Regulatory Update

The Implications and Next Steps for WhatsApp Compliance Violations

September 29, 2022by Robert Cruz

Subscribe to the Smarsh Blog Digest

Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Yesterday, the SEC released a broader list of firms that violated electronic communications recordkeeping requirements. These violations were due to the use of personal devices and specific applications such as WhatsApp. As we have previously written, there are several takeaways that firms should consider to better manage compliance gaps in this era of unprecedented regulatory focus on digital communications.

There are also three concepts mentioned in yesterday’s SEC release that merit further exploration:

1. Communications of business matters within only official channels

It can’t be stated too many times that this issue is NOT about WhatsApp; that is only a symptom of a larger challenge. Your compliance practices must stay in step with the communications tools that are demanded as the face of your business changes. New clients and employees are demanding to use tools that are familiar, accessible, and allows them to engage in a way that they’ve grown accustomed to as digital natives.

Put simply, the reality is that most firms will always have some form of compliance gap — defined as the difference between what tools are used by the business in practice and the current breadth of a firm’s compliance controls. WhatsApp will be soon replaced by TikTok, Telegram or whatever new tool that emerges that provides a more engaging, productive, and profitable experience for the business. The fact that these are happening on mobile devices will not change, only the capabilities of the applications.

It's also worth noting that the work-from-anywhere, post-pandemic world has done little to slow the arrival of new tools that users are seeking approval for use. We’ve heard some firms are now supporting over 100 different tools and continuing to add more than one per week.

So, staying up with the channels to anticipate what’s next is now drawing more attention from firms than ever before. Many have implemented governance counsels and other forms of due diligence to weigh the benefits of new technology to the firm against the regulatory, security, privacy, and discovery risks.

However, what is also being pointed out here is that a simply ‘yes/no’ decision regarding the business use of a channel is clearly insufficient. Understanding the features of each tool, the existence and availability of unsupported versions of the tool, and identification of possible alternatives to prohibited tools should all be baked into the policy analysis.

2. Maintaining and preserving those communications

It’s likely that firms will examine the methods they use to capture and preserve these emerging communications sources given the sources’ dynamic nature and unique combination of features and modalities.

Relying upon internally built methods, or those provided by tool vendors, to manually ‘collect’ are likely to draw increased scrutiny of regulators. The ability to incorporate purpose-built technology innovation here is paramount to keeping up with the channels. This also includes the ability to quickly pivot when platform vendors roll out new features or change methods of data access (such as APIs), which happens frequently.

Beyond capture, preservation and playback of multi-modal social channels is also significantly impacted by the choice of storage technology that can make it either easy – or next to impossible – to meet SEC storage requirements. Under SEC 17a-4, firms need to preserve “complete and accurate” historical records of the activity happening on each of those networks. In this area, technology selected to achieve this objective is clearly a central consideration.

3. Failing to reasonably supervise communications

Many firms have already implemented policies and lexicons to spot off-network or change-of-venue activities, such as flagging “TOL,” “txt me,” “dm @PurpleYogi on Discord,” etc. to spot potential violations.

Clearly, the cost of false negatives has increased dramatically. Firms can explore how to expand their inventory of flags by understanding the unique taxonomy and nomenclature of networks that they are concerned about.

Talking to Gen Z employees and interviewing clients and prospects can also help expand your repertoire of accepted tools. For larger firms, artificial intelligence and natural language processing-based solutions could also be great additions to your supervisory routine., These can help identify other prohibited tool usage hiding amongst the approved network communications.

Final thought

While policy, training, and technology are necessary elements of the equation, they are not always sufficient in safeguarding against employees with intent on wrongdoing. But given the message from the SEC and FINRA, firms need to leverage all available resources at their disposal to help shrink the ever-present compliance gaps.

Share this post!

Robert Cruz
Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

Get a Quote

Tell us about yourself, and we’ll be in touch right away.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Contact Us

Tell us about yourself, and we’ll be in touch right away.