Regulatory Update

WhatsApp on FINRA’s Regulatory Radar

June 23, 2022by Marianna Shafir Esq.

Subscribe to the Smarsh Blog Digest

Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

The issue

A broker-dealer firm was fined $50,000 for failing to capture, review and retain business-related WhatsApp messages.

The firm’s written supervisory procedures (WSPs) prohibited the use of instant messages for business purposes unless the firm granted individual permission. If granted, the firm’s procedures would have obligated the firm to capture, retain, and monitor that individual’s instant messages. In this case, the firm did not grant permission.

Moreover, the firm had no procedures to ensure that its representatives were complying with the prohibition policy. In fact, the firm was aware that multiple representatives were using their personal mobile devices to communicate with their customers via WhatsApp — and that these communications were often business-related. Yet, the firm failed to take any action to either stop this practice or preserve and monitor business-related communications sent or received in this manner.

The rules

As a result, between 2016 and 2019, the firm failed to capture, review or retain
more than 10,000 business-related WhatsApp messages sent or received by 20 different firm representatives. The messages were deemed business-related because they included information about customers, accounts, investments or other aspects of the firm’s securities business.

In this case, the following rules would apply:

FINRA Rule 4511 requires each FINRA member to make and preserve books and
records as required under FINRA Rules, the Exchange Act, and the applicable Exchange Act rules.

Exchange Act Rule 17a-4(b)(4) requires each FINRA member to preserve all communications relating to its business for a period of not less than three years, including instant messages.

FINRA Rule 3110 requires each member to establish and maintain a system to supervise the activities of each associated person, that is reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules.

FINRA Rule 3110(b)(4) requires a firm to review incoming and outgoing digital correspondence of its registered representatives relating to its securities business.

FINRA Rule 2010 provides that a member, in the conduct of its business, shall observe high standards of commercial honor, and just and equitable principles of trade. Violations of FINRA Rule 4511 and Exchange Act provisions also violate FINRA Rule 2010.

Firms should enlist a third-party provider to assist with the retention of Whatsapp to comply with the regulatory obligations. Third-party provider solutions place software on an individual’s cell phone that captures IMs — including those sent via WhatsApp and WeChat — and sends the IM to an email address specified by the firm.

The takeaway

Clearly, regulators are cracking down on the review and retention of business-related digital communications. Here are a few considerations for staying compliant.

WSPs are non-negotiable
One of the most frequently cited violations is the failure to implement and follow WSPs. Firms must be consistent with their WSPs when it comes to retaining and reviewing digital communications. Not following policies and procedures is just as bad as not having any in the first place.

Prohibition policies aren’t the solution
As exemplified in the enforcement case above, prohibition policies for communications channels are not effective. Instead, firms can enable these convenient channels by enlisting a compliance-focused technology solution that can capture, preserve and monitor communications through all popular channels  including encrypted applications such as WhatsApp and WeChat.

Supervision technology is key
Instant messages and other communications should be reviewed with a risk-based approach through targeted supervision technology, using lexicons, random sampling, and machine learning for precision. With the right solution, messages can be flagged for review by compliance to determine if they are in violation of communications policy or reveal possible customer complaints, employee misconduct or malfeasance, or a violation of FINRA rules.

The financial services industry and how people conduct business within it continues to evolve. Firms must leverage innovative compliance technology to enable staff and customers to communicate, meet regulatory compliance obligations, avoid public mishaps, and stay ahead of the competition.

Share this post!

Marianna Shafir Esq.
Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

Get a Quote

Tell us about yourself, and we’ll be in touch right away.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Contact Us

Tell us about yourself, and we’ll be in touch right away.