Banks concerned about employees' use of WhatsApp have options

WhatsApp, Signal, and Telegram are three examples of apps that support end-to-end encryption, which makes monitoring messages on the platform hard for employers that are required to do so, such as banks. However, there are technical solutions to this problem.

As banks continue to struggle with employees' use of unapproved messaging platforms like WhatsApp, they've often had to choose between letting people use their own devices or forcing them to use work computers. But there are other options, including one that involves virtualization.

That is according to experts who provided their analysis of financial institutions' response to a regulatory crackdown by the Securities and Exchange Commission this year on bankers using unmonitored messaging apps, particularly WhatsApp. The SEC has assessed over $2 billion in fines so far this year for such violations.

The U.S. has long required people who deal with securities trades to communicate only in ways that can be recorded, monitored and archived. The proliferation of secure messaging platforms designed to thwart monitoring has improved privacy while sacrificing the ability of banks to monitor all work communications, but some banks have still found a way to support some of these platforms in a compliant way.

Employees violate communication monitoring rules when they send messages through an unauthorized app, even if in reply to a client who messaged them first. Oftentimes mistakes or a lack of education lead to the violations; sometimes, traders violate the rules with malice or gross negligence.

Experts have divergent opinions about what banks ought to do about the crackdown on unauthorized messaging. Shelli Clarkston, an associate attorney at the law firm Lathrop GPM who has worked in financial services for more than 20 years, says the regulators' actions indicate that letting bankers do work from personal computers is not appropriate.

"I think, realistically, banks need to get away from expecting their employees to conduct business through the employee's own devices," Clarkston said. By providing employees with work devices, she said, banks can ensure the apps on that work device meet the firm's security and privacy standards, and importantly, that they are appropriately monitored.

Providing a work device sends a clear signal to employees that what happens on the device belongs to the bank. And this can be an effective strategy for employees who don't want to carry around two phones all day or use two computers.

But merely providing a company-issued device does not guarantee the employee will avoid working from their personal device, especially if that work device is inferior to their personal smartphone or desktop computer.

And the expense of providing high-end devices makes less secure alternatives appealing to banks, according to Rupert Brown, chief technology officer and founder of Evidology Systems, a London-based regulatory technology company.

"Unless the company device is significantly more attractive, both feature- and price-wise, then banks will be forced by peer pressure to allow users to use their own devices," Brown said.

Regulators would be wise to increase the fines banks face when bankers break rules on the monitoring of messages, according to Brown.

"The cost of managing an in-house device platform is more expensive than the current set of fines, so to fix this, regulators need to change the balance of financial risk in order to give the banks a good economic reason to operate an in-house platform," Brown said.

Clarkston said there are alternatives that give employees the benefits of using their own device and the employer the benefits of controlling and securing the work environment. One example she cited was software that disables all unauthorized applications on the employee's personal laptop to effectively turn the computer into an approved workstation. This kind of creative solution tends to be accessible only to larger players.

But there is a technical solution that is within reach for even small players, according to Lou Steinberg, managing partner at the cybersecurity research lab and incubator CTM Insights. That alternative is virtualization.

Virtualization is common in cloud computing. Cloud providers can spin up many virtual machines on a single server, each isolated from the other, allowing the provider to sell access to those virtual machines to others.

The same principle can be used on personal computers. With a virtual work environment installed on their personal device, an employee can continue using the hardware to which they are accustomed, and their employer can save on the cost of buying electronics for the employee while managing the software they are using.

With virtualization, employees also get the assurance that any monitoring that happens on their computer is constrained to the virtual environment — a key tenet of virtual machines — giving them the peace of mind that, even if their employer wanted to see what they were saying to friends and family, they would not be able to.

A similar alternative to virtualization is separate logins, a feature of all major laptop and desktop operating systems, including macOS, Windows, and Linux distributions. For employees who wish to use their personal computers for work, if their computer supports multiple logins, banks can set up an account on the device to keep work data and applications separate from the employee's personal account.

Mobile devices also support virtualization, to an extent. Steinberg said that a bank can create a simple experience for employees by providing a single application that houses all their work applications, leaving no question of when the employee is using their personal WhatsApp account or their work account.

Virtualization does not fix all problems. For example, installing a virtual machine on an employee's laptop does not guarantee their home wi-fi network is secure. An employee can also work outside the virtual work environment on their personal web browser and applications, perhaps not even knowing they left the virtual walled garden.

Virtualization also may not be the best option for all employees, whether that is because the employee does not want to use their own device for work, they do not trust the virtualization software, or any other reason. According to Steinberg, banks can maximize compliance by giving employees options. If they would prefer to use a work device, let them do so, he said.

Whatever banks do to ensure they appropriately monitor employee communications, they will face some forces that are out of their control and make monitoring applications hard even on a company-owned device — particularly a mobile device.

"Most new messaging platforms will evade effective surveillance, and there is little the banks or regulators can do, and the users know it," Brown said. "This would require collaboration with Apple and Google to build deeper hooks into iOS and Android in order for it to be achievable."
