Andrew Arginovski

FCA Enters the Group Chat: Compliance Challenges of Using WhatsApp at Work



Back in August, I shared a BBC article on my LinkedIn that mentioned Morgan Stanley being fined £5.41 million after energy traders discussed business over WhatsApp on their private phones. It's the first fine of its kind to be issued under transparency rules: Ofgem, the energy regulator, said the bank breached rules requiring firms to record messages linked to energy trading (to deter market manipulation and insider trading, of course). And in April, the Prudential Regulation Authority issued a censure to a (now inactive) bank, highlighting poor retention of WhatsApp messages as a key failure.


With WhatsApp's user-friendly interface and widespread adoption, it's become a preferred communication channel for finance professionals. The ease of sharing information, quick decision-making, and real-time updates make it attractive for use, and off-channel communication is now all too common after firms' staff and clients shifted online during the pandemic.


However, the very features that make WhatsApp popular also pose significant compliance challenges. With no specific regulatory restrictions on the types of technologies or apps firms can use for communications, is an FCA regulatory crackdown on the horizon?


WhatsApp Use and Regulatory Scrutiny


The FCA has discussed the US Securities and Exchange Commission's crackdown on "unauthorised" messaging apps with officials, in a sign that the regulator could be probing how regulated firms in the UK use tools like WhatsApp.


The SEC has issued firms with more than $2 billion in fines over the last two years, and remains concerned about a lack of audit trail when professional discussions are held outside of work protocols. Although the FCA and PRA in the UK have grown concerned about the potential risks associated with the use of messaging platforms like WhatsApp, a crackdown has yet to happen. The FCA fined an investment banker in 2017 for sharing client confidential information over WhatsApp. However, it appears the issue related to the sharing of confidential information with a personal acquaintance and a friend, rather than the actual use of WhatsApp; it was the inappropriate use of WhatsApp that triggered the investigation.


Financial News (FN) London mentions a conversation with Matt Smith, Chief Executive of market surveillance firm SteelEye: "In conversations with UK-based compliance professionals, we know that their US colleagues are feeling the heat from the SEC on WhatsApp record-keeping. It's also clear that if the same thing was asked of them by the FCA that they would also be unable to deliver."


So what are the key compliance challenges? Some include the following:


  • Record-keeping Issues: Regulators emphasise the importance of maintaining accurate and complete records of all communications related to financial transactions. The end-to-end encryption feature of WhatsApp complicates this requirement, as it limits the ability to capture and store messages for regulatory purposes.

  • Data Security Issues: The sensitive nature of financial information exchanged on WhatsApp raises concerns about data security. Regulated firms must ensure that client information remains confidential and protected from unauthorised access.

  • Lack of Compliance Training: Employees may not be fully aware of the compliance implications of using WhatsApp for business communication. Proper training and awareness programs are essential to ensure that staff members understand the regulatory landscape and adhere to compliance guidelines.


ComputerWeekly.com provides a case scenario of using WhatsApp for work and where it can go wrong: "... We both work at a bank and I mention to you on WhatsApp that the brass are considering the launch of a new mortgage offer, with a very unusual repayment scheme; you forward it to your friend Bill at another branch, but inadvertently send it to another Bill who you went to school with, and he works at a rival.... There is also the issue of a cyber attack or scam issue, with threat actors infiltrating the app and abusing it for their nefarious ends."


WhatsNext?


FN London mentions that compliance experts in the UK have been expecting stricter oversight of messaging from the FCA. In response to a question about the SEC's crackdown on the use of WhatsApp for finance messages, the FCA's Sarah Pritchard acknowledged that keeping up communications with the SEC is "something we absolutely do, and that is something we have been doing with the US authorities in relation to the concerns...highlighted".


Whilst we don't know how hard a line UK regulators may take or how intense their focus will be, regulated firms should use the following steps to address the compliance challenges associated with WhatsApp use:


1. Update Your Compliance Policies

  • Do you have compliance policies and procedures in place, such as Data Security and IT Security, Risk Management, Incident and Breach Reporting and Fraud Prevention, that cover the range of communication channels on business and personal devices? It's important that policies explicitly address the use of messaging platforms, outlining acceptable practices and potential consequences for non-compliance.

  • Regularly review and update these policies to reflect the latest regulatory guidance.

  • What steps are taken to monitor communications that are prohibited? These should form part of your policies and procedures.

2. BYOD and Secure Messaging Platforms

  • Have you got bring-your-own-device policies in place, or do you issue business devices to staff? And do you have the processes in place to record all business-related communication and transactions?

  • Consider adopting messaging platforms designed specifically for business use, with built-in compliance features. These platforms often provide secure communication channels and facilitate record-keeping to meet regulatory requirements.

3. Staff Training

  • Do your staff know what to expect when communicating through these channels in line with your firm's policies and procedures?

  • Develop training programs to educate staff on the compliance risks associated with WhatsApp and similar platforms.

  • Perhaps ask for staff to sign attestations that they are communicating with current and prospective clients properly.


How can Compliance Angle help?


In all cases, Compliance Angle can help firms understand the recording obligations and assist with advising, drafting and reviewing the Record Retention and IT and Data Security policies, controls and oversight to ensure that these are met. Get in touch by sending an email to info@complianceangle.co.uk or calling 07427792594.

