WhatsApp is off-limits to bankers. So why do they keep using it?

Large Wall Street banks are being taken to task for widespread employee use of unmonitored communications channels like WhatsApp.

In December, the Securities and Exchange Commission charged JPMorgan Securities with “widespread and longstanding failures by the firm and its employees to maintain and preserve written communications.” JPMorgan agreed to pay $200 million in fines to the SEC and the Commodity Futures Trading Commission. The SEC said the bank’s employees used WhatsApp, personal email and text messages to discuss work matters, and those interactions were not archived as required under federal securities laws.

“Supervisors, including managing directors and other senior supervisors — the very people responsible for implementing and ensuring compliance with JPMS’s policies and procedures — used their personal devices to communicate about the firm’s securities business,” the SEC said in its announcement. It began an industrywide investigation that has now engulfed HSBC Holdings, Goldman Sachs and Citigroup. Last week, Deutsche Bank said it was conducting an internal probe into the extent to which staff used private messaging channels such as WhatsApp, which suggests it may be part of a regulator’s crackdown, too.

The regulations have been in place for years: anyone dealing with securities trades must communicate in a way that can be recorded, monitored and archived. So why are so many big banks breaking the rules?

How WhatsApp became normal in banking

Many factors have converged to make the use of WhatsApp so widespread in the industry.

“In a lot of cases, it’s likely employees are reflexively responding to their clients contacting them on unapproved channels because their clients are not subject to the same requirement to store all of the conversation history as the banks are,” noted Caitlin Long, a veteran of Wall Street banks and now CEO of Custodia Bank in Wyoming, a special-purpose depository institution that will launch in the second quarter. “If a client reaches out through unapproved channels, one could see how that happens accidentally, but it's the compliance department's responsibility in these banks to ensure that the laws are complied with and to be sure that the employees are trained that they can't respond in unapproved channels.”

In some cases, traders may have purposefully used back channels so that their conversations with counterparties wouldn't be archived, she noted.

“The banks just have to keep training again and again and again,” Long said. “If the customer contacts you outside of the approved communication channels, you cannot respond.”

This is a compliance gap between banks’ policy controls and what their employees are actually doing, said Robert Cruz, vice president of information governance at Smarsh, a compliance software company in Portland, Oregon.

Banks have well-defined policies governing how employees may communicate, “but there's a very good chance that there may be things that they're either unaware of or that are happening in the corners of the company that they just don't have visibility into,” Cruz said.

The vast majority of banks are hardworking and want to do the right things, said Shiran Weitzman, CEO and founder of Shield, a compliance software company based in Tel Aviv.

But other regulations have seemed more pressing and more heavily enforced, he noted, including anti-money-laundering rules.

“I don't think that is because of neglect, or anyone is doing something on purpose,” he said.

Some banks’ policies don’t cover all forms of communication. For instance, some have not spelled out what individuals can and cannot do with text messaging, Cruz said.

The pandemic has made monitoring employee communications more challenging, as more people have been using personal phones and home computers for work activities. Before the pandemic, sitting among colleagues brought some social pressure that enforced banks’ policies, such as not using a personal device to communicate with customers. Remote work erased that enforcement.

“When you're at home and you just want to text someone it just feels natural,” Weitzman said. “I'm just making sure you got my email. It’s shortcutting. And it's human behavior, but it's not allowed in the financial markets.”

The pandemic turned Zoom and WhatsApp, technology that big banks would not have considered letting employees use two years ago, into channels with widespread adoption, Weitzman said. Regulators were tolerant during the first six months of the pandemic, understanding things had changed.

There's also been an evolution of mobility that started with corporate devices, said Brandon Carl, executive vice president for product strategy at Smarsh and a former executive at Nomura and Bank of America. Employees didn’t want to carry around two phones, and companies started allowing people to bring their own devices to work. That led to people downloading messaging apps onto their devices even though their companies hadn’t approved the software.

Wall Street firms do heavy due diligence on the software they officially allow employees to use. Large banks typically vet and support more than 100 different communication programs, Carl said. But now, he says, firms are receiving requests to support new communication channels at a rate of more than one a week because clients want to use these tools.

“The thinking is, if we don't support it, we may lose that client to somebody else who will support it,” Carl said. “So the business imperative is there.”

When it comes to enforcing policies, banks analyze the benefit to the business versus the potential risk and cost, Cruz noted.

“If a [communications] tool is being used the wrong way and the bank is subject to some regulatory action, the calculus has been, the probability is low and the potential fine is not of significance to prioritize this on the top of the stack,” Cruz said.

Recent fines have changed that equation.

What banks are doing about it

Banks don’t need to prohibit WhatsApp altogether, according to Cruz.

“It is a channel that banks’ customers are demanding some form of access on,” he said. “And realistically, prohibiting these sorts of things on personal devices is fairly difficult.”

What banks do need to do, in addition to employee training, is make sure all their communications are covered by compliance software that monitors and archives affected employee communications and looks for red flags. Providers of such software include Digital Reasoning, which is now owned by Smarsh; Shield; SteelEye; and Symphony.

Early versions of these programs searched for suspicious words and phrases. Today, because the people engaging in market manipulation and other illegal conduct know they are being monitored and know what words to avoid, the software has become more sophisticated.

“In the event that people are colluding to drive a market rate higher, you want to find evidence of either people boasting about what they're doing or coordinating with each other covertly or those sorts of things,” Carl said. “If they're sharing inside information, similarly, you want to find evidence of rumor spreading or information that shouldn't be shared.”

As banks step up their use of monitoring, they also have to be mindful of employees’ privacy. More and more states and cities are writing new privacy laws.

“My guess is there will be a lot of lawsuits in the next five years over privacy rights,” said Brad Levy, CEO of Symphony. “You're seeing it in health care. You're seeing it in government workers. You're going to see it on Wall Street now.”
