Wall Street banks have been hit with more than $2 billion in fines for using unauthorized communications channels – a number that may rise further as regulators clamp down on unmonitored and unauthorized communications. The risk of bank employees using channels such as WhatsApp and other social media has proliferated given the shift to hybrid working that accelerated during the COVID-19 pandemic.
But banks are failing to act fast enough. While 41% of firms highlight communications surveillance as a top investment priority over the next 12 months, only 15% currently monitor WhatsApp, according to SteelEye’s 2022 Compliance Health Check report.
Monitoring, compliance and culture go hand-in-hand, Acin’s Rupal Patel advises.
Regulators started ramping up fines in December 2021, when a major Wall Street bank was slapped with a $200 million penalty – $125 million imposed by the Securities and Exchange Commission and $75 million by the Commodity Futures Trading Commission – for failing to keep records of communications made on personal devices. The SEC said the problem was widespread within the bank; even supervisors were communicating on unmonitored channels via text message, WhatsApp and personal email accounts.
While the risk has become more acute, due to the pandemic and the shift to remote working, the SEC’s investigation stretched back to 2018 – underscoring that the issue predates the pandemic and banks have still not caught up with their controls. More banks have since either been fined or have set aside provisions because they expect to receive similar fines.
Step Up Surveillance and Manage the Risk
Over the past year, regulatory alerts tracked by Acin on the theme of unauthorized communications jumped to 16, from four in 2021. Mapping these to risks and controls, it is clear that surveillance controls on their own are insufficient to mitigate the potential risk.
The increase in unauthorized communications from personal devices is often a behavioral issue. For example, employees could be deliberately circumventing controls to avoid detection of misconduct. It could also be down to inadequate training, or to poor monitoring of controls that would otherwise provide early warning signs of suspect employee behavior. Ineffective business continuity planning may also push employees to use unauthorized communication channels if official channels are not working.
To that end, Acin’s Risk Intelligence team has identified the following areas of focus to manage these problems:
- Four categories of controls
  - Training and supervision
  - Employee monitoring
  - Business continuity planning
- 28 controls mapped to eight themes
  - Chatroom monitoring
  - Trade surveillance
  - Audio-communications surveillance
  - Training and procedures
  - Unauthorized trading
  - Segregation of duties and access
  - Business continuity management
While Acin’s anonymized network data shows that more than 50% of the identified controls within those categories are present, there are several missing controls under the surveillance and training and supervision themes that banks must adopt to prevent and monitor for unauthorized communications use.
On average across all four categories, 24% of preliminary controls are missing. Analysis of these suggests that a third of them are either missing and not operated, or missing and not documented.
Furthermore, a fifth of these banks (18%) operate their e-comms controls on a less frequent basis than their peers, while just under a third (31%) don’t even report the frequency, making it very unclear how those banks are monitoring e-comms risk. The data suggests that control design standards also require improvement.
All of this comes against a backdrop of increased regulatory scrutiny as banks adapted to new ways of working amid the pandemic. In July 2020 the Financial Markets Standards Board provided examples of controls to be implemented across key hybrid working risks, including controls around communication.
In October last year, the Financial Conduct Authority said the risk of misconduct has been impacted by the shift to remote and hybrid working where employees are sometimes out of supervisors’ line of sight.
The industry is playing catch-up with the impact of working from home and must ensure that the risk presented by e-comms is managed in a better way. Without addressing these issues, we could enter a cycle of billions being lost to fines each year.
Immediate Steps to Reduce E-Comms Risk
We believe that implementing the following steps will ensure a robust set of controls and management systems to better mitigate e-comms risk.
- Network intelligence
Banks need to review their controls that monitor non-business applications such as WhatsApp and to ensure their risk control framework is well designed. Using Acin network data, banks can benchmark themselves against their peers to identify gaps in their e-comms risk controls and where they need to improve. This will ensure banks have a well-designed risk control framework in place to manage the risk of unauthorized communications.
Furthermore, risk intelligence provides an ongoing, dynamic risk management capability: regulatory and market news, as well as changes in controls, are mapped to risks and controls so that firms can continuously stay on the front foot and conduct dynamic risk and control self-assessments (RCSAs). Current analysis highlights that the design of controls can be improved, raising control standards to support future and ongoing regulatory enquiry and to demonstrate that firms are doing the right thing: that they have a structured, well-designed risk control framework in place to manage the risk of unauthorized comms going forward.
- Compliance culture
Banks must ensure they are not only recruiting the right individuals, but that those individuals also understand the culture of the bank. In a world of hybrid working with employees based remotely, banks must ensure that a culture of compliance and risk management is maintained. That includes fostering a speak-up culture where employees are encouraged to flag poor behavior.
- Monitoring apps
The use of unauthorized communications can increase if employees are stressed, overworked and under pressure to close deals. For instance, to get a transaction over the line outside of work hours, or when a client is out of the office, it might be easier to use a personal device. Therefore, personal devices should always have a monitoring app installed to provide a detective control.
- Remote tech
In addition to ensuring monitoring apps are installed on personal devices, banks need to ensure employees have access to approved systems such as recorded phone lines and other tech tools, no matter where they are located and whenever they need them. Poor business continuity planning for when authorized communications channels are unavailable can result in employees switching to unmonitored channels to get the job done, as can periods of market disruption, where traders might be tempted to use unauthorized channels because they need to act fast.
Rupal Patel is Head of Risk Intelligence at Acin, which works with banks and asset managers to address operational risk issues through the use of data and technology. The organization helps some of the largest investment banks convert reams of control documentation into quantitative, calibrated, actionable data, enabling confidential peer comparisons of operational risk controls across both front and back office.