Aligning Your WhatsApp Communications with PRA Regulations

WhatsApp is the most popular instant messenger (IM) in the UK, and predictably, it has become indispensable for workplace communication. Since 79% of internet users and most of the working-age population spend a significant amount of time on the app, regulators are working overtime to ensure that business-related communication on the platform is compliant.

Taking a cue from their US counterparts, financial regulators in the UK, especially the Bank of England’s Prudential Regulation Authority (PRA), are ramping up their operations to ensure WhatsApp conversations are monitored to safeguard investors and the integrity of the financial markets.

While the UK is yet to see anything close to the hundreds of millions of dollars in WhatsApp-related fines levied by the U.S. Securities and Exchange Commission, there have been significant developments that indicate serious trouble for both the firms and individual employees engaged in compliance violations.

PRA’s Directive on Recordkeeping

One of the most notable developments from the UK’s financial regulators was the censure of Wyelands Bank for myriad violations in areas including financial reporting, transparency, and recordkeeping of business communication.

Notably, a substantial aspect of PRA’s crackdown on the bank included a massive fine for the former CEO. The fine reflected a lack of policies and procedures to:

  • Regulate the use of unapproved communication channels, such as personal emails and WhatsApp by employees
  • Retain business-related messages on company-issued and employee mobile devices and the IMs
  • Retrieve the business conversations required by the regulator promptly

For PRA compliance, it is recommended to retain messages captured as part of WhatsApp monitoring and other recordkeeping measures for five years, and for up to seven years to align with Financial Conduct Authority (FCA) message retention mandates.

Ensuring PRA compliance: Strategic steps for WhatsApp communication alignment

To ensure that regulated entities are ready for investigations and information requests from the PRA and even the FCA, which has been ramping up its operations, they need to implement comprehensive communication compliance measures that include all the relevant stakeholders, from the management to new joiners to remote employees.

  • Creating awareness regarding the WhatsApp compliance efforts of the organization and the expectations from each employee is the most important step in avoiding action from the UK’s top prudential regulator and supervisor. Irrespective of whether you are a bank, building society, credit union, insurer, or an investment firm, your employees need to know:
    • not to use unapproved channels of communication
    • what to do in case of a violation
    • what the reporting mechanisms are if they come across a non-compliant co-worker
    • and the penalties for conducting business-related communication on an unsupervised device or application.
  • Compliance officers, HR, IT departments, and even the legal wing of the financial firm need to be aware of the latest communication trends and regulator expectations about them. They can take a cue from US financial firms that are engaging technology specialists to monitor employee video calls on platforms, including WhatsApp, to prevent the illegitimate sharing of non-public information.
  • While the management has a major role to play in WhatsApp PRA compliance, employees also need to be made responsible for maintaining authentic records of their conversations and calls, especially since WhatsApp messages can be edited or deleted. Notably, the records must include everything, from texts to calls to files and images and even emojis, which are key conveyors of a conversation’s context. There need to be regular audits to verify whether employees are in alignment with company policies when it comes to text retention, professional communication with clients and prospects without sharing sensitive company information, and the use of approved devices, email accounts, and IMs, especially for remote/hybrid workers. The effort to ensure individual accountability is especially important because the PRA has been known to act against individuals for failures under the Senior Managers and Certification Regime. Case in point, the regulator levied fines worth £81,620 on the former Chief Information Officer of TSB Bank in April 2023 for IT-related violations.
  • Given the sheer volume of devices and individual messages sent daily, regulated firms need a centralized repository of all their employee communication, which WhatsApp archiving can build as and when the conversations happen. Implementing such a system can be a game-changer for compliance teams, since it can capture communication over the network, covering all the required devices and messaging applications, and retain the information in a tamper-proof manner with all the relevant context, including sender info, receiver info, date, etc.

Balancing compliance monitoring and employee privacy

WhatsApp monitoring for PRA compliance needs to be undertaken in a manner that ensures employee privacy and data protections guaranteed by regulations, such as the GDPR. Firms have the responsibility to keep the archived messages encrypted and safe from unauthorized access. Crucially, they also need to ensure employees are aware of the retention of their messages and have given consent for the same. Other than that, companies are supposed to proactively notify employees of how their data is handled or processed for compliance purposes.

Conclusion

Compliance experts have long argued that banning employees from using a versatile and highly popular tool, like WhatsApp, is counterproductive and ineffective. Instead, regulated firms must strive to cultivate a workforce that puts compliance first, irrespective of their device, application, or whether they work remotely or in an office setting. To facilitate the transition to a firm that monitors communication in real-time and is always ready to demonstrate compliance by retrieving accurate copies of their employee conversations, a WhatsApp archiver is the need of the hour.

With a solution like TeleMessage, regulated entities can mitigate the compliance challenges posed by hybrid working and the emergence of new communication technology and steer clear of trouble with the PRA and FCA. Apart from archiving all the employee communication with an audit trail, the solution also helps ensure compliance with privacy and data security rules due to its SOC 2 Type II and ISO 27001 credentials.

Contact us for a detailed discussion of how TeleMessage can serve your PRA compliance needs.

About TeleMessage

TeleMessage captures and retains mobile content, including mobile SMS messages, voice calls, WhatsApp, and WeChat conversations from corporate or BYOD mobile phones to ensure compliance with various data protection regulations. The messages are securely and reliably retained within TeleMessage servers or forwarded to your choice of archiving data storage vendor.

Our mobile archiving products securely record content from mobile carriers and mobile devices for various ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements:
