The Securities and Exchange Commission's assessment of $1.8 billion in fines against 11 Wall Street banks and their affiliates last week sent a message to all banks, even those on Main Street: You need to understand and monitor the communications platforms your employees are using for work.
While the SEC only fined broker-dealers and their affiliates, the magnitude of the fines and the findings of systemic violations indicate that more regulators may start asking the same questions the SEC asked, according to multiple experts in banking regulations and compliance.
Historically, violations of the SEC's recordkeeping requirements tended to be more technical in nature and not as systemic or widespread — nothing that warranted the $1.8 billion fines levied last week, according to Conway Dodge, managing director and deputy leader of the Americas for the IBM-owned consulting firm Promontory.
But that has changed.
"Here, we have an entirely new dynamic where the off-channel communications at a number of name-brand, Wall Street institutions seem to have been part of the culture — it's systemic," Dodge said. "I think part of what drove the seriousness with which the SEC took the matter was the fact that you had supervisors and senior officials at these institutions who appeared to know full well what the rules were, openly and notoriously violating those rules."
The investment banks are paying a price, and not just monetarily. The SEC ordered each of them to hire a compliance consultant to review the bank's policies and procedures related to off-channel communications and provide recommendations to the banks. Each bank will then have 90 days to adopt the recommendations or protest that they are too burdensome.
After one year, the consultants will reevaluate each bank on its progress. In the meantime, each bank must also run an internal audit in parallel with the third-party review and report to the SEC any discipline it imposes on employees as a result of these efforts.
According to Dodge and others, regulators may require Main Street banks to take similar actions. All are well-advised to get ahead of this.
What regulators expect from banks
Certain banking activities create exposure to record-keeping requirements, according to Doug Wilbert, banking and capital markets leader at the consulting firm Protiviti.
For instance, regulators expect lenders to maintain records of communication with potential borrowers to ensure compliance with fair-lending practices. If a borrower reaches out to a loan officer via an unmonitored channel, the lender should make a record of that conversation. That requirement alone implicates many credit unions and community banks.
But the written rules are only the start. The codified requirements governing any regulated industry, including banking, are merely "minimum passing grades," according to Constantine Boyadjiev, managing director in Protiviti's risk and compliance practice. That means banks need to do more than what is asked of them.
Devin Redmond, the CEO and a co-founder of Theta Lake, a communication security and compliance company, said that a compliance approach that seeks simply to check boxes is "insufficient" to deal with changes in communication technology and that the expectation of the SEC's enforcement division is about "proactive compliance."
Dodge said any "responsible executive" of a regional bank or credit union will look to understand where employees are engaging in business-related communications "even in the absence of explicit regulatory requirements."
What Main Street banks should do
One way to understand how employees are communicating is to mimic what the SEC did in its investigation — a risk-based approach. Dodge said firms can take a sample of the larger transactions that took place over the past six to 18 months and look at all details of the transaction "from cradle to grave."
What firms need to look for in these investigations is documentation of the significant decision points during the course of those transactions. If a firm finds that communications are missing, Dodge said, that gives it the opportunity to ask further questions: "How was this decision made? Who spoke to whom? Through which channel?"
That might lead to finding employees are using channels like WhatsApp or Signal for work. For banks that serve certain markets, that should come as no surprise, but banks need to ensure they are monitoring those channels.
"In many jurisdictions, usually outside the United States — Latin America is a good example — [WhatsApp is] the common mode of communication, and in order to engage in business in those jurisdictions, you have to figure out a solution," Dodge said.
In some instances, employees may be drawn toward channels that the bank currently leaves unmonitored for practical reasons beyond the fact that its clients are on those channels, according to Redmond.
"Aside from small groups of employees that may be specifically evading monitoring, the usage of WhatsApp is often a more general symptom of employee end users seeking easier, more feature-rich communication channels than what their organization allows," Redmond said.
WhatsApp and Signal are two examples of apps designed for privacy that were not originally meant to be monitored, and the SEC named each in the orders it released last week. However, there are other such applications, including Telegram and Element, that promise secure messaging without surveillance.
What to do about personal devices
A question small banks will inevitably face in the process of confronting off-channel communications is the use of personal devices for work. The conflict arises over whether to let employees continue using their personal devices while monitoring that use, or to issue employer-owned devices and require employees to use them.
One way to address that question is to let employees answer it themselves, according to Chris Lehman, CEO of SafeGuard Cyber, a communication security and compliance company.
"There's real power in giving optionality to employees," Lehman said. "As much as employees might balk at the idea of the employer putting monitoring technology in place, if they're given a choice, that at least shows some flexibility and draws the lines in terms of what is required with either choice."
According to Wilbert at Protiviti, giving employees work devices is a step that banks can take to reduce the risks associated with unmonitored channels, and for many, it is far cheaper to furnish devices than to take on fines for off-channel communications. That will increasingly be the case for firms as regulators continue to levy larger fines over time, he said.
What not to do
Something banks should not do in response to the SEC's orders is to treat the issue as a one-dimensional problem. Buying a tech solution is not sufficient for most banks to solve the problem of understanding and monitoring how their employees communicate; banks also need competencies in how to handle the data they get from monitoring conversations, according to Boyadjiev.
Boyadjiev said there are many challenges to monitoring employee communications. One is sorting out who owns the data taken from employees' communications and how stakeholders like the chief technology officer and chief risk officer will want the data handled. Another is leveraging the data collected — extracting value from it by looking at it through different lenses.
For credit unions, regional banks and other small financial institutions, there is assuredly a lesson from the SEC's actions, and inaction for these firms is not an option.
"The worst thing you could do is to do nothing about your own program, to ignore the fact that these enforcement actions are out there and that the SEC is on the beat," Dodge said. "You do that at your own peril."