Recent regulatory sanctions against some banks, such as the fine of $200 million for JPMorgan Chase & Co for using WhatsApp, have caused many firms and individuals to reflect on their use of communication channels for business purposes. Other large banks expect similar fines and have made provisions of over $1 billion to cover litigation and regulatory action.
Mark Steward, the executive director of enforcement and market oversight at the FCA, has called the use of such apps "self-evidently suspicious". He has told Financial News: "All of these encrypted apps and their use potentially by people in the workplace is enormously… something on our radar."
The root of the problem lies in that the regulators want firms to take reasonable steps to record telephone conversations and other electronic communications related to regulated activities. Firms must identify calls and communications that are within scope and ensure that they are "recorded and auditable".
1. Why record business communications?
Recital 57 of the MiFID II explains the need to record communications:
"…records should ensure that there is evidence to prove the terms of any orders given by clients and its correspondence with transactions executed by the investment firms, as well as to detect any behaviour that may have relevance in terms of market abuse, including when firms deal on own account."
In practice, firms that carry out in-scope activities must record business-related communications or risk getting slapped with massive fines, among other penalties.
2. What are the consequences of getting it wrong?
Failing to record in-scope conversations properly can be financially devastating for firms, as the $200m fine handed to JP Morgan shows.
In this case, the fine issued by US regulators was because the firm knew that individuals were using unapproved channels - WhatsApp - to discuss regulated activities. There was a known gap in their recording and surveillance, which remained unaddressed.
From disclosures made in company results, we know that several other banking giants, such as Goldman Sachs, Credit Suisse, and Bank of America, are also expecting prosecutions for what may be similar gaps in their recording systems.
3. What are in-scope activities?
Activities in-scope, which firms must record, involve carrying out any of the following:
- Bringing about deals in investments
- Dealing in investments as an agent or principal
- Managing investments
- Managing a UK UCITS (Undertakings for the Collective Investment in Transferable Securities), when this involves investment management
- Managing an AIF (Alternative Investment Fund), when this involves portfolio management
- Establishing, operating or winding up a collective investment scheme, when this involves scheme management
4. What business communication gets recorded?
Firms mainly need to record activities that directly relate to the conclusion of a transaction or are likely to result in a transaction concerning financial instruments.
They also need to identify communications intended to lead up to these activities. In addition, firms need to record if there is a reasonable prospect of such activities being performed. Depending on the circumstances, this may also include internal conversations concerning in-scope activities.
5. How to conduct work business on work systems?
The most important thing to keep in mind is that firms can only fulfil recording obligations on equipment permitted to be used for business purposes. Such equipment needs to be able to ingest data from them for recording and surveillance purposes.
Some firms have started approving WhatsApp and other channels for business use because software can now record those channels. But not every firm on the street has that capability. It takes considerable time and money to record these channels, so recording them to enable their use will ultimately be a commercial decision.
This could mean you find yourself on a channel for which only one or two parties are recorded. Always clarify with other parties on channels you are using that the communication is being recorded for business purposes and switch channels if any party is not recorded.
Want to learn more about FCA Compliance?
To help you plan and execute compliance in your organisation, we have created a comprehensive SMCR roadmap.
We also have 80+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
If you'd like to stay up to date with FCA best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast FCA Compliance Bulletin.
Last but not least, you can interact in person with thought leaders and your peers at one of our popular live webinars and face-to-face events.
If you've any questions or concerns about compliance or e-learning, please get in touch.
We're happy to help!