Illicit communications and where to find them
Regulators are tightening their net to catch firms that fail to prevent the use of illicit communications. We look at where off-channel communications are hiding, and how to find them.
While regulatory enforcement for the use of illicit communications has been a continual hot topic for financial regulators, the last few months have seen a notable increase in the pace and strength of regulatory action.
Given the swathe of enforcement action and recent media attention surrounding recordkeeping failures, we’ve taken a look at the commonly found areas in which illicit communications thrive, and what you can do once you find them.
Where to find illicit communications
WhatsApp and texts
Illicit communications are often an inevitable consequence of compliance-implemented, company-wide channel bans. The journey toward off-channel communication is easily mapped: staff use WhatsApp to speak about business-related matters; the compliance team tells them to stop; this isn’t convenient and can be a hurdle to conducting business, so staff continue to use WhatsApp. The same is true of text messages.
The most striking example of this of course lies in the now-infamous action taken by the U.S. Securities and Exchange Commission (SEC) in September 2022, in which 15 broker-dealers were found to have “widespread and longstanding failures” surrounding their obligation to maintain and preserve electronic communications.
All 15 broker-dealers (and one affiliate investment adviser) had allowed “pervasive off-channel communications” to thrive on platforms such as WhatsApp and text messages. These communications happened underground, away from the prying eyes of the compliance team, meaning they weren’t able to be captured, retained, or monitored.
If you’re looking to weed out illicit communications, your banned and restricted messaging platforms should be the first place to look.
Corporate phones, once commonplace, are now considered a legacy hangover from the pre-digitization of the workplace. Bring Your Own Device (BYOD) has proliferated across most workplaces, including financial services.
While BYOD policies can save costs, they can also present new risks for financial institutions – especially when it comes to meeting requisite recordkeeping, capture, and monitoring rules. This is especially true because, without enabling a compliant communications application that keeps business and personal communication separate, the distinction between work and play can be easily confused.
In almost all of the above 15 SEC enforcements, employees had conducted business communications on personal devices. In the landmark case of JP Morgan, the SEC found that, for at least two years, its employees had “often communicated about securities business matters on their personal devices, using text messages, WhatsApp, and personal email accounts”. Because they were made on personal devices, none of these records were preserved.
What was particularly interesting in JP Morgan’s case is that these practices “were not hidden within the firm”; instead, they were “firm-wide”. Because JP Morgan could not find a solution to off-channel communication, it ran rife.
Personal devices are a headache for the compliance team, but will likely harbor numerous illicit communications. They should be the second place you consider.
Sometimes, it is not about where illicit communications can be found, but who may be using them. Astonishingly – or perhaps not – it is often the senior managers or executive team who are the most prolific users of off-channel communications. In a recent roundtable, hosted by Global Relay, a number of the attendees confessed that it was their CEOs or executive directors with whom they had the most compliance trouble.
Looking again at JP Morgan, the SEC noted that “supervisors, including managing directors, and other senior supervisors – the very people responsible for implementing and ensuring compliance” were using personal devices to communicate about business activity.
In another instance, FINRA took enforcement action against two senior managers in December 2022, for their continued use of off-channel communications despite several ample warnings from the compliance team.
It may not be where you’re looking, but instead who you should be looking at.
How to find illicit communications
Of course, the above all sounds good in theory, but when it comes to practically weeding out illicit communications, the reality is not as simple. How can a compliance team access an employee’s WhatsApp chat, for instance? How can you surveil their personal device? And how can you tell senior managers to stop using SMS when they don’t seem to care?
All of these questions were considered in the above-mentioned roundtable. Among other things, attendees said that they have used the following tactics:
Remind staff that they could face personal action for their use of illicit comms, or that the regulator could seize their personal phones in an investigation.
Look at emerging accountability rules and remind staff (including senior members) of their fiduciary duties and the potential for them to receive fines, disbarment, and potentially prison time if they are found to have enacted compliance failures.
Some attendees had set up lexicon searches within their communication archives to search for terms like “WhatsApp” or “take this offline” – to identify where conversations may have switched to an off-channel platform.
While none of the attendees issued corporate devices, they had heard of firms who issued corporate devices and then monitored calls/SMS on those devices.
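The lexicon search described above can be sketched as follows. This is an added example, not code from Global Relay or any roundtable attendee; the message fields, the regex variants (including "take it offline"), and the `messages_after` review heuristic are assumptions, and the archive rows are constructed.

```python
import re
import unicodedata
from collections import defaultdict

# The two terms quoted in the article, as patterns tolerant of case,
# spacing and hyphenation. The exact variants are assumptions.
LEXICON = {
    "WhatsApp": re.compile(r"\bwhats\s*app\b", re.I),
    "take this offline": re.compile(r"\btake\s+(?:this|it)\s+off[\s-]?line\b", re.I),
}

# Constructed sample of archived messages (hypothetical schema).
ARCHIVE = [
    {"conv": "c1", "ts": "2023-01-09T10:02:00", "sender": "trader.a",
     "text": "Client wants a price on the 5y."},
    {"conv": "c1", "ts": "2023-01-09T10:03:10", "sender": "trader.b",
     "text": "Let's take this off-line, ping me on Whats App."},
    {"conv": "c2", "ts": "2023-01-09T11:15:00", "sender": "sales.c",
     "text": "Reminder: WhatsApp is not an approved channel."},
    {"conv": "c2", "ts": "2023-01-09T11:16:00", "sender": "sales.d",
     "text": "Understood, thanks."},
    {"conv": "c3", "ts": "2023-01-09T12:00:00", "sender": "ops.e",
     "text": "What's happening with the offline backup job?"},
]

def find_channel_switches(messages):
    """Return lexicon hits, ordered so threads that end at the hit come first."""
    by_conv = defaultdict(list)
    for m in sorted(messages, key=lambda m: m["ts"]):
        by_conv[m["conv"]].append(m)
    hits = []
    for conv, msgs in by_conv.items():
        for i, m in enumerate(msgs):
            # Fold full-width and compatibility characters before matching.
            text = unicodedata.normalize("NFKC", m["text"])
            for term, pattern in LEXICON.items():
                if pattern.search(text):
                    hits.append({
                        "conv": conv, "ts": m["ts"], "sender": m["sender"],
                        "term": term,
                        # 0 means the archived thread stops at this message,
                        # which is where a move off-channel is most likely.
                        "messages_after": len(msgs) - i - 1,
                    })
    return sorted(hits, key=lambda h: (h["messages_after"], h["ts"]))

if __name__ == "__main__":
    for hit in find_channel_switches(ARCHIVE):
        print(hit)
```

A hit such as the policy reminder in `c2` shows why lexicon output is a review queue rather than a finding: the term appears, but the conversation continues on the archived channel.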
While helpful, none of these solutions created a watertight preventative solution for illicit communications.
Can you prevent the use of illicit comms?
In short, yes. However, the only way to prevent the use of illicit communications – which may appear counterintuitive at first – is to lift bans on messaging channels such as WhatsApp and enable employees to communicate in the way that works for them, and their customers.
By implementing tools, such as those provided by Global Relay, you can plug all business-related communication channels into one unified platform, whereby all communications data is captured, stored, and can be monitored and supervised. No channel is off limits, but all business-related communication is compliant.