Recently, several large financial firms were hit with substantial fines for the use of unauthorised communications channels for business purposes.
In August 2023, US regulators announced a combined $549 million in penalties against a host of financial firms, including Wells Fargo, BNP Paribas and Societe Generale Americas. Specifically, the charges trace back to 2019, when employees at those firms used off-channel communications channels such as WhatsApp and iMessage. As such, the firms violated US federal securities laws by failing to maintain or preserve the majority of these communications. According to NBC News, total financial services sector fines related to the use of unauthorised communications channels total more than $2 billion.
Of course, the monitoring of communications among financial institutions is essential for ensuring regulatory compliance, and for detecting potential wrongdoings such as insider trading and market abuse. As a reminder, financial firms are required under US SEC, FINRA, EU ESMA and UK FCA rules to capture and store records in a tamper-proof format and to monitor employee communications. With the possibility of incurring significant financial and reputational damage, it is therefore vital that financial institutions have the appropriate monitoring practices in place.
However, given the large fines issued by US regulators, the monitoring protocols of many financial institutions appear inadequate. The question, then, is why some banks’ communications monitoring systems are currently falling short, and what they can do to improve their communications monitoring.
One of the main reasons for the inadequacies in bank communication monitoring systems is the increased digitisation of workflows, driven by the onset of the Coronavirus pandemic in 2020.
With the shift to working from home, whether on a hybrid basis or otherwise, the lines may have become blurred in terms of which means of communication employees were authorised to use. Given that many financial firms were logistically unable to deploy recorded-line infrastructure to their employees, in many cases there was little alternative to using personal devices for work communications in order to keep business running. As a result, maintaining records of employee communications on personal devices became nearly impossible for many ‘regulated’ individuals.
Given that, according to the US SEC, several bank employees co-operated in providing communications from non-approved channels on personal devices, this could suggest that many employees may genuinely not have realised that there was a problem. However, another US regulator, the CFTC, indicated that some senior employees knowingly used unauthorised channels.
According to FinTech Global, the average monitoring rate for messaging apps such as WhatsApp, SMS, iMessage, LINE, WeChat, Telegram and Signal is still low, coming in at just 29%; FinTech Global also said that it expects this figure to more than double by the end of the year. This is largely because firms remain uncertain of how to implement bans on unauthorised platforms; for instance, monitoring unauthorised apps on employee devices can create data protection and privacy issues, since employees would reasonably expect their personal communications to remain private.
Additionally, banning communications platforms entirely could lead to a Catch-22 in which employees simply switch to other platforms that are not outright banned. While regulatory bodies such as the UK’s Information Commissioner’s Office give some guidance on how to monitor employee communications, they give no specific advice on how to implement supervisory regimes that achieve full compliance. Therefore, achieving compliance at a federal level in the UK, for example, is largely left to the firm, against a backdrop of uncertainty.
The poor monitoring rates could suggest a few things:
That firms are not taking communications surveillance seriously enough, leaving them with substandard surveillance systems;
The financial penalties imposed by regulators have, up to this point in time, been too lenient and do not incentivise immediate changes to financial institutions’ compliance strategies for communications surveillance rules;
Guidance from regulators on how to achieve robust communications monitoring frameworks is unclear, leading to a kind of paralysis that is stopping firms from acting.
If financial services firms wish to ensure that they can avoid the threat of heavy fines and reputational damages, it is essential that they take all possible measures to monitor employee communications. There are several ways in which they can do this.
One way is through the provision of authorised phones and authorised messaging applications on company devices in order to guarantee compliance, at least when employees are in the office environment. For personal devices, it is crucial that financial firms have surveillance solutions that seamlessly integrate with these devices, ensuring coverage of all relevant communication channels and recordkeeping. Such solutions can be obtained from specialist compliance-centric vendors, and are forming part of the proliferating RegTech trend in capital markets.
Another is to impose outright bans on the use of unauthorised messaging channels for business purposes, and to issue penalties to the specific individuals who break the rules. Such policies would need to be expressed clearly from above, with firms providing training and awareness programmes on the seriousness of unauthorised messaging.
GreySpark explores the topic of effective financial services industry communications surveillance methods in greater detail here.
Ultimately, the huge fines dished out recently by US regulators to several investment banks should be a wake-up call for other firms that are still falling short in their surveillance monitoring systems.