Employees of financial firms are increasingly using instant messaging apps like WeChat, WhatsApp, Wire and Signal to communicate business information. Research shows that instant messaging is already surpassing email as the preferred mode of communication for many employees. These instant messaging platforms offer significant benefits to employees and financial firms, but they also bring compliance and regulatory risks. Therefore, it is important for firms to address the financial, legal and compliance risks that the growing use of instant messaging apps brings about. Different regulations require businesses to record mobile messages, monitor phone calls and strictly follow WhatsApp archiving measures for business communications.
Risks of using mobile messaging for business communications
Data security – Employees of a financial firm who continually use instant messaging apps to send confidential and sensitive business information over unsecured networks and personal accounts pose a big risk. They may carry this sensitive information on their personal devices, which may pose regulatory and compliance risk.
Recordkeeping – Sensitive business information sent through instant messaging apps is difficult to retain, preserve, analyze and reproduce. It is important to record mobile messages, monitor phone calls and follow text messaging compliance regulations.
Difficulty in auditing – Business communications that happen through instant messaging apps on a personal device are difficult to audit and investigate unless the employees voluntarily offer them for audit.
BYOD policies – Many financial firms have BYOD policies that allow employees to use their personal devices for handling sensitive business information. The use of such BYOD devices makes it difficult to preserve and retain communications unless approved by the individual employee.
Recovering deleted messages – Using mobile messaging for business communications could put you at legal risk if you delete messages and do not retain them to comply with regulations. When requested by a court or a regulator, you must be able to find, secure and produce information.
Exchange Act Rules 17a-3 and 17a-4, FINRA Rule 3110(b)(4) (Review of Correspondence and Internal Communications) and FINRA Rule Series 4510 (Books and Records Requirements) require a firm to create and preserve, in an easily accessible place, originals of all communications, received and sent, relating to its “business as such”. Also, if the firm allows its employees and other associated persons to use any particular digital platform, like a messaging app, it must preserve records of business-related communications and supervise the activities and communications of those persons on the application. The regulation asks firms to monitor phone calls and record mobile messages that involve business communication.
FINRA noted that some firms faced challenges in complying with the supervision and record keeping regulations for various digital communication tools and technologies. For example, some firms prohibited the use of certain digital channels for business-related communications but failed to maintain a process to identify and respond to red flags that employees and representatives were using impermissible personal digital channel communications.
Annex IV Section 2 of the MiFID Org Regulation makes provision for record-keeping of transactions and order processing. According to the regulation, a record must be kept of the date and exact time of any message transmitted to and received from the trading venue in relation to any event affecting the order or the deal.
The regulation also stipulates that the date and exact time must be recorded for any message transmitted to and received from another investment firm in relation to any event affecting the order or deal. A record must also be kept of any message transmitted to and received from the trading venue in relation to orders placed by the investment firm.
Advisers Act “Books and Records Rule” Rule 204-2 requires advisers to retain originals of all written communications received and copies of all written communications sent that are related to any recommendations made or proposed, receipt, disbursement, or delivery of funds, purchasing or selling a security, or the performance of a managed account or securities recommendation, subject to certain limited exceptions.
It specifically prohibits businesses from using any app that can be misused by allowing employees and other associated persons to send messages anonymously, automatically destroy messages and prohibit third-party viewing of the messages.
What firms must do
Firms must update their policies and train employees in responsible usage of mobile messaging apps for business communications. It is important for every employee in a firm to follow text messaging compliance rules when they are dealing with business-related communications.
Establish compliance policies – Firms need to develop compliance policies and work closely with their information technology, marketing and compliance teams as well as their third-party vendors in training employees and other associated persons on how to use messaging for business communications in compliance with existing regulations. It must be decided who will own and operate the messaging devices. Decide whether to use Bring Your Own Device (BYOD), Choose Your Own Device (CYOD) or Corporate-Owned Personally Enabled (COPE).
Create or update the policy on business text messaging – Based on the different compliance regulations, you have to create or update your company’s policies on the use of business text messaging. You have to make it clear what devices could be used, what messaging applications could be used, which mobile carrier must be chosen and which message archiving solution must be used.
Give adequate training – You must provide comprehensive training to your employees, other associated persons as well as third-party vendors on your business text messaging compliance policies. Firms must make training mandatory for all representatives before giving access or the right to use different messaging applications and business communications channels of the firm. The training must clarify the firm’s expectations of its representatives on the responsible use of business channels for communications.
Disciplining of violators – Firms must take disciplinary actions like suspending or permanently removing representatives who don’t comply with the firm’s policies on the responsible use of business texting.
Get a tool to archive mobile communication – You must implement a tool to archive mobile communication for text messaging compliance and to comply with other message archiving regulations. The tool must be used to monitor phone calls, record mobile messages and perform WeChat archiving and WhatsApp archiving.
TeleMessage captures and retains mobile content, including mobile SMS messages, voice calls, and WeChat conversations from corporate or BYOD mobile phones to ensure compliance with various data protection regulations. The messages are securely and reliably retained within TeleMessage servers or forwarded to the archiving data storage vendor of your choice.
Our mobile archiving products securely record content from mobile carriers and mobile devices for various ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements:
TeleMessage offers cross-carrier and international mobile text & calls archiving for corporate and BYOD phones. Visit our website at www.telemessage.com to learn more about our mobile archiving products.