Social and Mobile Apps: The Escalating Cost of Non-Compliance
You’ve most likely seen the recent headlines: Big Bank X fined for use of WhatsApp, Global Bank Y fined for malicious text messages, broker-dealer firm fined for lack of oversight of a rogue broker operating under the alter ego of “Roaring Kitty” on Reddit…
Maybe you’ve also noticed the increased focus and scrutiny from the SEC, FINRA, CFTC and other regulatory bodies via Regulatory Priorities letters. Or you’ve seen increased, expensive regulatory enforcement for improper or unauthorized use of digital communications.
How are financial services firms re-evaluating in this environment?
We see a confluence of factors at play:
- A plethora of new communications tools that are familiar and easily accessible to a new generation of clients and staff
- A distributed workforce, where the activities of remote staff are more difficult to detect and monitor
- Market conditions (until events of the past few days) that are attractive to a segment of investors who are less experienced and more susceptible to fraud, schemes and market abuse
Buried underneath this is the analysis that firms have historically made in evaluating new communications tools in terms of assessing the business benefits against the risks and costs associated with those tools. Since the onset of the pandemic, the arrival rate of requests to support new tools has accelerated significantly. For any firm, large or small, this represents a tax upon compliance staff who fight to keep up with tools that they’ve already chosen to support.
Additionally, in weighing the potential risk and cost of regulatory action resulting from the misuse of these technologies, some may have relied upon previous enforcement patterns since the passage of the original FINRA 11-39 rule on social media, or the latter amendment to include text and other messaging formats under FINRA 17-18. Here are a few enforcement examples from the last few years for reference:
- In January of 2016, FINRA fined an investment bank $1.5 million for electronic communication failures including failure to retain electronic records in WORM format and failure to retain text message communications from company-issued devices
- In July of 2016, FINRA fined a brokerage firm $50,000 for failing to retain business-related communications including Bloomberg messages and WhatsApp instant messages
- In September of 2020, FINRA fined a brokerage firm $100,000 for willfully violating recordkeeping rules by allowing prohibited text message communications
- In December 2021, the SEC and CFTC fined a global bank $200 million for failure to preserve records after the bank admitted that its employees often communicated about securities business matters on their personal devices and for using text messages, WhatsApp and personal email accounts
- In February of 2022, a UK-based bank alerted investors in their 2021 results that they are under investigation by the CFTC over the use of unapproved messaging platforms for business communications, including WhatsApp
With the recent announcement that the SEC opened a broad inquiry into how Wall Street banks are keeping track of employee’s digital communications, particularly whether these banks have been adequately documenting employees' work-related communications such as text messages and emails, with a focus on their personal devices, we expect to see more fines in the coming year.
This is not to imply that all firms are behaving negligently. It is more to suggest that the time and expected negative outcome could have easily been lower on the investment priority list than items with a higher probability or history of larger regulatory fines. With the most recent regulatory actions in mind, it may be time to revisit that analysis.
Since the onset of the pandemic, the arrival rate of requests to support new tools has accelerated significantly. For any firm, large or small, this represents a tax upon compliance staff who fight to keep up with tools that they’ve already chosen to support.
What firms can do now
The simple starting point is for firms to ask themselves these questions:
Do you really know what tools are being used by your employees to communicate with the market and collaborate internally?
The pandemic and hybrid work have reduced visibility into how individuals are getting their jobs done and makes tools that are familiar and comfortable like mobile apps more likely to cross over from personal lives into business activities. This caught some firms off guard, but others had already been experiencing a shift as younger employees and clients had been pushing firms toward supporting new communications tools such as WhatsApp and other social apps.
Is your benefit/risk/cost equation still accurate?
In comparison to the $200 million fine, regulators have not previously identified deficiencies for social media and text with such ferocity. Fines have historically been much smaller and centered on email, WORM format, text, or generally “electronic communications.” Larger fines were typically seen with long-running deficiencies in recordkeeping. Since 2021, fines have spiked, and the SEC is conducting sweep exams. The combined effect of more retail investors in the market, who prefer using newer tools, which attract scammers and fraud, has gotten the attention of regulators.
Most firms will evaluate the benefits they would gain by allowing use of new tools against the cost and risk of them being used inappropriately. They need to reign in unapproved channels and tackle policies and procedures for the channels they’re using.
How frequently and systemically are you monitoring for use of prohibited networks?
Many firms have defined processes to periodically inspect for the use of prohibited tools (e.g., looking for breadcrumbs indicating that a specific platform like Discord is being used), but practices remain ad-hoc and semi-automated. Every firm should have front-line policies to look for outside business activities (OBA) or other potential conflicts of interest that are likely happening on dark-corner platforms. The adage holds that those with intent on wrongdoing will go where they believe they can avoid detection (just ask my teenagers).
When was the last time you updated your acceptable use and retention policies?
For many firms, reviewing retention policies is not the most exciting way to spend one’s day, but communications policies can easily become out of date or even unintentionally biased towards central IT-controlled tools that we used back in the office. Additionally, firms may not be updating those policies based upon new features or capabilities of tools that they already support (e.g., auto-generated transcripts, whiteboards, bots, etc.). It may be time for firms to make sure that policies are aligned with how business is being conducted today
What training and attestation programs are in place to ensure employees know what to do?
Training on the appropriate use of emerging tools should not be static – it should be specific to the tools being used, the role of the individual using them, with clear consequences laid out for activities that are prohibited. Many firms did not have the ability to take this step at the outset of the pandemic, but with the likely future of hybrid work lying ahead of us, now is the time.
How Smarsh can help
Financial firms must come to terms with many mitigating factors. The workplace has changed, and the regulators expect due diligence in a digital world. Fortunately, there’s good news. With a scalable, end-to-end solution for capturing, archiving, supervising and making sense of digital communications data, firms can ensure compliance and manage risk comprehensively. And avoid being the next headline.
Share this post!
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.