Banks kept hanging on WhatsApp record-keeping probe

IFR 2513 - 09 Dec 2023 - 15 Dec 2023
3 min read
Americas, EMEA
Christopher Spink

Banks and other financial institutions are still waiting to see if UK and European regulators will follow the lead of their US counterparts and apply fines for failing to properly monitor and record staff electronic communications.

The Securities and Exchange Commission and the Commodity Futures Trading Commission have between them levied more than US$2.5bn in fines over the past two years on 18 different firms, banks, fund managers and intermediaries, but the UK’s Financial Conduct Authority has yet to take action.

The fines have largely related to record-keeping failures for chat apps, such as WhatsApp, Signal or simple texts. Such apps tend to be used on employees’ personal devices, making it harder to monitor their use.

Major Wall Street banks – Wells Fargo, JP Morgan, Bank of America, Citigroup, Goldman Sachs, Morgan Stanley, Barclays, Deutsche Bank, UBS and Credit Suisse – have each had to pay the SEC US$125m and varying amounts to the CFTC. Smaller players have also paid fines to both the SEC and CFTC.

Shortly after the first suite of fines in September 2022, the FCA was reported to be seeking information from several firms. And in October Sarah Pritchard, director of markets at the FCA, said the regulator remained in contact with firms on the issue. It has not made any comment since.

Experts said even though the technology was new the legal principles behind the investigations remained the same.

“In the UK firms have always had to record messages for business communications. The FCA have reminded institutions of their obligations regarding this,” said Helen Carter, senior counsel at law firm Macfarlanes.

She said the issue came to the fore during the pandemic when employees were working at home but that didn’t change the legal situation. “This became a heightened concern when more people worked remotely. The rules haven’t changed,” she said.

UK regulators have cited improper use of personal electronic communications in other actions lately, for instance in relation to the winding down of Wyelands Bank, part of the Gupta Family Group.

And in August energy regulator Ofgem fined Morgan Stanley £5.3m for failing to record messages made by staff over WhatsApp on their personal devices. A former Jefferies banker was also fined £37,000 by the FCA in 2017 for using WhatsApp to share confidential information.

One issue institutions have with regard to such record-keeping is that asking for files on a personal device to be stored by an individual’s employer might breach data privacy guidelines. The Information Commissioner’s Office is currently assessing responses to a consultation in this area.

“Any organisation seeking to monitor unauthorised apps or personal devices for work communications needs to take particular care that they do not breach applicable data protection requirements,” said Katie Hewson, partner at law firm Stephenson Harwood.

On Friday the National Audit Office criticised the FCA for taking too long to act on issues. "The NAO found that there can be a significant delay between the FCA identifying an issue and it taking action," it said.