Clients versus compliance: banks hung up over WhatsApp fines
Most opt for outright ban, but some seek technological solutions to monitor private messaging.
Need to know
- US regulators have fined 18 financial institutions more than $1 billion for failing to monitor work-related private messaging by staff using WhatsApp.
- Many banks have responded by banning any private messaging apps.
- However, enforcing a ban is not straightforward, and clients are often keen to continue using WhatsApp.
- Consequently, some banks are examining technology to add private messaging to existing communications monitoring systems, but this approach raises operational challenges and privacy concerns.
For busy bankers, there’s always a temptation to send one more message from their mobile before a flight takes off, even when the cabin crew are telling them to switch to airplane mode. Now it seems operational risk managers are fighting against the same instincts on the trading floor.
But the US Securities and Exchange Commission (SEC) is a cabin crew with a difference—they can fine you for non-compliance. Together with the Commodity Futures Trading Commission (CFTC), the SEC dished out fines of more than $1 billion in 2022 over the misuse of personal messaging services, and further enforcement actions followed in 2023.
The clampdown is now spreading across the Atlantic, with German regulator Bafin and the UK’s Financial Conduct Authority also investigating. An FCA spokesperson says the regulator is “actively discussing personal device use with a range of UK authorized firms, not limited to those who may have been subjected to other regulatory enquiries”.
Unsurprisingly, many of the affected institutions are now adopting a zero-tolerance approach. Out of nine banks that responded to a question from WatersTechnology sibling publication Risk.net, seven said they have initiated an outright ban on third-party communications. While the SEC and CFTC focused on the use of WhatsApp, spokespeople for banks also mention WeChat, Telegram, Messenger, iMessage and FaceTime as apps they are targeting for prohibition.
“If that line is violated, a reprimand won’t do—bankers don’t heed reprimands, they just get stealthier,” says a senior operational risk manager at a global bank. “It should be termination—it will only take one or two before that sinks in among the staff.”
But it’s not just traders who are hooked on personal messaging services. It’s also their clients. Instant messaging provides direct access to a bank’s employees, saving critical seconds in fast-moving markets. The sheer number of firms caught out by the SEC and CFTC (18 and counting) shows this is an endemic issue, not just a few isolated troublemakers.
“A significant number of clients, including those with high net worth and ultra-high net worth, prefer to receive information through WhatsApp due to its speed and convenience,” says a senior controller at a second global bank.
Importantly, the SEC and CFTC fines were not imposed for actual market abuse. There’s no evidence WhatsApp has replaced the shady conversation in the basement corner of a Wall Street wine bar. Instead, banks were condemned for failing to monitor staff communications adequately. That opens the door to a more flexible response, built on advances in compliance technology.
Two banks have confirmed they are adopting a regtech-enabled approach that will allow staff to use private messaging in a monitored format. Deutsche Bank is also reported to have begun requiring staff to install mobile app Movius, which can track private and text messages. It may be possible to square the circle of pleasing clients by maintaining access to staff via private messaging while monitoring communications to the regulator’s satisfaction.
“We are now having more conversations with tier one banks than we’ve ever had in eight years,” says Oliver Blower, chief executive at VoxSmart, a communications regtech vendor. “There’s certainly a direct correlation in volume of conversations relative to the frequency of fines—that definitely was a catalyst.”
But the new surveillance platforms are not without risks, and compliance managers don’t necessarily feel they have yet landed on a definitive solution to managing off-channel communications.
What’s the point?
When the fines were first announced, bankers might have been tempted to view them as a hangover from the pandemic lockdowns—a time when the lines between work and personal life were almost non-existent. Those outside the financial sector could be forgiven for shaking their heads and condemning a complete lack of common sense. After all, banks have plenty of approved communication channels, so why go private if not for misconduct?
Risk managers and other communications experts, however, suggest things are not so simple. First, widespread use of private messages predates the pandemic. And it wasn’t necessarily seen as sailing close to the wind.
The senior op risk manager at the first global bank recalls making a startling discovery while at a previous employer as far back as 2018. An intern had diligently taken comprehensive notes in an all-hands call for the investment bank research team, where they had discussed in-depth the pros and cons of using around half a dozen different private messaging apps—including features such as encryption levels and disappearing messages.
“Why would they go through the best way to conceal communications on a staff call? Because research often has personal connections with the big-hitting clients at the bank, as they do one-off calls to give value-added service,” says the senior op risk manager.
The pressure to fulfill the demands of high-value clients provided the pull, says Christian Hunt, founder of behavioral risk consultancy Human Risk and former global head of compliance and operational risk at UBS. And as for the push, “Think about the types of people we’re talking about here. They are risk-takers by default.”
Until the SEC showed up, perhaps the risk was underestimated, and therefore perceived as worth taking. Now the fines have left no one in any doubt that all communications regarding trading and markets should be recorded, whether front- or back-office, at banks or asset managers.
The pull factor remains, but clients themselves will worry about being caught up in enforcement actions. The senior controller at the second global bank says clients are quick to blame their bankers—who are supposed to be the experts, after all—when things go wrong.
Taking a dip
Superficially, a total ban looks like the simplest and most reliable response. It sends a clear message, leaving no room for misinterpretation. But the ban itself requires monitoring, either physically or through technology.
One method is so-called “dip sampling”, where employees are asked, for instance at random, to hand over their personal phone so it can be checked for prohibited communications.
“That’s a really horrible manual check that someone has to do in a compliance capacity, and there’s no real feeling that it’s a risk management strategy,” says Robert Mason, director of regulatory intelligence at regtech vendor Global Relay and a former conduct risk manager at Lloyds and UBS. “It’s more something that you can say you’ve done.”
A total clampdown also prevents the bank from determining if private messaging services could generate meaningful value for certain business lines. One risk manager says they would consider supervised access to WhatsApp for particular use cases. By allowing it on a case-by-case basis, they hope to extract the most value out of it, while limiting the amount of risk and control infrastructure needed.
“What benefits does WhatsApp offer when it comes to being part of an organization? Does it provide any unique value or is it simply appealing because of its trendier nature?” asks the senior controller at the second global bank.
Computer says yes
Since banks are likely to need technological solutions to enforce a ban in any case, an incremental investment would instead permit carefully supervised use of private messaging.
“The amount of data and different channels that we all use, the only way that we can effectively manage risk is through the use of technology,” says Ian Hollowbread, chief operating officer for digital innovation at ING Group.
The obvious answer is to install systems that capture private communications channels and analyze them for suspicious interactions, providing both red flags for compliance teams to respond to, and easier access to data for regulators. There are already numerous vendors active in the market. Like Deutsche, ING has gone down the third-party vendor route, which may be easier than trying to build a surveillance system from scratch in-house.
However, there are drawbacks. Given the proliferation of providers, banks may find themselves using one firm for trade surveillance, one for monitoring official communications channels such as trading turrets, and one for monitoring private messaging. This adds another provider to the ever-growing list of critical third-party vendors whose failure could leave the bank exposed. Moreover, having separate providers for each surveillance function means the bank could end up with disjointed compliance data that is difficult to reconcile when searching for potential market abuse.
“Market surveillance is becoming an ever more complex challenge for the industry, and we continuously look towards the use of next-generation technologies to help bring together various aspects of data to develop a holistic review of risk and to manage it accordingly,” says Hollowbread.
ING does not disclose its vendor for monitoring private messages. It is understood that HSBC has chosen to connect a business application of WhatsApp to Symphony, the existing trade messaging system that is widely used in the industry. This would potentially help to solve the problem of monitoring systems multiplying like rabbits.
Big brother
However, the question of how to handle traders’ personal mobiles remains perhaps the most sensitive aspect of this. Hunt at Human Risk says it’s reasonable to expect any device provided by an employer to be monitored, but installing what is essentially spyware on a personal phone enters very different territory, where employers could have access to private discussions unrelated to work.
“That might be your drug dealer, your mistress, your kids, your wife; you might be talking to your therapist,” says Hunt. “There will be lots of things where you would say: that feels like a step too far, do I trust my employer with information that is not relevant to them?”
The risk of a backlash from staff is evident. But at the same time, the risk of enforcement isn’t going away. “I don’t see any reason why this won’t get bigger, that thread does seem to be a hell of a lot longer than regulators thought,” says Mason.