When Encrypted Messaging Goes Rogue

June 25, 2017

Encrypted messaging is an important feature for companies, because it protects their data in transit between mobile devices. But in the financial industry, encrypted messaging on private mobile devices is being used to circumvent compliance with industry regulation.

How is it done?

Some popular messaging apps, such as Apple’s iMessage, route conversations around most of the systems financial institutions have in place to monitor mobile communications. Others, such as Dust, Confide, and Signal, can be set to delete messages automatically once they have been read or after a timer expires, leaving nothing behind to archive. Signal is the encrypted chat and call app that Edward Snowden recommended as a good way to evade government surveillance.

Some popular apps, such as China’s WeChat, carry conversations in languages other than English, which poses difficulties for compliance monitors who cannot read them.

And of course, some employees simply use their personal devices for work-related purposes despite being issued a work device and being expressly forbidden from using their personal phone for work matters.

What is being sent and why?

Some of it may start innocuously. A group of colleagues sets up a WhatsApp group for social purposes but also sends work messages because it is convenient. Bragging among colleagues after a deal goes well, or even more problematically, before a deal goes through, is not uncommon. In the case of Christopher Niehaus, a former Jefferies employee in the U.K., his bragging over WhatsApp, which included sharing confidential client information, earned him a fine of roughly $46,000.

In the case of Niehaus, and probably in many others, there was no malicious intent. He was not trying to trade on secrets, bolster deals, or increase his business in any way. It seems he was simply bragging about work without thinking about the consequences or the compliance issues involved. His bragging was discovered and led to a fine by U.K. regulators, but with so many messages circumventing monitoring, how many of these incidents have gone unnoticed?

In other cases, messages are sent via popular messaging apps simply because the client prefers that method. Companies that ban apps such as iMessage and WhatsApp on company phones run the risk of driving work-related communications to personal devices because clients want the ability to communicate on familiar apps that they use on a daily basis with all their other contacts. In these cases, employees are caught between a rock and a hard place – their job is to work for the client and stay in touch with them, but regulatory concerns limit their ability to do so in the best way for the client.

Of course, there are more nefarious reasons for communicating through channels that employees know are off-limits and difficult to regulate. According to some industry insiders, there are those who share screenshots of confidential interactions with other clients in order to win more orders.

And of course, with everything being monitored, it is easy to see why employees might not want every word they type to be analyzed, and possibly misinterpreted, by people with the power to fire them, censure them, fine them, and even prosecute them.

What is being done to stop this phenomenon?

Some monitoring systems are being programmed to recognize the signs of unmonitored communications. When phrases such as “sent you a text” or “check your phone” appear in a monitored channel, or when certain messaging apps are mentioned by name, the message can be flagged immediately and brought to the attention of the firm.
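The following is an added example of that kind of flagging logic; it is not code from the original post or from any surveillance vendor. The phrase lexicon, the app list, and the sample messages are all constructed for illustration. One detail the paragraph glosses over is that some app names ("Signal", "Dust") are ordinary English words, so matching them naively would flag every "buy signal" on a trading desk; the example handles that by requiring app-like usage for those names while matching unambiguous names case-insensitively.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed lexicon (an assumption for this example, not a vendor list):
# phrases that suggest a conversation is continuing on an unmonitored channel.
OFF_CHANNEL_PHRASES = [
    r"sent you a text",
    r"check your phone",
    r"text me",
    r"call my (?:cell|mobile)",
    r"take (?:this|it) offline",
]

# App names that are not ordinary English words can be matched case-insensitively.
UNAMBIGUOUS_APPS = ["WhatsApp", "iMessage", "Confide", "WeChat", "Telegram"]

# "Signal" and "Dust" are common words ("a buy signal", "the dust settles"), so they
# are only flagged when used the way an app name is used: capitalised and introduced
# by a channel preposition ("on Signal") or followed by the word "app".
AMBIGUOUS_APPS = ["Signal", "Dust"]

_PHRASE_RE = re.compile(
    r"\b(?:" + "|".join(OFF_CHANNEL_PHRASES) + r")\b", re.IGNORECASE
)
_UNAMBIG_RE = re.compile(
    r"\b(?:" + "|".join(map(re.escape, UNAMBIGUOUS_APPS)) + r")\b", re.IGNORECASE
)
# Deliberately case-sensitive: a lowercase "signal" is treated as the noun.
_AMBIG_RE = re.compile(
    r"(?:\b(?:on|via|over|in|through|to)\s+(" + "|".join(AMBIGUOUS_APPS) + r")\b"
    r"|\b(" + "|".join(AMBIGUOUS_APPS) + r")\s+app\b)"
)


@dataclass
class Hit:
    message_id: str
    reason: str
    matched: str


def scan_message(message_id: str, text: str) -> list[Hit]:
    """Return every off-channel indicator found in one monitored message."""
    hits: list[Hit] = []
    for m in _PHRASE_RE.finditer(text):
        hits.append(Hit(message_id, "off-channel phrase", m.group(0)))
    for m in _UNAMBIG_RE.finditer(text):
        hits.append(Hit(message_id, "messaging app mentioned", m.group(0)))
    for m in _AMBIG_RE.finditer(text):
        hits.append(Hit(message_id, "messaging app mentioned", m.group(1) or m.group(2)))
    return hits


def scan_archive(messages: list[tuple[str, str]]) -> list[Hit]:
    """Run the detector over an archive of (message_id, text) pairs."""
    return [hit for message_id, text in messages for hit in scan_message(message_id, text)]


def flagged_message_ids(messages: list[tuple[str, str]]) -> list[str]:
    """Sorted, de-duplicated ids of messages that produced at least one hit."""
    return sorted({hit.message_id for hit in scan_archive(messages)})


# Constructed sample archive; these are not real messages.
SAMPLE_MESSAGES = [
    ("m1", "Great result on the placement. Sent you a text with the allocation details."),
    ("m2", "Client wants to move this to WhatsApp, can you set up the group?"),
    ("m3", "Volume spike gives a clear buy signal ahead of the print."),  # benign use of "signal"
    ("m4", "Let's continue on Signal, easier than the desk phone."),
    ("m5", "Ping me on imessage when the term sheet is final"),
    ("m6", "Order book looks thin, will revisit after lunch."),  # nothing to flag
]


if __name__ == "__main__":
    for hit in scan_archive(SAMPLE_MESSAGES):
        print(f"{hit.message_id}: {hit.reason} -> {hit.matched!r}")
```

Running the script flags m1, m2, m4 and m5 and leaves the "buy signal" message alone. In a real surveillance deployment the lexicon would be tuned per desk, and a hit would open a review case rather than act as proof of wrongdoing on its own.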

In some cases, that kind of flagging might not matter. When messages are deleted and are not kept in any archive, not even by the service provider, which under end-to-end encryption never holds the plaintext, there may not be enough evidence to make a difference.

Furthermore, there is still a question about how determined firms are to stop this behavior. In many cases, rogue communications are carried out to please clients and to bolster profits. If regulatory bodies have no way to police these rogue communications, firms may be happy to simply let things be.
