UK regulators take aim at WhatsApp: is this the first domino to fall?
The UK’s Prudential Regulation Authority has censured a bank for wide-ranging regulatory failings, including a lack of formal record keeping procedures to manage or retain WhatsApp messages.
The United States, over the past two years, has firmly positioned recordkeeping and compliant communication at the forefront of its regulatory agenda. In Fiscal Year 2022, U.S. regulators issued more than $2bn in regulatory fines to firms that failed to adequately monitor, capture and retain messages sent for business purposes across a range of channels. U.K. regulators, in comparison, have been focussed on other things – Consumer Duty and Operational Resilience, to name but a few.
At a recent Global Relay roundtable for U.K. Hedge Funds, one Chief Compliance Officer said that they hoped to see enforcement action from U.K. regulators surrounding communication methods as it would give them a stronger standing to 1) get senior-leader buy in for compliance technology, and 2) encourage employees to comply with the policies and procedures they had in place.
In October 2022, CityAM reported that the Financial Conduct Authority (FCA) was holding discussions with a number of City firms regarding the use of personal devices for business communications. We subsequently asked compliance officers whether, in light of the FCA’s notice, they were worried about increased regulatory action in the U.K. Almost 50% said that they were anticipating action from U.K. regulators, with almost 40% saying they were taking proactive steps ahead of the predicted enhanced scrutiny.
The stars slowly aligned to suggest that U.K. regulators would soon add recordkeeping and compliant communications to their priorities, and the industry has waited with bated breath. Until now…
Censure for “significant regulatory failings”
On April 4, 2023, the Prudential Regulation Authority (PRA) issued a now-inactive bank with a censure for “wide ranging significant regulatory failings” that occurred between December 2016 and May 2020. Among those regulatory failings, the PRA highlighted “poor retention of WhatsApp messages” as a key failure.
The breach, according to the PRA, was serious enough to justify a “substantial fine of £8,515,000”; however, given that the bank is in wind-down and has limited financial resources, the PRA instead issued a censure.
In the 3.5-year period between December 2016 and May 2020, the firm had not adopted or implemented policies or procedures surrounding the “retention of business-related correspondence and records”. Senior executives and directors within the organization had communicated “through formal and informal” channels.
In some instances, senior execs, directors, and external parties had used WhatsApp on personal and corporate-issued devices to discuss things such as potential transactions and business strategy. Despite the WhatsApp usage, the firm had “no formal record keeping policies or procedures in place to manage or retain” messages sent in the app.
The bank did keep minutes from Board and committee meetings, but where business-related conversations were then held on WhatsApp, the firm had no formal policy or procedural structure to capture or retain them. As well as lacking policies and procedures for the retention of WhatsApp messages, the firm had no policies or procedures governing the ability to retrieve business-related messages from users’ devices.
The PRA found that, in the absence of an appropriate recordkeeping framework, the Board and the firm’s risk function were “hindered in their ability to exercise effective scrutiny and oversight of the firm’s business proposals and transactions”.
Moreover, the PRA found that the firm failed to comply with recordkeeping Rule 2.1 because it “failed to keep sufficient records to enable the PRA to both effectively supervise the firm and carry out its investigation into the firm”.
Following news that the FCA had sent information requests to some City firms regarding their use of off-channel communications, it is likely that this action from the PRA is the first domino to fall, with further regulatory action around the corner.
This may not come as a surprise to compliance teams who have watched across the water as U.S. counterparts face eye-watering fines for non-compliant communications. What remains unknown is how aggressively U.K. regulators might act. Will we see fines in the hundreds of millions, as seen in the U.S., or will we see a more sympathetic approach?
Either way, U.K.-based firms should use this action to take stock of their current position on communications:
+ Do you have policies and procedures that cover the gamut of communication channels on both personal and business devices?
+ Do you enable bring-your-own-device (BYOD) policies, or issue corporate devices? Either way, do you have a means of capturing all business-related communication?
+ Do your employees know what is expected of them when it comes to communicating in a way that is commensurate with your business policies and procedures?
+ What steps are being taken to monitor for off-channel or illicit comms, and what happens when illicit comms are uncovered?
+ Do you ask employees to sign attestations that they are communicating appropriately?
+ Do you run spot-checks to detect potential non-compliance within the workforce?
The time to act is now, to avoid becoming a future test case for the U.K. regulator.
Compliant communications are at the heart of our business. We have solutions for every stage of your communication journey – from capture and retention in our world-leading Archive, to AI-enabled supervision and monitoring.
The Global Relay App allows you to enable WhatsApp and empower employees to communicate compliantly for text, voice, and instant message across personal and corporate devices.