
WhatsUp? When instant messaging causes trouble

28 March 2024

Instant messaging is now a fundamental part of our working and personal lives. However, for financial services firms and their employees in particular, where the two areas overlap, serious employment and regulatory issues can arise. 

Working from home may be here to stay, or may have had its heyday depending on which article you read. However, what is certain is that, when employees are working away from the office, keeping an eye on them becomes much harder for employers. For regulated employers such as financial services institutions in particular, this can cross the line from being a simple administrative headache to a significant legal or regulatory problem.

Firms in this sector are – understandably – subject to stringent regulations. These include strict requirements around the protection of confidential information and record-keeping. Compliant firms will address this by putting in place robust policies and procedures, and a secure network infrastructure to ensure that sensitive information can be handled securely.

However, where employees make use of their own devices or external channels (or both), such as WhatsApp, Signal, Telegram or other instant messaging services, it becomes difficult for their employers to monitor and record communications. Many apps offer encrypted messaging, and in most cases, communications data will be stored “in the cloud” (in reality, on servers owned or operated by app developers).

US financial services regulators take such activities very seriously. According to the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC), between January 2018 and September 2021, employees at 16 Wall Street firms regularly used messaging apps on personal devices to discuss business topics, including trades, with co-workers, clients and third parties. These activities led to breaches of U.S. federal regulations on the preservation of business communications.

During that three-and-a-half-year period, working practices around the world changed dramatically as Covid-19 took hold, leading to global lockdowns and, in many places, mandatory work-from-home orders.

In January 2021, around the time of England’s third national lockdown, the UK Financial Conduct Authority (FCA) warned in its Market Watch newsletter of the risks from reduced monitoring of employees and their communications.

“Risks from misconduct may be heightened or increased by homeworking. This includes increased use of unmonitored and/or encrypted communication applications (apps) such as WhatsApp, for sharing potentially sensitive information connected with work. Use of such apps can present challenges and significant compliance risks, since firms will be less able to effectively monitor communications using these channels”, the FCA wrote.

The FCA also made clear that firms it supervises must continue to comply with their usual recording obligations.

“Firms will need to ensure that, if such apps are used for in-scope activities on business devices, they are recorded and auditable,” it said.

Since then, there has been a steady stream of actions taken against firms, and individuals, for these kinds of breaches.

This included some very significant penalties in the US:

  • In December 2021, JP Morgan Chase & Co was fined US$125 million by the SEC and US$75 million by the CFTC for failure to monitor employees’ communications.
  • In September 2022, the SEC and CFTC announced a combined total of US$2 billion of fines as they completed long-running and wide-ranging investigations into practices at a number of well-known firms including Bank of America, Citigroup and Goldman Sachs.
  • On 11 May 2023, HSBC Securities and Scotia Capital admitted breaches of recordkeeping requirements by way of their employees' use of personal devices and apps for work communications, and significant civil penalties were imposed by the same regulators. The SEC said it had uncovered “pervasive and longstanding use of off-channel communications” at the institutions.
  • In August 2023, the SEC announced charges against 11 further financial institutions, including Wells Fargo Securities, BNP Paribas Securities and Houlihan Lokey Capital, “for widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications”. The firms agreed to pay civil penalties totalling $289 million. At the same time, the CFTC issued fines totalling more than $260 million.

Meanwhile, banks have taken their own measures against the individuals involved:

  • In the US, it was revealed in June 2022 that a senior investment banker at Credit Suisse had left his position a couple of months previously following an internal investigation into a number of employees’ use of personal instant messaging systems. This came shortly after the bank announced it was co-operating with an SEC investigation into compliance with US record-keeping requirements. [See Credit Suisse banker removed from role for unauthorised messages to clients, FT (14 June 2022)]
  • At around the same time, it was reported in the UK that HSBC had dismissed a London-based trader for similar reasons, following an internal investigation. [See HSBC dismisses trader over personal messages to client, FT (15 June 2022)]

UK regulators have been much slower to act than their US counterparts. In October 2022, it was reported that the FCA had issued information requests to a number of global financial institutions, including Citigroup, Nomura and Deutsche Bank, in relation to the use of instant messaging apps by staff. [See UK Watchdog Quizzes Banks About Staff WhatsApp Use, Bloomberg UK (October 2022)] These enquiries have not yet yielded any confirmed investigations or enforcement action by the FCA, although these may still materialise.

Interestingly, the Prudential Regulation Authority, in its April 2023 censure of Wyelands Bank Plc for historic regulatory failings, noted breaches related to the failure to centrally store WhatsApp messages used to discuss potential or actual transactions. In May 2023, the Competition and Markets Authority made provisional findings that five UK banks had breached competition law by allowing traders to exchange sensitive information in chatrooms during bond transactions.

More recently, it was reported that only 14% of firms that attended a webinar on the issue were confident in their approach to communications surveillance, with 12% stating they do not conduct any communications surveillance at all. Given the developments in the US, it is arguably only a matter of time before the FCA takes formal action against UK firms for failing to spot and address communications breaches. In fact, in October 2023, the FCA held discussions with its US counterparts on the way in which they handle unauthorised messaging apps. 

Employment issues

The problem for employers is twofold. If someone uses their personal devices for confidential, work-related matters, arguably the horse will already have bolted and the damage will already have been done before the employer becomes aware of it. In addition, data protection and privacy laws, and the European Convention on Human Rights, mean that monitoring employees can be something of a tightrope walk for businesses.

Nonetheless, employers would be wise to take preventative measures to guard against wrongdoing and mitigate the risk of hefty regulatory fines as well as reputational damage.

Some suggestions for employers include:

1. Notifying employees

Employers should inform employees, in advance (i.e. ideally at the start of their employment), that they will be subject to work-related monitoring and surveillance, which will extend to their use of IT, email and electronic devices and communications. Legitimate reasons as to why the employer needs to conduct the monitoring and surveillance in the way that it does should be provided. Importantly, employees should be informed of the nature and extent of the monitoring and surveillance, the degree of intrusion into their privacy, and the possibility that the employer may access the actual content of communications sent and received. Consideration should be given as to how long any monitoring is required, whether there is a less intrusive method of conducting the monitoring, and whether it should or could be limited in time and/or the number of people who have access to its findings. Employees should also be notified of the consequences of the monitoring.

2. Getting the basics right

Contracts of employment should include express provisions making it clear what the employer expects and requires of staff when it comes to trade secrets, confidential information, intellectual property, and IT, email and electronic devices usage and communications. These provisions should apply when in the office and when working from home. Contracts should also include clear provisions regarding staff monitoring, data protection, and privacy. Employers should consider their data protection policies and privacy notices, as appropriate.

3. Including an express clause in contracts regarding the reporting of wrongdoing

Employers should consider including a clause in their contracts of employment such that if a member of staff becomes aware of any wrongdoing, either on their own part or on the part of a fellow employee, they are under a contractual obligation to report it. This will help employers trace any wrongdoing to the relevant perpetrator(s), deal with it quickly (to the extent possible), and will hopefully act as a disincentive to staff. Failing to report would amount to a breach of contract which could result in disciplinary action and/or dismissal.

4. Having clear policies and procedures in place, and implementing them consistently

Employers should have well-drafted electronic communications, data protection, IT and email security, and disciplinary policies in place. They should also have a whistleblowing policy, so that employees who become aware of any wrongdoing, or of any individuals acting in breach, can report such matters without fear of reprisals. Employees could be required to sign an acknowledgment confirming that they have read the employer’s electronic communications, IT and email security policies and procedures, in particular, and accept their terms.

5. Having regular training and refresh sessions

We live in a hyper-available, ultra-contactable internet age. Almost everyone has a mobile phone in their pocket, meaning that the lines between professional and personal can become blurred quickly, easily and almost without thinking. Regular training and refresh sessions, reminding people of their obligations (both to the firm, as their employer, and to their regulatory bodies), will help keep staff aware of what is required of them and what will happen if they act in breach.

6. Providing staff with work devices

This can help employers establish ownership of and control over these devices (laptops, mobile phones etc.) and any work-related communications sent or received on them. Employers will be able to require staff to deliver up these devices immediately upon request at any time (employers ought to include a company property clause stating as much in their contracts of employment). However, employers should tread carefully with regard to personal communications on work devices. The courts have previously held that, depending upon the circumstances, employees have a reasonable expectation of privacy when it comes to private/personal messages.


Conclusion

There is no doubt that instant messaging is part of life and that it will be used, in some capacity or another, by employees when communicating with colleagues, clients and/or contacts. Firms therefore need to be realistic, nimble and proactively consider how they can meet their regulatory obligations in terms of monitoring and recording communications. It is important for employers to instil a “best practice” mentality amongst staff in this regard, and take what sensible steps they can (as outlined above) to mitigate the risks of regulatory action and damage to reputation.

Technology companies are working hard to address the apparent gap in the market, with some offering compliance-friendly messaging products where data is stored securely and with a right for the bank/firm to access. However, technology alone will not be enough to resolve the issue. Firms would be well-advised to consider their practices, policies and procedures carefully, and how they can be tightened, without falling foul of employment or data protection laws.

Further information

If you have any questions or concerns about the topics raised in this blog, please contact Francesca Lopez.

ABOUT AUTHORS 

Francesca Lopez is a skilled employment lawyer, with extensive experience acting on both sides of the negotiating table. From recruitment to termination, she handles the full spectrum of employment law matters, advising clients in a variety of sectors including but not limited to legal, financial and other professional services, technology, education, medicine, aviation and defence. She has a particular interest in acting for regulated clients.
