Managing Communication Channel Risk


Increased scrutiny of businesses using instant messaging apps highlights the serious consequences involved. A policy of banning or forbidding the use of instant messaging isn’t really an option, and many firms try band-aid technological solutions that entail extensive reverse engineering to imitate the actual messaging app, so each messaging app (WhatsApp, WeChat, Telegram, SMS and so on) has its own unique solution. Trying to manage each messaging app individually requires continual application re-engineering, which raises a significant risk of downtime as well as the risk that the solution does not capture all the messages, all the while taxing company resources to manage so many different applications.

Web scraping to capture a copy of all the messages is particularly problematic, as it operates regardless of whether the content is business related or personal and private. This blanket archiving generates data privacy issues for employees.

Disparate Technology Complications

For regulated firms, an archiving/record keeping solution must be found for mobile communication, whether band-aid or comprehensive, to ensure capture of all the channels. And for full-service financial firms, this compliant archiving solution must include all departments and functions.

Some approaches have reverted to a random sampling approach, which does not interest regulators, who will hold firms liable if they identify something actually amiss. A regulatory breach can lead to reputational risk and operational risk.

Firms started pushing the boundaries when driven by employees demanding that technology solutions constitute an integral part of their portfolio management arsenal. So, from a very restrictive early regulation of employee personal call monitoring, the set of available channels migrated to something that employees can use for investment management of their assets, wherever they want and however they want, with all of that data aggregated and reported back to the financial institution that employs them.

Communication surveillance restrictions often initially took the uncompromising stance of blanket disallowance, which ignores that many of these communication channels are so natural and so native to a lot of employees and customers that they do not purposely set out to break compliance rules; rather, it is built into their DNA: this is how they communicate, and they fall back onto these patterns without thought. Embracing contemporary communication channels offers an opportunity to motivate and facilitate stakeholder retention and minimize friction. Opimas estimates that only 13% of personal mobile phones and 40% of corporate mobile phones of regulated employees are being monitored.

Another complication is the large variety of traditional financial misconduct incurring penalties. According to an Opimas analysis, the penalties issued for financial misconduct are diverse in type, though more than 50% were centered on U.S. securities fraud and investor protection measures.

Firms must regularly evaluate their existing BYOD-type policies (which are decreasing in use). Part of being able to actively manage and capture relevant communication is providing the employee with a seamless experience where you’re not asking them to manage multiple devices to ensure both full compliance and personal privacy. A work-type device is an effective platform for the multiple ways to capture that data and aggregate it together.

Varying National Regulatory Approaches

Britain’s FCA has welcomed new communication technologies, stating that no a priori restrictions are in place; rather, the issue is maintaining control and oversight, including scam protection. UK ministers have been perceived as governing by WhatsApp, leading the public to question their trust in the government and its transparency. In a 2022 outbound email, the FCA noted “Since (last year), we are being tougher on firms who want authorisation to operate in the UK, using data more systematically to ask the firms we supervise more rigorous questions and using enforcement and intervention powers more actively, pushing the boundaries where we need to.”

Similarly, the German financial watchdog BaFin has noted its investigation of senior bank executives over their use of private messaging channels such as WhatsApp. According to BaFin President Mark Branson, “Starting in 2022, BaFin will assume sole responsibility for financial reporting enforcement. We will be sending twice as many staff members into action as in the two predecessor teams put together: approximately 60 employees will be working in BaFin’s financial reporting enforcement directorate. All in the interests of ensuring a clean capital market.”

In Singapore, the specific challenge is around SMS and texting, which are still a very popular way to communicate. Last month a Singaporean bank was sanctioned for allowing, and not dealing with, scams on instant messaging and for text messaging monitoring issues, losing customers and millions of US dollars in the process.

Similarly, in Hong Kong the tech community is looking for solutions for banks that report a lot of phishing and instant messaging text scams. The general consensus is for solutions offering a centralized, enterprise approach.

Regulators worldwide are actively engaged in communication audits, looking at what financial firms are using and how those channels are being monitored. Companies are being surveilled as to what else firm employees are unofficially using. Regulators are concerned that employees are evading existing programs or exploiting gaps in them.

Significant benefit to employees as well as clients arises from having a program that is streamlined and that facilitates frictionless communication in the customer’s preferred channel. With change and new channels inevitable, a six-month-to-two-year lead time to establish a compliance strategy and pass a security review is unreasonably sanguine.
