5 Steps to Prevent WhatsApp Compliance Fines

Posted by David Mangion on 24 Aug 2022

Firms are facing scrutiny over their use of unapproved messaging apps like WhatsApp, Signal and Telegram. Learn how to stay on the right side of the regulators.


This scrutiny follows a crackdown by regulators in the US and sanctions against Wall Street banks. In a wide-ranging investigation, dozens of banks - including Citi, Bank of America, Goldman Sachs, JP Morgan Chase & Co, and others - have been given fines totalling $2 billion by the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC).

Regulators found that bankers routinely sent private messages to clients and colleagues, between January 2018 and September 2021, without those conversations being properly logged and captured, in breach of their record-keeping obligations.

Bad habits that began during the pandemic apparently continued back in the office. Investigations revealed that over 2,400 messages were sent in one year alone by one of JP Morgan's most prolific WhatsApp users.

Meanwhile, at Bank of America, a trading desk head advised colleagues to delete messages and switch to Signal instead during the CFTC investigation. Other banks expect similar fines and have made provisions of over $1 billion to cover litigation and regulatory action.

Mark Steward, the former executive director of enforcement and market oversight at the FCA, has called the use of such apps "self-evidently suspicious". He told Financial News: "All of these encrypted apps and their use potentially by people in the workplace is enormously… something on our radar."

With more fines expected and the focus now shifting onto hedge funds, regulators are reminding firms of their obligations and urging them to take reasonable steps to monitor and capture telephone conversations and other electronic communications related to regulated activities.

Firms must identify calls and communications that are within scope and ensure that they are "recorded and auditable".


1. Why record business communications?

Recital 57 of MiFID II explains the need to record communications:

"…records should ensure that there is evidence to prove the terms of any orders given by clients and its correspondence with transactions executed by the investment firms, as well as to detect any behaviour that may have relevance in terms of market abuse, including when firms deal on own account."

In practice, firms that carry out in-scope activities must capture all business-related communications in a durable medium or risk getting slapped with massive fines, among other penalties.


2. What are the consequences of getting it wrong?

Failing to record in-scope conversations properly can be financially devastating for firms, as the $2 billion+ fines show.

In all cases, the fines were issued by US regulators because the firm knew that individuals were using unauthorised channels - such as WhatsApp - to discuss regulated activities. There was a known gap in their recording, monitoring and surveillance, which remained unaddressed.

There can be personal consequences too. From media reports, we know that Morgan Stanley, Deutsche Bank, Citigroup, Barclays, and others, are now clawing back bonuses or docking future pay from individuals to help recover the cost of fines for unauthorised use of messaging apps like WhatsApp and Signal.


3. What are in-scope activities?

In-scope activities, which firms must record, involve carrying out any of the following:

  • Bringing about deals in investments
  • Dealing in investments as an agent or principal
  • Managing investments
  • Managing a UK UCITS (Undertakings for the Collective Investment in Transferable Securities), when this involves investment management
  • Managing an AIF (Alternative Investment Fund), when this involves portfolio management
  • Establishing, operating or winding up a collective investment scheme, when this involves scheme management

In practice, however, you need to ensure that any business communications with clients take place on approved channels only, so they can be properly logged, captured and monitored.

4. What business communication gets recorded?

Firms primarily need to record activities that directly relate to the conclusion of a transaction or are likely to result in a transaction concerning financial instruments.

They also need to identify communications intended to lead up to these activities. In addition, firms need to record if there is a reasonable prospect of such activities being performed. Depending on the circumstances, this may also include internal conversations concerning in-scope activities.

In Wealth, personal or logistical messages (such as "See you at 2pm" or "Document received, thanks") may be permitted (check company policy), but you need to be vigilant as there is often the potential for such messages to escalate and stray into high-risk areas and advice.


5. How to stay compliant & conduct business on approved systems?

The most important thing to keep in mind is that firms can only fulfil recording obligations on equipment that is authorised and approved for business purposes. Firms need to be able to ingest data from that equipment for recording and surveillance purposes.

Increasingly, firms are adopting compliant tools (such as Movius, Symphony, LeapXpert, Voxsmart, etc.) which integrate third-party communications software in one system, enabling everything to be captured.

However, not all firms have this capability, so check whether your own firm has rolled this out or recommends alternatives (such as the messaging functions on the Bloomberg Terminal).

Obviously, this could mean you find yourself on a channel for which only one or two parties are recorded. Always clarify with other parties on channels you are using that the communication is being recorded for business purposes, and switch channels if any party is not recorded.

Be aware that if a client sends you a message on an unapproved or ephemeral messaging app (e.g. Snapchat, Signal or Telegram), you must move the conversation back to your firm's authorised channels right away.


Want to learn more about FCA Compliance?

We have created an SMCR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of FCA Courses.

We also have over 100 free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.

FCA Compliance Bulletin


Our monthly email provides best practices, expert opinions, industry insights, news and key trends in FCA regulatory compliance training, digital learning, and RegTech.