Out-Law News

Expert warns businesses over WhatsApp communications


Financial services firms can expect UK regulators to follow their US counterparts in imposing significant penalties in cases where they fail to monitor and record staff communications on platforms such as WhatsApp, an expert has said.

Melanie Ryan of Pinsent Masons made the prediction at the recent Global Investigations Review (GIR) Women in Investigations conference, where she highlighted how concerns over so-called ‘off-channel’ communications have already led to regulatory sanctions in US financial services – as well as in other regulated sectors in the UK.

Off-channel communications are communications conducted on platforms the company does not control, such as text messages and other instant messaging apps, private email, or social media posts, that fall outside employers’ and regulators’ scrutiny. Such communications are neither monitored nor recorded, and in some cases the platform can be configured so that messages delete automatically.

Ryan said regulators are increasingly concerned about off-channel communications because they can enable misconduct, including market abuse or anti-competitive behaviour, to go undetected. These risks have been present since the trend towards businesses operating ‘bring your own device’ policies began more than 10 years ago, Ryan said – policies that allowed employees to use their personal devices for work tasks under certain conditions. She said, though, that the risks have been heightened since the Covid-19 pandemic, which accelerated the growth of remote working on both work and personal devices.

In the US, there have been several cases in recent years where regulators have clamped down on off-channel communications. Ryan highlighted cases involving JPMorgan, Morgan Stanley, and Goldman Sachs among other examples, where firms have been served multi-million-dollar penalties.

The JPMorgan case, where regulatory action was announced in December 2021, was the first major case in which the issue of off-channel communications was considered by US financial regulators. It revolved around employees – including managers and senior personnel responsible for compliance – using personal devices to communicate about company business. JPMorgan agreed to pay fines totalling approximately $200 million to regulators. Ryan said the slew of off-channel communications cases that have followed it have generated billions of dollars of fines in the US.

“The fines reflect the pervasive use of off-channel communications in each case but are also designed to serve as a deterrent to others,” Ryan said.

“Regulatory expectations on this issue also appear to be increasing, according to a recent case handled by the US Securities and Exchange Commission (SEC) – one reading of its decision is that the SEC now expects firms to access employees’ personal devices to ensure that they aren’t using off-channel communications. That approach is hugely problematic on privacy grounds – and would be unlawful if adopted by regulators in the UK, or EU,” she added.

Ryan said UK financial regulators discussed a crackdown on off-channel communications with US counterparts late last year. She said financial services firms that enable communications on regulated business activities that are neither recorded nor auditable risk breaching rules overseen by the UK’s Financial Conduct Authority (FCA) or Prudential Regulation Authority (PRA). To date, the FCA has not taken any enforcement action on the issue, though Ryan said its push for firms to adopt a ‘compliance or consequence’ culture, relayed in recent visits to key UK financial institutions, is likely to change that.

“With the FCA you can expect at some point, and it may not be immediately in the future, there will be some adverse findings around off-channel communications,” Ryan said, in comments first published by GIR.

According to Ryan, the FCA has already warned firms about risks pertaining to off-channel communications. She cited an update it published in 2021 in response to the trend towards more homeworking during the Covid-19 pandemic.

At the time, the FCA said homeworking gives rise to the risk that “unmonitored and/or encrypted communication applications (apps) such as WhatsApp” are used “for sharing potentially sensitive information connected with work”. It said firms need to ensure that where such apps are “used for in-scope activities on business devices”, such as dealing in investments, they are “recorded and auditable” – and it said firms must “proactively review their recording policies and procedures every time the context and environment they operate in changes”.

Firms’ policies and controls should also address the risk of employees using their own personal devices to access “work-related systems and potentially sensitive or confidential data”, the FCA added. If permitted, that activity must also be recordable, it said.

“We expect firms to have a rigorous monitoring regime, commensurate to the increased risks, where in-scope activities may be conducted outside the controlled office environment,” the FCA said.

“Without effective recording and monitoring controls, there is a real risk of loss of monitoring and surveillance capability, and the absence of protection through loss of evidence to resolve disputes between a firm and its clients over transaction terms. It is also vital to help with supervisory work, help deter and detect market abuse and to facilitate enforcement,” it said.

Ryan highlighted that the PRA has already taken action in respect of failings identified in the retention of WhatsApp messages. In April 2023, the PRA censured wound-down institution Wyelands Bank Plc for what it described as “poor retention of WhatsApp messages”, among other regulatory failings. In January this year, former chief executive of the bank Iain Hunter was fined more than £118,000 by the PRA for failing to “act with due skill, care and diligence, and to take reasonable steps to ensure that Wyelands had adequate systems and controls in relation to the large exposures regime and PRA record keeping requirements”, the regulator said at the time.

Ryan also said it was notable that Ofgem, the regulator of gas and electricity markets in Britain, had taken action of its own to penalise an energy trading firm for not recording and retaining electronic communications, in breach of record keeping obligations in that industry. In that case, determined in August 2023, the firm was fined £5.4 million after traders used WhatsApp to discuss transactions. The firm did have a policy prohibiting the use of WhatsApp for trading communications, but the regulator considered that it had failed to take sufficient steps to ensure compliance with it.
