one firms
It’s not a new problem in the finance sector. Fines have been levied for un-compliant use of various communications technologies for years, but regulators have begun to take an even tougher stance around personal messaging apps in recent months.
Most notably, JPMorgan was hit with a combined $200 million in fines from the US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) in December for failure to monitor and store electronic communications between 2018 and 2020.
The SEC cited the use of WhatsApp, text messages, and personal email accounts for business matters — a common practice even among senior staff members tasked with enforcing compliance with corporate policies.
And it’s proved to just be the start: Citigroup, Goldman Sachs, and HSBC were among the banks that announced cooperation with an SEC investigation in annual financial results statements earlier this year.
Reports have since emerged that Citi, Bank of America, and Goldman Sachs are in talks with regulators to pay around $200 million due to a failure to monitor unauthorised messaging apps. Barclays and Morgan Stanley have both reportedly set aside a similar amount for related fines.
But while it’s the large banks that have drawn the ire of regulators so far, the issue is widespread across the industry. “Every financial institution that’s subject to these regulations is in the crosshairs of the regulators,” said Diana. “They’re starting with the big [banks] because that sends the message to the entire industry that this is a focus.”
Capturing WhatsApp messages
Banks have long been able to access software and services from compliance technology vendors that enable the recording of SMS and voice data. As the use of social messaging apps has become more pervasive, some vendors have added capabilities to track social messaging apps in recent years too.
There are different approaches to achieve this. For some, it involves provisioning a separate, corporate version of WhatsApp on user’s phone, with a different phone number to hand out to clients.
A WhatsApp “wrapper” can be deployed via a mobile device management (MDM) or enterprise mobility management (EMM) platform to provide archiving for WhatsApp messages on iOS and Android devices, as well as desktop versions of the app. “Other options include the use of virtualisation technology that enables co-hosting of two or more secure virtual environments on a single mobile device,” said Castañón.
It’s typically possible to capture instant message data from direct messages and group chats, as well as voice and video calls, shared links, files and other attachments.
Some of the main vendors offering WhatsApp capture include Guardec, LeapXpert, Movius, Symphony, TeleMessage, and Voxsmart.
Movius, which also sells software to monitor and record voice calls, SMS, and WhatsApp messages on mobile devices, counts JPMorgan Chase and UBS among its customers. The Financial Times recently reported that German lender Deutsche Bank has told its staff to install the app on smartphones.
Movius declined to comment on its customers. but Movius CEO Ananth Siva said banks are increasingly aware of the need to provide staff with whichever tools they use to conduct business.
“If you don't equip them with a channel that the clients of the firm are asking to interact on, then you're going to have all these challenges [with regulators],” said Siva.
“All the firms we're working with right now are very, very conscious of this. Some of them have been working at it for a number of years and are better equipped to address these challenges, others can be fast followers.”
Movius’ approach is to provide an app that can be downloaded on an employee device, creating a separate phone number that is used for business-related communications. All messages sent or calls made via the number can be automatically recorded.
With the app installed, finance professionals can send WhatsApp messages to clients, who receive a notification asking them to “opt in” to monitoring on of the conversation — though clients don’t need install the app on their own device.
The prospect of monitoring messaging apps inevitably raises privacy concerns, even in an industry that’s already subject to extensive monitoring. A requirement that employees install monitoring apps on their personal smartphones could lead to some difficult conversations, not least with senior executives.
However, Siva said the Movius app siloes communications from the rest of a user's smartphone, enabling them to have an independent WhatsApp profile for personal use. In that case, personal messages should — theoretically, at least — be exempt from monitoring.
“Our technology facilitates that work/personal separation on the same device,” he said. “The instances are completely separate.”
Once conversation data has been captured, it can be treated like any source of communication data that’s monitored for compliance purposes.
Bank staff rely on a variety of authorised digital tools to communicate internally and externally, such as chat functionality within Bloomberg and Thomson Reuters Eikon terminals, as well as widely used collaboration platforms such as Microsoft Teams, Slack, and video platforms including Zoom.
By capturing WhatsApp conversations, the data can be made available for e-discovery and monitoring, just like any other channel, said Shiran Weitzman, CEO of Shield, a communication compliance software vendor. “In the same way that we're doing this for Bloomberg chat or an email, it's being done also on WhatsApp,” he said. “We basically make the channel irrelevant for the compliance work.”
In addition to collating and archiving communications for audits, natural language processing can be applied to the conversation data to flag signs of potential misconduct. It’s also possible to monitor and raise alerts when employees try to shift a conversation to unapproved channels, highlighting phrases such as “let’s move the conversation to Telegram,” that might appear in an email exchange or Teams chat.
“We have a module in our surveillance platform that looks specifically for words like, 'Let's move this WhatsApp, or to Telegram,’ ‘Ping me on Signal,’ or whatever it might be,” said Brian Lynch, president of US operations at SteelEye, a compliance monitoring and reporting software vendor. “It gives an indication in the existing monitored channels that might belie some use of WhatsApp.”
Would an outright WhatsApp ban even work?
Despite the prevalence of WhatsApp as a business communication tool, relatively few actually monitor the app's use. Only 15 per cent of financial institutions currently monitor the platform, according to a survey of 170 senior compliance professionals conducted by SteelEye.
Even fewer track popular workplace collaboration app Slack (nine per cent), while Microsoft Teams (40 per cent), Bloomberg Chat (40 per cent) and Zoom (25 per cent) are more likely to be on the monitored. (The survey data covers finance firms in a range of sizes, so the results may not be representative of the stance taken by the largest, “tier one” firms.)
The SteelEye research also found that 41 per cent of financial services firms see communication monitoring as an priority in the next 12 months, indicating a potential shift in attitude.
It’s unsurprising that so few institutions monitor the use of WhatsApp, said Lynch, given that many rely on internal policies to enforce bans on the use of such tools. “There's a significant number that have decided that ‘policy’ is how they're going to manage [the use of messaging apps],” he said.
Even in the face of increased regulatory scrutiny, many financial services firms will be content to double down on enforcing policies to limit the use of messaging apps. But for those that choose this approach, it’s important to recognise that these apps are still likely to be accessed by staff, and to take sufficient steps to enforce policies.
“A firm can choose which way it wants to go, but it can't just be, ‘We're going to ban it,’ versus ‘We're going to allow it,” said John Lukanski, a partner in Reed Smith’s Financial Industry Group.
“If you're going to ban it, you certainly need a supervisory process in place to police that. I don't think you can say, 'We're not going to let you use this,' but then, with a wink and a nod, know that it's going on nevertheless.”
Whichever approach they take, financial institutions should be considering their strategy as regulators loom. “The regulators are looking to have a reckoning moment, so you've got to be smart enough to recognise that and do something about it,” said Lukanski.
Hybrid/remote work increases use of messaging apps
Whichever approach banks adopt, it’s clear that personal messaging apps aren’t going anywhere — and while WhatsApp is the most popular tool currently, the landscape can quickly change. “With the different ways that people can communicate, it's going to be an ever-present, evolving challenge to keep up,” said Lukanksi.
Beyond the proliferation of different mobile messaging tools, the frequency with which they're used is likely to have increased during the pandemic as staff worked from home and turned to a variety of digital tools. The UK’s Financial Conduct Authority warned last year that “the risk from misconduct or market abuse may be heightened by home-working” with increased use of unmonitored messaging tools.
“The use of all of these personal communications channels was certainly accelerated by the pandemic, because people needed a new way to communicate,” said Diana. “A lot of the control functions that have been used in the past — like limiting what they could do from the desktop — fell by the wayside."
Although there’s been high-profile pushback by some finance firms over employees working remotely, it appears that hybrid work is likely to remain commonplace across the financial sector.
A survey on behalf of technology vendor Riverbed indicated that most (83 per cent) of IT and business decision makers at financial services firms expect at least 25 per cent of their employees will continue working on a hybrid model post-pandemic, while almost half (42 per cent) of respondents expect half of their workforce will be hybrid.
If that’s the case, firms will be hard pressed to end the use of personal messaging apps entirely.
“We’re seeing a complete disruption of how we work, how we communicate, and how we engage; mechanisms that are much more convenient and usable have just exploded,” said Lightman. “The genie’s out of the bottle: you have to figure out how to live symbiotically with these types of platforms.”