Back to Blog

Financial Services’ Inconvenient Need for WhatsApp Archiving

Sean Stapleton

In September 2022, the Securities Exchange Commission (SEC) and Commodity Futures Trading Commission (CTFC) reached settlements totalling around $1.8 billion with 12 of Wall Street’s leading investment banks. The prominent institutions, which included Morgan Stanley, Citigroup, Goldman Sachs and Bank of America, were penalized for failing to monitor employees’ use of unauthorized messaging apps, like Whatsapp, with colleagues and clients.

The probe followed on from JP Morgan’s $200 million fine in December 2021, with the floodgates apparently opening. Authorities seem to have used that initial $200 million settlement figure as a yardstick for the industry, signifying the end of an unofficial grace period afforded firms adapting to the pandemic. 

Such monumental penalties have of course had a seismic impact on the financial services landscape, with the repercussions reaching far beyond the behemoths evidently being made an example of. But how did we get to this stage, and how can firms address the employee behaviors which are clearly no longer going to be tolerated?

What’s up with WhatsApp?

The SEC mandates that banks maintain records of all communication between clients and brokers. Private exchanges, like those occurring through WhatsApp, are far more difficult to monitor, and the likelihood of data being compromised only increases as personal devices are introduced to the equation.

It’s important to note that the issue here is not with WhatsApp itself; the same concerns apply with WeChat, Telegram, and other ‘ephemeral’ messaging apps. It is the difficulties in documenting communications on these encrypted platforms, and the subsequent contravention of record-keeping requirements, that is problematic.

Phone Call Fatigue

Until relatively recently, consumers had limited options available to them if they wanted to reach out to a regulated firm. To discuss their bank account, for instance, they’d need to either get on the phone or head over to their local branch for a personal discussion. Now, they are able to communicate with the organization through a multitude of digital channels.

It’s not just an option, but a preference. WhatsApp, Facebook Messenger and Telegram were among the most downloaded apps in Q1 2022, and WhatsApp itself has an astronomical 2 billion active users worldwide. According to Forbes, 93% of US consumers want to communicate via text message, with speed, ease of use and (consumer) familiarity with the platforms proving decisive advantages. 

This works both ways; it’s also easier and more efficient for employees to communicate through tools that they’re familiar with using in their day-to-day life, than one provided by their employer.

Remote Channels

The disruption of the Covid-19 pandemic led to far greater reliance on messaging apps, as physical proximity, even with colleagues, was prohibited. In 2019, 68.1 million U.S. mobile phone users accessed WhatsApp to communicate. This figure is projected to grow to 85.8 million users in 2023. A by-product of this reliance on new digital channels was an escalation in the number of workers using personal phones or tablets for business, as lines began to blur and professional and personal lives intertwined.

Employees are more likely to act casually when working remotely, whether that means taking longer breaks or messaging clients or colleagues through an unauthorized channel. Having allowed these communication habits to set in over a sustained period, they’re now very difficult to shift back to a pre-Covid level, given the inherent convenience and usability that employees have become accustomed to.

Paying the Bill

JP Morgan’s $200 million dollar fine in December 2021 was the first significant penalty in a probe that has also impacted the aforementioned dozen leading investment banks to the tune of $1.8 billion. The SEC’s crackdown has since continued to expand, as Wall Street’s private equity giants have revealed that they’re under investigation. 

The enforcement unit has also launched enquiries about smaller Registered Investment Advisor (RIA) protocols for ‘off-channel’ business communications. RIAs are subject to the same regulations as the larger firms that were previously penalized, so while they may have been spared the ambush of the initial investigations, they should be mindful that they’re in the regulators’ crosshairs nevertheless.

What Now?

The situation leaves business leaders and compliance teams in a quandary. Should they sacrifice convenience and operational efficiency in the pursuit of compliance, banning messaging apps outright and instead relying on the tried and tested solutions of email, phone calls and, to a lesser extent, social media?

This is probably a tempting option given the enormity of the penalties being administered. It has certainly been the more popular approach given that, in July 2022, just 15% of financial firms were monitoring WhatsApp.

But it’s not quite that simple. Banning employees from using particular channels doesn’t necessarily mean that all risks are eliminated. The prohibition of helpful tools will probably lead to disgruntled employees and “compliance gaps” in the workplace. The safer option is for business leaders to understand the platforms that employees and consumers prefer to use, then developing suitable policies accordingly. 

Ultimately, if employees want to use unauthorized apps, they will do so, unless a supervisory procedure is in place to police it correctly. This has had immense repercussions for the likes of Goldman Sachs, Bank of America et al, who have not succeeded with this step, despite their resources.

Can WhatsApp be Monitored?

The preferable option here is surely to empower staff to utilize the platforms with which they’re most comfortable, minimizing limitations wherever possible. 

To achieve compliance on encrypted platforms like WhatsApp, business leaders must ensure they can capture, preserve, and monitor conversations. This is easier said than done, and the process has historically been a source of great difficulty. However, in recent years, new solutions have been developed specifically to tackle this emerging necessity. 

Much as they had previously for social media platforms, leading digital archiving vendors have built the technology to capture and archive communications data from apps like WhatsApp, WeChat, Signal and Telegram. This rescues business leaders from the frustration of having to choose between efficiency and compliance; both can now co-exist very peacefully.

Crucially, firms can also allocate secondary numbers on personal devices, allowing employees to differentiate between business and non-work-related contacts, and capture pertinent data accordingly. This means that privacy can also be maintained despite heightened levels of professional scrutiny.

It would be counter-intuitive to ignore the rising demand for encrypted messaging apps in the workplace. Thankfully, businesses no longer have to.

How MirrorWeb Can Help

We capture and archive communications across the leading personal messaging apps, including WhatsApp, WeChat and Telegram, and enable personal and professional communications to be separated. What’s more, our product evolves with regulatory demand as platforms proliferate.

Book a demo above to protect your business and empower your workforce. 

More from the Blog

Connector Spotlight: Vimeo

We're now able to capture Vimeo content through MirrorWeb Insight. Read on for more details!

Read Story

UPDATE - How the SEC Keeps Raising the Stakes on Mobile Messaging

Following August 2024's wave of enforcement, an updated overview of the SEC's three year probe into off-channel communications.

Read Story

The Generative Generation - AI, Chatbots and Financial Compliance

AI tools have undoubtedly transformed modern working practice across most industries. What does this mean for financial regulators?

Read Story

See what we can do for you.

Let us show you why MirrorWeb is trusted by organizations across the globe for their compliance and digital preservation needs.