16 Wall Street firms fined $1.8B for using private text apps, lying about it

The US Securities and Exchange Commission (SEC) has fined big-name banks and brokerages a collective $1.8 billion over workers’ use of private texting apps to discuss work and for not always saving those messages. The fines include $1.1 billion assessed by the SEC and a $710 million fine from the Commodity Futures Trading Commission (CFTC).

The SEC investigation uncovered what the agency called “pervasive off-channel communications” that were collected by the firms themselves from employee devices. The employees included senior and junior investment bankers and debt and equity traders.

Tens of thousands of the communications were intended to keep the banks’ internal compliance staff and regulators in the dark, according to the CFTC. And because many private communications channels are encrypted end-to-end, they leave no recoverable record for the bank’s supervision, the CFTC said in a statement.

“Another common theme is that the CFTC found senior executives — the very people responsible for keeping a bank’s house in order — who directed employees to use unauthorized communications channels and delete messages. Some executives even lied to the CFTC and SEC,” the CFTC said.

The use of unauthorized private apps, and failure to archive those communications, violates record-keeping and privacy rules. Both regulatory agencies called on the financial services sector to “fix internal policies and practices” to ensure US regulators and bank executives can prevent, detect, and correct unauthorized illegal communications.

The firms fined for the violations were: Barclays Capital Inc.; BofA Securities Inc., together with Merrill Lynch, Pierce, Fenner & Smith Inc.; Citigroup Global Markets Inc.; Credit Suisse Securities (USA) LLC; Deutsche Bank Securities Inc., together with DWS Distributors Inc. and DWS Investment Management Americas, Inc.; Goldman Sachs & Co. LLC; Morgan Stanley & Co. LLC, together with Morgan Stanley Smith Barney LLC; and UBS Securities LLC, together with UBS Financial Services Inc.

Two firms — brokerage Jefferies LLC and Nomura Securities International — agreed to pay penalties of $50 million each; brokerage Cantor Fitzgerald & Co. agreed to pay a $10 million penalty.

“Finance, ultimately, depends on trust,” SEC Chair Gary Gensler said in a statement. “By failing to honor their record-keeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust.”

In addition to significant financial penalties, each of the firms was ordered to prevent future violations of the relevant record-keeping provisions and was censured, the SEC said. The firms also agreed to retain compliance consultants to, among other things, conduct comprehensive reviews of their policies and procedures regarding the retention of electronic communications on personal devices and their respective frameworks for addressing non-compliance by employees.

Thomas Shuster, a research director with IDC’s Capital Markets Digital Transformation Strategies business who in the past was a registered agent of two broker-dealers and a registered advisor with a self-regulatory organization (SRO) under the SEC, said there was never any doubt about being subject to stringent record-keeping requirements.

“We weren’t even allowed to text and if we received texts, we had to create an image and maintain a record,” Shuster said. “That said, I don’t know if there’s momentum behind this action. My instinct is that the SEC made an example with these highly visible and deep-pocketed firms and will let the action speak for itself as a cautionary tale. Those appear to be significant fines for the given offense.”

Reports of impending fines first surfaced in July.

Bring your own device (BYOD) policies have long been the norm among financial services firms, but data privacy laws and record-keeping rules such as SEC Rules 17a-3 and 17a-4, the Dodd-Frank Act, Sarbanes-Oxley, FINRA rules, MiFID II, CCPA and GDPR all require regulated industries to archive business-related communications on a secure and reliable server or face significant penalties and fines — or even class action lawsuits.

The problem was less pervasive when only email was being used; corporate email servers could automatically store communications and archival software could provide regulators with specific messages using search tools.

But data privacy regulations make the use of consumer messaging apps in regulated industries challenging for IT, HR, corporate governance and compliance teams. And the use of “shadow communications” can risk massive damage to a firm’s finances and reputation.

“It’s the proliferation of these other channels of communication that’s causing the problem,” said John Lukanski, a partner in the law firm of Reed Smith LLP. He said the problem with avoiding instant messaging apps is that clients often prefer them, so financial service employees have to make a decision: please the client or follow the rules.

Many financial services firms decided long ago to create pre-approved communications channels through which messaging could be archived, and employees had to attest they’d comply with those rules.

“The problem is if you have those rules in place, you have to ensure compliance. And, even supervisors are using unapproved channels to communicate,” Lukanski said. “What really infuriates regulators is when they’re performing an investigation and they’ve gone into firms and asked for communications… and a certain percentage of communications has been done off channel. In other words, they can’t produce all the records, which impede the regulators’ investigations.”

The banking, financial services and insurance (BFSI) sector is one of the most heavily regulated because it has so much influence over the broader economy.

“It invites corruption, market manipulation, securities fraud, and other unscrupulous behavior that ultimately leads to financial crises, recessions, etc.,” said Michela Menting, a research director with ABI Research. “So, regulatory bodies like the SEC and CFTC must impose very stringent regulations and compliance requirements to maintain market integrity.”

Menting believes the issue goes beyond just private messaging apps; it’s about the ability to hold the financial services industry accountable at a time when many firms are undergoing digital transformation.

Secure messaging apps on private phones provide a fast and simple way to connect bankers and traders, supervisors and personnel, anywhere, anytime. And the technology is ubiquitous, cheap and always available.

While WhatsApp is the most popular consumer messaging app, more than a half dozen others are regularly used, including iMessage, Facebook Messenger, WeChat, Telegram, and Signal. All made their way into the workplace as smartphones have proliferated and corporate BYOD schemes matured.

“It makes [the apps] massively popular tools, and practically necessary in a post-pandemic world where the workforce is increasingly distributed,” Menting said via email. “But the problem is that such tools too often sit outside of a company’s purview, in that shadow IT realm, because they are on private phones. One could view it as laziness on the part of financial organizations (at least those that have been sanctioned); they have very specific compliance requirements, which they chose to disregard in favor of convenience.”

But laziness may be only half the story; the tools can also be used to obfuscate practices that might be considered unethical, if not illegal, Menting said.

Lukanski agreed, saying the risk of not archiving communications is that bankers and brokers can become involved in underhanded activities in the name of the firm they represent, and there’s no way to discover it.

But not all of the unauthorized messaging was for nefarious purposes. Much of the activity took place during the height of the COVID-19 pandemic, when employees were mostly working from home. It was simply easier to use a private, off-server messaging app, Lukanski said.

“I’ve always felt…you can always do better,” he said. “If you’re a firm not among those 16 fined, I don’t think you can say, ‘We dodged the bullet.’ You have every reason in the world to pay attention to the issue now.”

Financial institutions have two things they can do, according to Nader Henein, research vice president with Gartner’s Privacy and Data Protection practice. They can train their employees, and they can monitor corporate-owned devices.

“They can also monitor personal devices with the employees’ consent, but that is messy,” Henein said. “The weak link is sometimes the employee, but it is also the eternally strained relationship between the business and the governance teams.”

The SEC has been turning up the heat under US President Joe Biden to stop financial services firms from using unsecured apps for business. In December, JPMorgan was hit with a combined $200 million in fines from the SEC and the CFTC for failure to monitor and store electronic communications between 2018 and 2020. The SEC cited the use of WhatsApp, text messages, and personal email accounts for business matters.

Before that, in 2020, a senior credit trader at JPMorgan was suspended for communicating with colleagues at Jefferies, KPMG, and VTB Capital using WhatsApp. The latter were then also the subject of investigations after employees were found to be using messaging apps as unauthorized channels for communications.

That same year, Deutsche Bank took steps to ban all text messaging and communication apps to improve compliance standards, with many others, including HSBC, Citi, and Wells Fargo, moving to more secure communications platforms. Some firms, however, appear to be ignoring the implications of not having thorough policies against such practices.

“By bringing these cases at the same time, and in parallel with the SEC, the Commission is sending a strong message … that we will not tolerate efforts to evade our regulatory oversight — oversight that these entities signed up for when they registered with the Commission,” CFTC Commissioner Christy Goldsmith Romero said in a statement. “Those choosing to participate in US financial markets are on notice — the era of evasive communications practices is over. The CFTC will hold you accountable.”
