Will the FCA crack down on WhatsApp? What happened and what’s next

Multiple U.S. and U.K. regulators have taken enforcement action against firms for off-channel communications on WhatsApp; however, the primary U.K. regulator has yet to make it a clear priority. What can we expect from the Financial Conduct Authority (FCA) going forward?

28 November 2023
By Kathryn Fallah

In brief:

  • Following enforcement action from several other regulators on communications compliance related to platforms like WhatsApp, industry players are questioning whether the FCA might be next to act
  • Over the last few years, the FCA’s focus has been on other areas, such as ESG, crypto, market competitiveness, and consumer trust
  • Previous statements and comments from the FCA suggest that more direct involvement for off-channel comms, including WhatsApp, could be on the regulator’s agenda in the future

Enforcement actions and stricter regulations around communications compliance have spurred financial organizations to action to get internal policies and retention processes under control.

As seen from regulatory enforcement results, such as those recently published by the U.S. Securities and Exchange Commission (SEC), fines for noncompliance continue to steepen, and it appears that no one is exempt from inquiry – even if their specific governing regulator hasn’t carried out investigations just yet.

The FCA and WhatsApp – what’s the deal?

So, what’s up with WhatsApp and the Financial Conduct Authority (FCA)? Amidst a string of enforcement actions from other regulators against firms and individuals alike for off-channel messaging and recordkeeping failures, the U.K.’s primary regulator has yet to focus its attention on communications compliance in the same way as its counterparts.

Regulators internationally – most notably the SEC in the U.S. – have put their foot down on communications noncompliance and have been pursuing enforcement over off-channel comms and recordkeeping. In August 2023, the U.S. regulator charged 11 Wall Street firms for recordkeeping failures on personal devices related to messaging applications like WhatsApp, iMessage, and Signal.

Since the SEC kicked off its series of enforcements at the end of 2021, financial organizations have been anticipating similar movements from the FCA. Considering the FCA’s mission to maintain fair conduct and consumer protection, it would make sense for the regulator to carry out its own investigations into firms’ communication policies and recordkeeping systems to ensure compliance with regulatory guidelines, as it relates to safeguarding market integrity, identifying misconduct, and upholding consumer protection.

Last year, we expected action from the FCA based on reported regulatory discussions about off-channel communications. Earlier in the year, it had been reported that the FCA was hosting discussions with a number of City firms regarding the use of personal devices. Despite expectations that the U.K. regulator would follow in other regulators’ footsteps and update guidelines around communications and recordkeeping rules, such as with the SEC’s updates to Rule 17a-4, Rule 18a-6, and the Marketing Rule, the regulator has instead focused its attention on other topics.

Surprisingly, other U.K. regulators, including the Prudential Regulation Authority (PRA) and Office of Gas and Electricity Markets (Ofgem), have taken measures to counter off-channel communications before the FCA.

In April 2023, the PRA issued a censure for regulatory failures over the span of several years, which included “poor retention of WhatsApp messages” as a main issue.

In August 2023, Ofgem issued a £5.4 million ($6.8 million) fine against Morgan Stanley & Co. International for recordkeeping failures related to electronic trading communications. These communications included messages on personal WhatsApp accounts.

Considering that the Ofgem fine was issued in response to violations of the Regulation on Wholesale Energy Market Integrity and Transparency (REMIT), which aims to protect the integrity and transparency of energy markets, it leaves firms wondering if the FCA will do the same in the name of U.K. financial market soundness. Will this move from Ofgem set the cadence of what’s to come, especially with the new year approaching?

A common trend in SEC enforcement actions has been assessing communication records over the years, including during the pandemic when remote work and instant messaging (IM) platform use were at an all-time high. The FCA did comment on remote and hybrid working expectations and emphasized recordkeeping and communications compliance at the beginning of the pandemic, but has not yet acted on conducting related investigations. Still, this could be a notable indication of what’s in prospect for the future.

The word on WhatsApp and other comms channels

Previous statements have established the FCA’s acknowledgement of WhatsApp, such as when it issued a fine in 2017 for personal misconduct related to sharing confidential information over the messaging platform. Although the focus was more on data privacy than the specific use of the WhatsApp channel, it goes to show that the regulator recognizes the role IM plays in functional financial operations.

In January 2021, the FCA also released a newsletter on market conduct and communications expectations, especially concerning remote working, and said it expects applications monitoring and enforcements against off-channel communications to “remain an area of focus” – including telephone conversation records.

In the newsletter, the regulator echoed the sentiment of several others in stressing the significance of policies and training by hinting at off-channel communications and personal liability risks. It said that it expects firms to have a “rigorous monitoring regime, commensurate to the increased risks, where in-scope activities may be conducted outside the controlled office environment.”

Further, FCA officials have commented on personal device use before, such as in October 2022 after a sequence of regulatory action related to communication and private messaging in the U.S.:

“We are actively discussing personal device use with a range of UK authorized firms, not limited to those who may have been subjected to other regulatory enquiries.”

In terms of communications and record retention regulations, the FCA has laid out rules in its Handbook related to electronic communications. These rules state that firms are required to record and retain all relevant communications, including electronic communications between the firm and a customer. The Handbook also states that firms must take steps to prevent employees from sending or receiving communications on non-firm owned equipment, or on equipment that the firm is unable to record or retain.

Additionally, the regulator has released guidance on social media, as stated in its Social media and customer communications document, which details that firms must keep communications records in a secured archive:

“Firms should also keep adequate records of any significant communications. As well as helping to protect consumers, these records enable the firm to deal effectively with any subsequent claims or complaints.”

The document mentions that firms should have an “adequate system in place to sign off digital media communications,” highlighting the criticality of an involved compliance team when it comes to communications platforms and policies. In the same vein, compliance teams are central to maintaining business operations and conformity with regulatory rules by overseeing proper policy management.

A regulatory rundown on communications compliance

Speeches from FCA officials have referenced global financial markets, as well as international collaboration and modernization in the industry, touching on themes around progressing technologies and industry transformations, including WhatsApp. Within these statements, however, the regulator mainly speaks to points like ESG-related classifications, innovation, market competitiveness, artificial intelligence, and data privacy.

While all these topics encompass themes that could involve communications applications, such as financial crimes related to sharing confidential information, for instance, and even comment on market innovation and technological advancements, they do not address the point head-on. This leaves the industry wondering – will the regulator continue to focus on related topics without taking direct action to investigate communications compliance? Or is something bigger on the horizon?

The FCA has recently been the subject of scrutiny from financial players, who have questioned its industry impact. In response to these concerns, it has set out guidelines and given statements on its mission to become more effective and assertive, addressing topics like market integrity, international collaboration, data strategy, and misconduct hindrance. These attempts to restructure its approach could lead financial organizations to believe that heavier involvement in business operations is en route.

Communications compliance on the calendar

In preparation for potential FCA action, and to promote healthy business culture overall, documenting and monitoring communications is a step all firms need to take to conform with industry standards, which the FCA even emphasized in its Market Watch newsletter:

“Without effective recording and monitoring controls, there is a real risk of loss of monitoring and surveillance capability, and the absence of protection through loss of evidence to resolve disputes between a firm and its clients over transaction terms. It is also vital to help with supervisory work, help deter and detect market abuse and to facilitate enforcement.”

In conjunction, as per the FCA’s recordkeeping rules, storing all communications in a foolproof archive is another vital step that financial organizations must take. Other regulators like the SEC and Commodity Futures Trading Commission have made it clear that they have a “zero-tolerance” stance on non-recorded conversations and data, and considering the tendency for U.S. and U.K. regulators to remain consistent with one another’s focuses, it is likely the FCA shares the same sentiment.

While the FCA has not made definite moves quite yet, every new statement, speech, and piece of guidance we’ve seen thus far implies a likelihood of further action, especially considering the regulator’s desire to pursue international collaboration and promote competitiveness. Regardless, it’s always better safe than sorry, especially when it comes to the financial industry, which means monitoring communications, storing data, and fostering a cooperative and transparent culture should be at the top of all firms’ lists.

As industry players speculate about the FCA’s coming movements based on recent developments and related action from other regulators, firms should cover their bases by utilizing a secure archive for data retention and employing a tool that captures all channels, such as WhatsApp, in preparation for what’s next.