Enforcement risks for firms: unauthorised communication applications

Increasing regulatory scrutiny of unauthorised communication applications

Regulators in the UK and the U.S. have been unequivocal in their recent message that the unauthorised use of unmonitored personal devices and encrypted communication applications can pose significant risks to firms. 

Last month, U.S. regulators reached settlements with a number of firms following a probe which was prompted by employees’ widespread use of unauthorised (and unmonitored) messaging applications. Just over a week after these settlements were made public, the FCA took enforcement action against a UK broker in relation to market abuse reporting failures. Although these points did not form part of its formal findings against the broker, the FCA observed that the broker had in place no policies or training which covered restrictions around the use of personal devices and encrypted messaging applications for business purposes and also noted that a number of the broker’s employees had been using encrypted chat applications on their personal mobile devices to communicate with, and take orders from, clients when they were not authorised to do so.

The FCA’s interest in this area is not new. Back in 2017, the FCA took enforcement action against a former investment banker, for sharing client confidential information over WhatsApp with friends. However, the communications in that case were not part of the individual’s business activities, but rather the FCA found that they shared this confidential information with friends to “impress” them. 

In January 2021, the FCA used its Market Watch newsletter to warn firms about increased risks associated with homeworking, including “increased use of unmonitored and/or encrypted communication applications such as WhatsApp for sharing potentially sensitive information connected with work”, noting that this “can present challenges and significant compliance risks, since firms will be less able to effectively monitor communications using these channels”. More recently, it has been widely reported that the FCA has issued information requests to a number of firms about the frequency and content of employee exchanges through communication applications, suggesting a reinvigorated focus on this area.

What are firms’ UK obligations? 

The FCA has not prohibited use of personal devices or encrypted messaging applications for business purposes. Rather, the FCA requires firms to adhere to specific recording obligations in relation to electronic communications and telephone calls that relate to certain in-scope activities. More generally, the FCA will expect firms to have appropriate systems and controls in place relating to permitted methods of electronic communications, their ability to monitor them and retention arrangements in order to comply with their obligations under the FCA’s Principles for Businesses.  

What does this mean for firms in practice? 

In light of the recent regulatory scrutiny in this area, many firms have reaffirmed an outright ban on employees using personal devices and encrypted messaging applications for business purposes, whereas others have decided to permit use of encrypted messaging applications on work devices provided that the firm has installed appropriate surveillance software.

Firms that have not already done so should carefully consider and, if necessary, revisit their approach to employees using personal devices and encrypted messaging applications for business purposes. The following are some of the most common issues we have seen clients consider and grapple with in this area:

• Clear policies and training: Firms should ensure that their policies are clear about what restrictions apply to employees using personal devices and/or encrypted messaging apps and that these restrictions are also clearly spelt out in training. Some firms are also requiring their employees to provide regular attestations about their adherence to these restrictions.
• But having clear policies alone is not enough: Firms need to look out for examples of where employees may not be adhering to these policies. For example, if issues about the use of personal devices and/or encrypted messaging applications for business communications arise in an internal investigation into a different topic, firms should not just walk past this issue. What a firm should do in this situation will depend on the relevant context, but in appropriate cases firms should consider whether this issue may indicate more widespread use of personal devices and/or encrypted messaging applications for business purposes in breach of restrictions which needs to be addressed. Where these issues arise in the context of regulatory investigations, firms should expect a heightened degree of sensitivity and interest from regulators.
• Issues with obtaining employees’ personal devices: Where firms suspect that personal devices may have been used for business communications which are relevant to an internal investigation, firms will find that they cannot force employees to hand over their personal devices for inspection or imaging. However, if employees refuse to hand over their personal devices or requested content from them in this context, firms can draw an adverse inference in any related disciplinary processes, and when considering whether an employee has complied with their personal regulatory obligations under the Senior Managers and Certification Regime.
• Potential evidential issues: Some of the most widely-used encrypted messaging applications include a variety of functions, including the ability to edit or delete messages after they have been sent, or to allow sent messages to ‘disappear’ after a certain amount of time. Firms using messages sent and received on these applications as evidence in investigations should therefore proceed with caution in terms of what evidential value can be placed on these messages, given the risk that they may be incomplete or edited.
• Keeping pace with technological advances: Technology is constantly evolving and, whilst there are always new communication applications on the horizon which will present challenges, others present the opportunity for enhanced surveillance. Firms should consider how the emergence of new software and services from compliance technology vendors that enable recording and tracking of communication applications might be deployed positively on work devices to help ensure on-going compliance with monitoring and recording obligations. However, any proposals to introduce new monitoring software will need to be tested rigorously.