Financial Firms Pay Steep Price for WhatsApp and Other 'Off-Channel' Messaging

Will upwards of $2 billion in regulatory penalties deter further violations of communication-retention rules? Solutions may require attention to “tone from the top” along with surveillance software.

Friday, December 15, 2023

By Jim Romeo


In mid-November, the U.S. Securities and Exchange Commission revealed its financial tally from 784 enforcement actions during fiscal year 2023: $4.949 billion, second only to the $6.4 billion (including penalties, disgorgement and pre-judgment interest) from 760 actions the year before.

Some of the charges, settlements and legal judgments stung more than others. Cases against Danske Bank and Wells Fargo & Co. were “old news,” respectively resolving major anti-money laundering and investor-disclosure improprieties from prior years. But standing out amid a litany of often emphatic crackdowns was one yielding a total of $289 million in penalties from 11 firms, including Wells Fargo as both broker-dealer and investment adviser.

That August ruling spotlighted “widespread and longstanding” failures to maintain and preserve records of electronic communications – a compliance pitfall recently exacerbated by the popularity of so-called off-channel communications through WhatsApp and certain other social media. At the time of that announcement, SEC Enforcement Division Director Gurbir S. Grewal said, “To date, the commission has brought 30 enforcement actions and ordered over $1.5 billion in penalties to drive this foundational message home. And while some broker-dealers and investment advisers have heeded this message, self-reported violations, or improved internal policies and procedures, today’s actions remind us that many still have not.”

For fiscal 2023, those and other cited violations of federal securities laws’ recordkeeping requirements resulted in “25 advisory firms, broker-dealers and/or credit rating agencies, including Wells Fargo, HSBC and Scotia Capital, agree[ing] to pay combined civil penalties totaling more than $400 million to settle charges,” the SEC stated.

“Significant Regulatory Challenge”

Communication-monitoring deficiencies can fester for years before financial firms pay penalties. In November, a Financial Industry Regulatory Authority (FINRA) letter of acceptance, waiver and consent with TD Private Client Wealth cited failure to properly supervise and review “approximately 3.5 million emails related to 691 employee email accounts” between February 2013 and July 2022. In addition to a censure and $600,000 fine, the TD Bank subsidiary agreed to certify implementation of “a supervisory system including written supervisory procedures” and a “risk-based retrospective review of email sent or received by its associated personnel” during that period.

While stressing investor-protection and market-integrity mandates, the market regulators lately are clamping down on personnel conducting business on personal devices using platforms such as Apple’s iMessage, the encrypted email app Signal and Meta’s WhatsApp. “By failing to maintain and preserve required records,” the SEC said, “certain of the firms likely deprived the commission of these off-channel communications in various SEC investigations. The failures involved employees at multiple levels of authority, including supervisors and senior executives.”

The enforcement message is landing, and technology solutions can fill the breach. LeapXpert, for one, launched a “comprehensive enterprise solution” for iMessage in May, and in July, an alliance with governance, risk and compliance advisory firm ACA Group to deliver “expanded enhancements to archival, workflow and surveillance features across WhatsApp, iMessage, SMS, WeChat, Telegram, LINE, and Signal.”

“We can offer a highly unified solution to many leading financial institutions and enterprises worldwide, precisely where the fractured multi-channel work experience poses a significant regulatory challenge,” said ACA chief product officer Annie Morris.



Nearly three-fourths of more than 400 respondents in the 2023 Investment Management Compliance Testing Survey said they trained employees on approved communication methods and record-retention policies. About half began asking employees to certify that they only use approved communication methods.

Still, off-channel communications are inherently difficult to rein in. Even as HSBC reportedly blocked texting from employees’ work phones, outright bans are generally regarded as futile, as was the case with instant messaging earlier in the digital era.

According to a U.S. criminal indictment and related SEC complaint in September, a former Goldman Sachs employee allegedly passed insider tips to friends using off-channel apps and the Xbox chat function, which he believed would go undetected.

Networks Not Tracked

Client lifecycle management firm Fenergo has been tracking a global downtrend in monetary penalties for compliance violations. However, 83% of $189 billion in fines in the first half of 2023 were paid by U.S. financial institutions. The Fenergo report covered anti-money laundering regulations including Know Your Customer (KYC), client due diligence (CDD) and sanctions violations.

Integrated surveillance vendor SteelEye, which partners with LeapXpert, surveyed 170 senior compliance decision-makers for its 2022 Compliance Health Check report. It found that while 41% of firms viewed communications surveillance as a key investment priority for the next 12 months, only 15% were currently monitoring WhatsApp. Even lower were Slack (9%) and Signal (3%).

In a 2023 survey by Global Relay, a firm specializing in compliant communication solutions, 59% of respondents said they banned WhatsApp, WeChat and similar apps, but that didn’t necessarily appease regulators. Just 2.6% felt that bans were effective in meeting compliance scrutiny.

According to Global Relay’s annual compliant communications report this month, only 8% of financial firms were tracking WhatsApp messages between employees. Email, LinkedIn and Instant Bloomberg were the most-captured channels, by 89%, 33% and 25% of firms, respectively. Among broker-dealers, 47% were capturing LinkedIn, 29% X (formerly Twitter) and 11% Facebook.

“Regulators have been closing in on the issue of off-channel communications for quite some time, and LinkedIn appears to be a likely next focus area,” Global Relay director of regulatory intelligence Rob Mason commented.

Awareness and Self-Reporting

Ryan Farnsworth, senior vice president of insurance brokerage Alliant Insurance Services, says the SEC fines carry a strong message: “All our clients are concerned about this risk and how past behavior and communication may be viewed by regulators. Until the SEC and other regulators believe that the prevention and preservation of off-channel communications have been addressed, it will continue to be a top priority for financial institutions.”

Ryan Farnsworth of Alliant Insurance Services

With senior-level employees among those in the crosshairs, he expects the focus on this type of securities-law violation “will continue into the foreseeable future as more firms try to comply with the takeaways from the SEC’s enforcement actions.”

Short of total prevention, firms can help their cause by self-reporting potential or suspected violations.

The SEC indicated in its September 29 release that “there are real benefits to self-reporting, remediating and cooperating,” Farnsworth notes.

A 1% Problem?

Jay L. Hack of Gallet Dreyer & Berkey

Jay Hack, a partner of the New York law firm Gallet Dreyer & Berkey, believes that the off-channel communications risk is insignificant – as long as most people are honestly and efficiently going about their business.

“Some clients want to use, for example, WhatsApp,” he acknowledges. “However, 1% of the time, the off-channel communication is used because one side or the other wants to hide something, and that can be the tool that allows, for example, insider trading to occur. Enforcement will grow as technology improves to allow increased enforcement.”

Hack shares the view that prohibition is not viable. “Creative crooks will always beat that system by hiding it deeper underground.”

The attorney says the most effective response boils down to solid policies, procedures, training and verification.

“Annual certifications of compliance by employees, coupled with increased due diligence in the hiring process,” Hack says. “Do you want to use lie detectors and truth serum? I don't think so. If there is a gap in an information trail on any transaction, there needs to be follow-up to determine if the gap is the result of something off-channel.”

He recommends that all transactions be checked and filtered using software designed to ferret out suspicious transactions. “We have to remember that there is nothing inherently wrong with using WhatsApp or WeChat . . . It is the transactions that are conducted using off-channel communications.”

Finding Other Weaknesses

If the current “off channels” are somehow removed, “then the crooks will just use everything from anonymous re-mailers to burner telephones and public computers at the local library,” Hack contends. “That will just result in more intrusive surveillance of everything that everyone says to everyone else using any communication channel. The focus, as I said, needs to be on the illegal transaction itself.”

Going forward, says Farnsworth at Alliant, regulated firms can reinforce compliance via their “tone from the top” and hiring an independent compliance consultant to review policies and procedures.

Christy Goldsmith Romero of the Commodity Futures Trading Commission, in a statement accompanying its concurrent finding with the SEC against Interactive Brokers, underlined “a pervasive culture of evasion” at the firm. The commissioner asserted that IB “should not be able to just pay the penalties, fix this one problem, and continue to operate business as usual. The ‘tone at the top’ of this broker should change immediately to a tone of continued compliance with the law.”

“Financial institutions may also prevent violations by conducting effective training in connection with the preservation of electronic communications,” Farnsworth says. “Most have already explored and implemented acceptable software or other technology solutions that will effectively prevent unacceptable off-channel communications. It is clear that the SEC and other regulators believe that is also a necessary step in order to be in compliance with federal securities laws.”

