Big Wall Street banks are being reprimanded for employees’ widespread use of unmonitored communication channels like WhatsApp.
In December, the Securities and Exchange Commission accused JPMorgan Securities of “widespread and longstanding failures by the company and its employees to maintain and preserve written communications.” JPMorgan agreed to pay $200 million in fines to the SEC and the Commodity Futures Trading Commission. The SEC said bank employees used WhatsApp, personal email and text messages to discuss business matters, and those interactions were not archived as required by federal securities laws.
“Supervisors, including managing directors and other senior supervisors – the very people charged with implementing and ensuring compliance with JPMS policies and procedures – used their personal devices to communicate about JPMS securities activities,” the SEC said in its announcement. The agency launched an industry-wide investigation that has now engulfed HSBC Holdings, Goldman Sachs and Citigroup. Deutsche Bank last week said it was carrying out an internal investigation into the extent to which staff used private messaging channels such as WhatsApp, suggesting it could also be part of a regulator’s crackdown.
The regulations have been in place for years: anyone dealing with securities transactions must communicate in such a way that they can be recorded, checked and archived. So why are so many big banks breaking the rules?
How WhatsApp Became Normal in Banking
Many factors have converged to make the use of WhatsApp so widespread in the industry.
“In many cases, employees are likely to respond reflexively to their customers who contact them on unapproved channels, because their customers are not subject to the same requirement to store all conversation history as banks,” noted Caitlin Long, a veteran of Wall Street banks and now CEO of Custodia Bank in Wyoming, a special-purpose deposit-taking institution set to launch in the second quarter. “If a customer reaches out through unapproved channels, one could see how this happens accidentally, but it is the responsibility of the compliance department of these banks to ensure that the laws are followed and to ensure that employees are trained not to reply in unapproved channels.”
In some cases, traders may have deliberately used back channels so that their conversations with counterparties weren’t archived, she noted.
“Banks just have to keep practicing over and over and over,” Long said. “If the customer contacts you outside of approved communication channels, you cannot respond.”
It’s a compliance gap between banks’ policy controls and what their employees actually do, said Robert Cruz, vice president of information governance at Smarsh, a compliance software company in Portland, Oregon.
Banks have well-defined policies governing how employees can communicate, “but chances are there are things they aren’t aware of or are happening in corners of the business on which they just don’t have visibility,” Cruz said.
The vast majority of banks work hard and want to do the right things, said Shiran Weitzman, CEO and founder of Shield, a Tel Aviv-based compliance software company.
But other regulations seemed more pressing and more harshly enforced, he noted, including anti-money laundering rules.
“I don’t think it was negligence, or someone doing something on purpose,” he said.
Some banks’ policies do not cover all forms of communication. For example, some did not specify what individuals can and cannot do with text messaging, Cruz said.
The pandemic has made monitoring employee communications more difficult as more people use personal phones and personal computers for work activities. Before the pandemic, sitting among co-workers created a certain social pressure that enforced bank policies, such as not using personal devices to communicate with customers. Remote work removed that pressure.
“When you’re home and just want to text someone, it feels natural,” Weitzman said. “I’m just making sure you got my email.” It’s a shortcut. And that’s human behavior, but it’s not allowed in the financial markets.
The pandemic has transformed Zoom and WhatsApp, technology big banks wouldn’t have considered letting employees use two years ago, into widely adopted channels, Weitzman said. Regulators were tolerant for the first six months of the pandemic, understanding that things had changed.
There’s also been an evolution in mobility that started with enterprise devices, said Brandon Carl, executive vice president of product strategy at Smarsh and a former executive at Nomura and Bank of America. Employees didn’t want to carry two phones, and companies started allowing people to bring their own devices to work. This led to people downloading messaging apps onto their devices even though their companies hadn’t approved the software.
Wall Street firms do a lot of due diligence on what software they officially allow employees to use. Major banks typically verify and support more than 100 different communication programs, Carl said. But now, he says, companies are receiving requests to support new communication channels at a rate of more than one a week because customers want to use these tools.
“The thinking is that if we don’t support it, we risk losing that client to someone else who will support it,” Carl said. “So the business imperative is there.”
When it comes to enforcing policies, banks weigh the benefits to the business against the potential risks and costs, Cruz noted.
“If a [communications] tool is used in the wrong way and the bank is subject to regulatory action, the calculation has been, the probability is low and the potential fine is not material to prioritize this at the top of the pile,” Cruz said.
Recent fines have changed this equation.
What Are the Banks Doing About It?
Banks don’t need to ban WhatsApp altogether, according to Cruz.
“It’s a channel that bank customers demand some form of access to,” he said. “And realistically, banning this stuff on personal devices is quite difficult.”
What banks need to do, in addition to employee training, is ensure that all of their communications are covered by compliance software that monitors and archives relevant employee communications and looks for red flags. Vendors of such software include Digital Reasoning, now owned by Smarsh; Shield; SteelEye; and Symphony.
Early versions of these programs searched for suspicious words and phrases. Today, because people who engage in market manipulation and other illegal behavior know they are being watched and know what words to avoid, the software has become more sophisticated.
“In the case where people are colluding to drive up a market rate, you want to find evidence that people are bragging about what they’re doing or secretly coordinating or that sort of thing,” Carl said. “If they’re sharing inside information, likewise, you want to find evidence of spreading rumors or information that shouldn’t be shared.”
As banks increase their use of surveillance, they must also consider employee privacy. More and more states and cities are writing new privacy laws.
“I suspect there will be a lot of lawsuits over the next five years regarding privacy rights,” said Brad Levy, president and chief commercial officer of Symphony. “You see it in health care. You see it in government employees. You’re going to see it on Wall Street now.”