Social and Mobile Apps: The Escalating Cost of Non-Compliance
Last updated: May 16, 2025
Off-channel communications are driving up compliance risk—and regulatory bodies are responding.
You’ve most likely seen the recent headlines: Big Bank X fined for use of WhatsApp, Global Bank Y fined for malicious text messages…
Maybe you’ve also noticed the increased focus and scrutiny from the SEC, FINRA, CFTC and other regulatory bodies via Regulatory Priorities letters. Or you’ve seen increased, expensive regulatory enforcement for improper or unauthorized use of digital communication tools.
Why regulatory risk is escalating for financial firms
A confluence of factors is forcing financial services firms to reevaluate their communications compliance strategies:
- Proliferation of new communications tools: New, easily accessible communication apps appeal to both employees and clients, especially digital natives
- Distributed workforce: Hybrid work makes the activities of remote staff more difficult to detect and monitor
- Market vulnerability: Less experienced investors may be drawn to platforms that also attract fraud and abuse
Legacy compliance models aren't working
Historically, firms weighed the benefits of new communications tools against associated compliance risks and costs.
Many firms relied on previous enforcement patterns since the passage of the original FINRA 11-39 rule on social media, or the later amendment that brought text and other messaging formats under FINRA 17-18. Here are a few enforcement examples from the last few years for reference:
- September 2020: A brokerage firm was fined $100,000 for willfully violating recordkeeping rules by allowing prohibited text message communications
- December 2021: The SEC and CFTC fined a global bank $200 million for failure to preserve records and for using text messages, WhatsApp and personal email accounts
- January 2025: The SEC fined 12 firms a combined $63 million for failing to preserve electronic communications conducted via unauthorized channels like WhatsApp and LinkedIn
A new era of regulatory enforcement
Regulators are now aggressively targeting digital communication, especially on personal devices.
This is not to imply that all firms are behaving negligently. It is more to suggest that the expected cost of such violations could easily have ranked lower on the investment priority list than items with a higher probability or history of larger regulatory fines. With the most recent regulatory actions in mind, it may be time to revisit that analysis.
How financial firms can improve digital communications compliance today
The simple starting point is for firms to ask themselves these questions:
1. Do you know what tools your employees are using?
Hybrid work has blurred the lines between personal and professional tools. Apps like WhatsApp or Signal are frequently used for business, even if prohibited. Firms need a real-time understanding of what tools employees use to communicate with clients and each other.
2. Is your benefit/risk/cost equation still accurate?
Previous enforcement patterns didn’t suggest high risk from texting or social media. That’s no longer true. Firms must reexamine the perceived value of new tools versus today's higher costs of misuse. They will need to rein in unapproved channels and tackle policies and procedures for the channels they’re using.
3. How frequently and systematically are you monitoring for use of prohibited messaging platforms?
Manual or ad-hoc inspections aren't enough. Every firm should be proactively monitoring for digital breadcrumbs indicating use of unapproved platforms like Discord or Telegram. Look for outside business activities (OBA) or other potential conflicts of interest that are likely happening on dark-corner platforms. The adage holds that those intent on wrongdoing will go where they believe they can avoid detection (just ask my teenagers).
4. When was the last time you updated your retention and acceptable use policies?
Too often, policies are outdated or skewed toward legacy platforms. Firms should evaluate:
- Are policies aligned with how business is conducted today?
- Have supported tools evolved (e.g., auto-generated transcripts, whiteboards, bots, etc.)?
- Are retention settings configured for modern hybrid workflows?
5. Are your training and attestation programs current?
Training on the appropriate use of emerging tools should not be static. It should be:
- Specific to the tools being used and the role of the individual using them
- Updated frequently
- Clear about consequences for activities that are prohibited
Firms need attestation programs that require employees to confirm their understanding — and allow leadership to monitor gaps in compliance.
How Smarsh can help
The cost of non-compliance is no longer theoretical. With regulators escalating enforcement and the continued use of mobile and social platforms by employees, now is the time to act.
Don’t wait for the next enforcement wave to disrupt your firm. Smarsh helps financial services organizations proactively manage digital communications risk — before regulators come knocking.