The use of messaging apps for professional communications has soared, accelerated in part by the coronavirus pandemic as more and more people are required to work from home. This increase has been seen across all industries.
In highly regulated environments such as the financial sector, employees using messaging apps need to be aware not only of financial regulations but also of those relating to security, transparency and data privacy, such as the EU General Data Protection Regulation (GDPR).
Not doing so puts organisations at risk of non-compliance, which can result in serious penalties.
As far back as 2017, the Financial Conduct Authority (FCA) highlighted the risks of using WhatsApp. The Securities and Exchange Commission (SEC) followed with guidance in December 2018 outlining that firms are responsible for monitoring electronic messaging, including instant messaging apps.
Despite regulators being clear about the risks of using messaging services, some financial firms seemingly failed to develop and implement robust guidelines on the use of messaging apps for professional purposes.
In January 2020, a senior credit trader at JP Morgan was suspended for communicating with colleagues via WhatsApp, and KPMG, Jefferies and VTB Capital were also investigated after employees were found to be using messaging apps.
Deutsche Bank banned all text messaging and communication apps on work-issued devices to improve its compliance standards, but many firms have yet to follow suit.
So, what are the implications of failing to implement a robust policy around the tools used to communicate within a bank or other regulated entity?
Privacy & Security
Consumer messaging apps in the workplace are a challenge for IT, HR, corporate governance and compliance teams because of data privacy laws such as the GDPR and CCPA. The financial and reputational cost of misuse in these ‘shadow communications’ channels can be significant.
Taking WhatsApp, one of the most widely used consumer messaging apps, as an example, any organisation using the platform could be non-compliant with the GDPR for the following reasons:
- Lack of explicit consent – anyone can be added to a WhatsApp group without their explicit consent. WhatsApp has since added a privacy setting that lets a user restrict who can add them to groups, but it is not enabled by default. Additionally, a user who grants WhatsApp access to their phone's address book uploads the details of everyone in it to WhatsApp/Facebook, even though those people have not given consent.
- Lack of ability to delete information – a message can only be recalled from other participants' devices within a limited time after it is sent; after that window, content posted to WhatsApp cannot be deleted.
- Lack of ability to get your own data back (SAR – Subject Access Request) – WhatsApp cannot provide an individual with the messages they have posted, only their profile information, because message content is not retained on its servers once delivered.
- Data is transferred outside the EU – it is not clear where exactly WhatsApp/Facebook moves and holds the data it collects.
In many scenarios, then, the use of WhatsApp for business purposes potentially breaches the GDPR. With consumer messaging apps, many companies do not even know what groups exist, let alone who is in them or whether former employees or contractors still have access to corporate information they should not, increasing the risk of data breaches.
Since the global financial crisis more than 10 years ago, financial institutions have had to work hard to demonstrate transparency. Increased regulation, including EMIR, the Dodd-Frank Act and MiFID II, has been put in place to give regulators the information they need to identify risk and detect market abuse, so financial organisations can no longer claim that limited visibility left them with no way of predicting another crisis.
While regulation is increasing transparency in the sector, consumer messaging apps such as WhatsApp, Signal and Telegram provide unofficial communication channels that are difficult to monitor, leaving employers and regulators alike with no visibility. This increases the risk of employees taking advantage of the situation, whether by conducting business in a way that benefits themselves or their clients, or in ways that could be considered immoral or illegal.
Like most businesses, financial organisations have a legal obligation to keep a record of conversations between themselves and their employees, clients or stakeholders, and in the event of a legal challenge the organisation may need to produce that record. However, many consumer messaging apps store message history only on the user's device rather than centrally, so the firm holds no such record: the only copy sits on an employee's phone and is gone if that phone is lost, wiped or replaced. This puts firms at serious risk.
Organisations also have legal obligations and a duty of care to protect their employees and ensure adequate oversight, governance and control, for example to protect against bullying, harassment or inappropriate behaviour in the workplace. Again, the lack of visibility and transparency around consumer messaging apps, including the ability to delete messages, makes it difficult for HR departments and legal teams to act quickly and may inhibit their ability to collect evidence.
Terms of service
Not only are consumer messaging apps not fit for purpose in a corporate setting, it is also likely that using them for business purposes breaches the platform’s own terms of service.
WhatsApp is used by over 40% of UK workers for professional purposes. Aside from the privacy and other legal problems, this appears to violate WhatsApp’s own terms of service, which state:
“WhatsApp is committed to using the resources at its disposal–including legal action–to prevent abuse that violates our Terms of Service, such as automated or bulk messaging, or non-personal use.”
Additionally, its terms state: “We make no representations or warranties that our Business Services meet the needs of entities regulated by laws and regulations with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities.”
What can the financial service industry do to minimise risk when using messaging services?
Companies in the financial services industry need a tailored approach to messaging in order to minimise risk. Messaging apps bring real benefits, such as increased productivity and collaboration, so excluding them completely closes off channels that improve operational efficiency.
After Deutsche Bank banned all text messages and communication apps on work-issued devices to improve its compliance standards, it introduced Symphony, an instant messaging service aimed at highly regulated financial firms, and integrated it with the consumer messaging app WeChat. This allows the bank to communicate with clients in real time while maintaining rigorous standards of data security and privacy protection.
There are also professional messaging apps, such as Hospify (developed for the healthcare sector) and Guild (used across all sectors), that have been built specifically as GDPR-compliant alternatives to consumer messaging apps like WhatsApp and Telegram.
Security, transparency, and compliance
No one would argue that security, transparency and compliance are anything but paramount in the financial services industry, but it is easy for unregulated consumer messaging apps to slip under the radar unless an organisation specifically sets out to acknowledge and address their use.
As workplaces, working practices and channels of communication have changed more in the past few months than in the previous few years, adhering to these three fundamental principles requires businesses to address the issues and risks associated with messaging apps by implementing robust policies on workplace communication and seeking viable, compliant alternatives.