
The FCA, WhatsApp, and recordkeeping
The FCA surveyed UK banks on the use of encrypted and unmonitored messaging apps like WhatsApp and Signal, with no specific enforcement action currently in the works. Firms must still ensure compliance with recordkeeping rules, regardless of technology used.
Against a backdrop of billions of dollars of fines in the U.S. for off-channel communications and recordkeeping breaches by financial services firms, it was reported that the U.K. Financial Conduct Authority (FCA) had surveyed a number of banks about the use by employees of communications such as WhatsApp, Telegram, and Signal.
The firms were asked to “provide a list of confirmed breaches of unmonitored and/or encrypted applications policies that have been recorded in the UK over the last 12 months”. In addition, firms were asked for specific details of how senior the individual concerned was, what business area they were in, and how the breach was picked up. The FCA also wanted to know the “disciplinary outcome or impact on compensation and promotions”.
The reported upshot of the survey was that no specific action regarding the use of encrypted messaging systems was likely to be forthcoming. That is not the same as the regulator saying there will be no enforcement action.
Technology neutral
The FCA is a technology-neutral regulator. The regulatory approach is that it is up to the firm to choose what means of communication is deployed, but whatever systems are utilized, the firm must be able to comply with all relevant rules and requirements. The FCA does not regulate any particular messaging system or app but rather requires compliance with the associated record-keeping and other rules.
FCA SYSC 9.1.1: “A firm (other than a common platform firm) must arrange for orderly records to be kept of its business and internal organization, including all services and transactions undertaken by it, which must be sufficient to enable the FCA to monitor the firm’s compliance with the requirements under the regulatory system, and in particular to ascertain that the firm has complied with all obligations with respect to clients.”
Firms should also be aware that the regulatory approach to the recording of telephone conversations and electronic communications with regard to investment business is also covered in the European Securities and Markets Authority’s (ESMA) FAQs which were carried over into the UK requirements post-Brexit.
Again, technology neutrality is made clear because, among other things, technology moves on so quickly. As part of its response to a question on which electronic communications fall within the scope of the requirements, ESMA states: “ESMA will not produce an exhaustive list of electronic communications because of the continuing innovation and advancement in technology which would mean the list frequently becomes out of date.”
Encryption and disappearing messages
A central feature of messaging apps such as WhatsApp is the end-to-end encryption. Other messaging apps such as Telegram have features whereby messages can be set to ‘disappear’ after being viewed. Both need careful consideration in terms of compliance for financial services firms given the overarching requirement for recordkeeping. The U.S. Department of Justice tackled this issue directly in its Evaluation of Corporate Compliance Programs (ECCP), stating that:
“During an investigation, if a company has not produced communications from these third-party messaging applications [including ephemeral messages], our prosecutors will not accept that at face value. They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws.”
Again, it is not about the messaging app being used but rather how a firm (or individual) can evidence compliance with its regulatory obligations. It is a supervisory expectation that if firms choose to allow the use of encrypted messaging then they should have the organizational and administrative capabilities to convert any encrypted data into an unencrypted format. At a general level firms are expected to be able to deliver or make available copies of any records in an unencrypted and easily analyzable format or provide the means that such data can be unencrypted when requested by the client, competent authority, or other competent third party. For the FCA, SYSC 9.1.4 states that “the records required under the Handbook should be capable of being reproduced in the English language on paper” – so, by definition, unencrypted.
It is unclear how investment or other regulated business conducted with ‘disappearing’ messaging could be made compliant.
Enforcement
The use of WhatsApp (and similar) has been cited in a number of UK enforcement, and potential enforcement, cases. The enforcement actions make clear that the corporate and personal accountability was due to breaches of regulatory and legal requirements rather than because a specific method of communication was used.
In 2017, Christopher Niehaus, a former investment banker, was fined £37,198 for sharing client confidential information over WhatsApp – the crux of the enforcement was the non-compliant sharing of confidential information rather than the means by which it was shared. The FCA found Niehaus failed to act with due skill, care, and diligence.
In 2023, Morgan Stanley was fined £5.41m by Great Britain’s independent energy regulator, Ofgem, for not recording and retaining electronic communications between January 2018 and March 2020. It was the first-ever fine issued in Great Britain under legal requirements to record and retain electronic communications relating to trading wholesale energy products.
In December 2024, it was reported that Credit Suisse is being investigated by the FCA over allegations that former employees shared confidential information over WhatsApp. Specifically, it would appear that staff in the London office were communicating about business matters on personal devices and sharing price-sensitive information about the companies they covered.
Recordkeeping must be a priority
Recordkeeping is a core competency for financial services firms and, if it is not already, it must become, and remain, a priority. Recordkeeping has often been something of a poor relation when it comes to investment, but the stark truth is that firms are utterly reliant on their records to be able to act, plan and execute business.
For firms, robust and comprehensive recordkeeping should inherently be technology-neutral. If recordkeeping requirements are applicable, they should be complied with regardless of the technology or systems being used. Without a comprehensive and robust approach to recordkeeping and the associated data governance, firms will simply not be able to evidence corporate and individual compliance with all relevant obligations.