Regulatory scrutiny of WhatsApp use for business communications

Published on May 5, 2022 by Rekha Narasimhan and Mahima Sahney

While it would seem convenient to share information with just the click of a button rather than by logging into a business system, the fact is that this would be an easy route to getting a penalty imposed by regulators. Over the past few years, we have witnessed enormous technological advancement, and with the current pandemic situation, the world has seen a shift away from legacy methods of communication. Social media platforms such as Signal, Telegram, V-Chat and WhatsApp have fast gained ground as effective modes of daily communication. On the flip side, employees have made WhatsApp and other text messaging applications a regular channel for business communication without being aware that the use of these for business is strictly prohibited. While, on the personal front, such applications have helped people stay connected, they have created a number of challenges on the professional front, particularly in relation to financial institutions’ compliance and governance requirements.

Why are we talking about WhatsApp?

Over the past few years, regulators have been taking stringent action against financial institutions for the use of WhatsApp and other texting and messaging applications. US regulators recently fined a leading financial firm USD200m for failure to preserve communication conducted through unapproved channels, including WhatsApp, text and other external chat platforms. US regulators have also been investigating other asset management firms and leading investment banks on the use of WhatsApp for business purposes. In 2017 and 2019, UK regulators levied fines on bankers and financial firms for exchanging business-related confidential information and securities-related communications over WhatsApp. In the past 10 years, WhatsApp has grown manifold in terms of its number of users, and the highest growth was recorded during the COVID-19 pandemic.

What do regulators want?

Financial institutions, especially broker-dealers and investment banks, are required to preserve records of all ongoing communications within the firm, outside of the firm and with clients. The record-keeping requirement includes a condition that firms should identify, store and maintain communications (at least for seven years) in a readable, non-editable format that can be presented and used for audit purposes (Securities Exchange Act Rules 17a-3 and 17a-4). Firms are expected to record all communications irrespective of the platform used to conduct business. Owing to recent progressions in messaging applications, such as the advanced features that allow the automatic deletion of messages after a certain period, it has become challenging for firms to maintain records. Regulators rely on firms’ approved channels of communication as these are secure and encrypted, ensuring easier surveillance. The use of external communication mediums is against policy and could lead to, but is not limited to, data loss, information leaks and malpractices such as insider trading, tipping and fraud.

What are the consequences of non-compliance?

Financial institutions need to keep an eye on all communication channels and develop centralised governance practices. Using unapproved channels of communication can obstruct a firm’s requirement to preserve records and produce data in answer to regulatory investigations and inquiries. Such non-compliance can lead to severe penalties from regulators, damage to reputation, leak of material non-public information (MNPI), insider trading, financial losses and other adverse effects to the firm.

Below are a few case studies that showcase the repercussions of the use of WhatsApp for business purposes:

A leading global financial asset manager was recently fined a total of USD200m by the US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) for allowing its employees to conduct business through WhatsApp. The firm acknowledged that many employees, including senior leaders responsible for compliance, used personal devices and unapproved channels for business purposes. The firm also failed to preserve the communication from the staff on emails, personal mobile devices or other messaging apps.

In 2019, the UK’s Financial Conduct Authority (FCA) filed criminal charges against an investment banker of a leading investment bank, under the Financial Services and Markets Act. The banker had been under investigation by the FCA for insider trading; he deleted all the communication on his phone conducted through WhatsApp when he was asked to produce them as evidence in the case.

In 2017, the FCA imposed a fine of GBP53,140 on an investment banker for sharing a client’s confidential information over WhatsApp. He acknowledged that he had shared information related to clients and deals with unauthorised parties via WhatsApp. One of his friends, who was also a client of the firm, was a recipient of confidential competitor information.

What are the preventive measures firms can take to avoid non-compliance?

Firms’ policies and procedures play an important role in helping employees understand the dos and don’ts of its code of conduct. Each employee should be aware of the risk associated with their actions and non-compliance.

The following are key points a firm can use to ensure effective monitoring of business communications and compliance with regulatory stipulations:

• Send periodic reminders and conduct training sessions for employees on the rules and guidelines around approved channels and devices for business communication

• Use data loss prevention alerts and internal controls to avoid dissemination of internal, confidential and material non-public information to external parties

• Employees working from home or office should only use devices provided by their firms and should not take pictures and screenshots of information on personal devices. Firms should implement systems to block screenshots and not allow printing of documents that contain MNPI

• If firms are allowing employees to use text messaging applications such as WhatsApp for business purposes, they should adhere to all the record-keeping requirements listed by regulators

• Firms should use a mix of lexicon and random searches as part of their ongoing surveillance of employees’ communications, and these should include targeted keywords and phrases

• Firms should also conduct targeted searches for any high-risk individuals and scrutinise suspicious behaviour of employees

• Any business communication conducted through a platform meant for personal use should be notified to the compliance officer at the earliest and should not be deleted

It is always better to err on the side of caution than to be sorry in this fast-paced competitive corporate world. Every firm must closely watch regulators’ guidelines and ensure adherence to these policies. Firms should conduct repeated checks on employee communication and behaviour. It is the responsibility of not just the firm but also every individual connected with it to adhere to rules, avoid non-compliance and protect the reputation of the firm.

---

---