The financial industry’s new favorite channels for non-compliant communication are “ghost communication apps” such as Signal and WhatsApp: platforms that facilitate the sending of encrypted, untraceable messages. Tracking these messages is extremely difficult or impossible, especially after they have been deleted. There are even options to send a message that will delete after 5 seconds, leaving no trace of its existence. With the temptation for illegal activities within the industry and the rewards that they can offer, it’s no wonder that incidents such as these have occurred using the technology:
- An employee at Jefferies was fined $48,000 for communicating confidential client info via WhatsApp.
- A case was built against Navnoor Kang, money manager of a $50 billion account, who accepted nearly $200,000 in bribes. The reports show that he was using WhatsApp “in an effort to keep their communications from being monitored by law enforcement.”
- A debt salesman at an investment bank used Signal to send screenshots of messages with confidential information in order to win more business.
Compliance professional and professor Warren Small advised authorities that “If you look the other way on this, it’s only going to get worse.” Luckily, authorities are taking action.
FINRA Regulatory Notice 17-18
FINRA’s response to the trend is contained in its Regulatory Notice 17-18. It starts by sharing a few statistics about the increased popularity of mobile and social media communications: 65% of adults used social media in 2015 compared to 7% in 2005, and 97% of smartphone owners regularly use messaging. This increased usage merits increased regulation.
The notice then points to past recordkeeping guidance, highlighting that businesses are required to keep records of all business-related communication (digital included), and that the content, not the medium it is sent by, is the determining factor in whether or not it should be archived.
Regulatory Notices 10-06 and 11-39 remind firms of their obligation to retain records of digital communications that relate to their “business as such” as required by Rule 17a-4(b)(4) under the Securities Exchange Act of 1934 (SEA). Regulatory Notice 11-39 notes that determining whether a communication must be retained depends on its content and not upon the type of device or technology used to transmit the communication.
FINRA also reminds organizations that they are responsible for training their workforce to know which communications should be archived, and for following through on archiving them.
Regulatory policy is clarified and bolstered in the first question the notice addresses, which pertains to communication apps:
Question 1: “Investors have sought to interact with registered representatives through text messaging applications (“apps”) and chat services. Is a firm required to retain records of communications related to its business that are made through text messaging apps and chat services?”
Answer: “Yes. As with social media, every firm that intends to communicate, or permit its associated persons to communicate, with regard to its business through a text messaging app or chat service must first ensure that it can retain records of those communications,” and later, “the content of the communication determines what must be retained.”
The notice is clear: if you are using a channel to send a message for business purposes, its content alone requires that it be archived, regardless of which platform is used to send it.
Stay Ahead of Compliance
Many workers use non-compliant channels for perfectly legal reasons. This would be fine if it weren’t for those people in years past who have taken advantage of the system and made all of this regulation necessary. Even if these channels are used for legal reasons, they give off a shady appearance and should be avoided for business purposes. We agree that the majority of workers and organizations in the industry want to do the right thing; however, it is important to look compliant as well as to be compliant.
The best way that your organization can ensure it is not negatively affected by non-compliant communication is to be prepared by implementing an archiving program and creating and enforcing communication guidelines. We have become experts in this area, equipping organizations with Retain Unified Archiving, which keeps a secure and complete record of all business communications. These organizations have drastically cut down time spent worrying about compliance because Retain quietly does its job in the background. When eDiscovery, litigation, or audits arise, the records are there and readily available.