The Securities and Exchange Commission (SEC) recently announced that J.P. Morgan Securities LLC agreed to pay $125 million after admitting to widespread and longstanding failures to maintain and preserve written communications over WhatsApp, personal email, and other messaging applications. On top of this, the Commodity Futures Trading Commission (CFTC) fined the bank a further $75 million for permitting unapproved communications since at least 2015.
Both fines are proof of the complex nature of business communication today. With a wide variety of different messaging applications and social media in the market, companies can easily run into compliance issues. The use of personal devices for business communications remains a battlefield between regulators, banks, and employees. Unofficial channels have become the latest target for regulators looking to ratchet up enforcement of recordkeeping rules. This comes as traders have migrated to encrypted messaging platforms such as WhatsApp, Signal, and Telegram.
These third-party apps are much harder to surveil than company devices and software platforms. The practice of companies ‘allowing’ their employees to use these apps for business communications has increased since the shift to remote work triggered by the pandemic. Yet the fines handed to J.P. Morgan Securities are a sign of things to come for organizations that are not focused on remaining compliant.
Not An Isolated Failure
The SEC stated in the announcement of its fine that companies who believe they may have similar compliance issues should root them out before the SEC discovers them.
The CFTC similarly found that J.P. Morgan Securities employees “communicated both internally and externally on unapproved channels”. Both regulators found that the problem was not confined to the employee level, however: it extended to supervisors, and even to those responsible for implementing compliance.
But this aberration does not just apply to J.P. Morgan, or to banks, and is likely to become an endemic issue at broker-dealers, asset managers, and arguably across the financial services sector. The SEC has itself acknowledged that the use of unapproved messenger apps is an industry problem that requires a deeper dive.
The Rise and Risks of Third-Party Apps
Business communication is as essential as it has ever been, especially with a workforce no longer under the same roof. Many organizations have adapted to this new world through Bring Your Own Device (BYOD) policies, although for some firms, particularly in the financial services industry, security concerns can reduce the perceived viability of BYOD.
Encrypted instant messaging apps like Signal, Wire, and Telegram have been around since the early part of the last decade, with Telegram reaching 35 million users by 2014. Since 2016, these apps have grown even further in popularity, with WhatsApp now leading the category with over 2 billion users worldwide.
Unfortunately, mobile messaging for business comes with certain risks, not limited to compliance.
- Data security challenges: Confidential business information sent through unsecured networks and via personal accounts poses a major risk with regard to security.
- Recordkeeping: Third-party apps can be a challenge when it comes to retaining and preserving mobile messages and phone calls. Not only does this conflict with internal recordkeeping, but it can also put an organization at a significant disadvantage with external investigators.
- Compliance issues: Employees using unmonitored devices and accounts for work leaves companies exposed to compliance gaps. The SEC found that messages by J.P. Morgan Securities employees hadn’t been preserved, and this meaningfully impacted the SEC’s ability to investigate.
Avoiding Compliance Issues
In order to avoid compliance issues, organizations need to lay out clear policies about how their employees communicate business-related information and ensure these policies are enforced. The CFTC noted that J.P. Morgan Securities had policies and procedures that prohibited the use of unauthorized communication methods by its employees, but that it had continually breached these. Disciplining violators and giving adequate training about compliance can help prevent similar issues.
Another major contributor to the fines was a subsequent lack of recordkeeping. The ability to separate and archive business communications, whether on a company or employee-owned device, helps ensure an organization avoids SEC and CFTC compliance infractions.
Technologies that separate business and personal communications on a single device are what now enable compliance teams to overcome the challenges of supervising personal smartphones and to avoid a costly violation.
Combining policy enforcement with recordkeeping that properly reflects the broadening range of tools and devices used for business communication these days will help firms mitigate such actions. For those organizations in the financial markets, and amid intensifying regulator action, working with compliance technology experts who can help them adapt to the changing nature of client-advisor communications while still remaining compliant is a great place to start.