You need to understand all the risks and what steps you should take
Financial services businesses are regulated organisations which must follow rules that include very strict record-keeping obligations. The reason is to preserve the integrity of the industry and maintain trust, and this means all business communication must be recorded. By failing to do so, regulators are unable to do their job to protect investors, consumers and the public.
The challenge is with the explosion in personal communication tools, such as WhatsApp, and personal devices being used in the workplace. It is very quick and convenient for staff to use these tools to communicate either internally or externally instead of using the tools provided by their firm, which are also unlikely to provide a platform for instant messaging externally with anyone.
The most prominent communications tool is WhatsApp, which now has at least 2 billion monthly active users globally. 100 billion messages are sent daily and the average user spends at least 38 minutes on it each day.
It’s time to act now
In recent years, regulators have started to get very concerned about how WhatsApp and other tools are being used to perform regulated business.
For example, in 2022 Securities Exchange Commission (SEC) charged 16 Wall Street Firms with widespread recordkeeping failures and handed out penalties totalling more than $1.1 billion. More recently the SEC is now investigating a number of smaller hedge funds (including many based in London) for similar reasons.
Also closer to home in the UK, the Financial Conduct Authority (FCA) is also ratcheting up its supervision and warnings in this area and it’s thought very similar investigations have started, similar to the US.
In response to the above, we provide a simple 5-step guide to approaching this issue.
1. Resistance is futile
All firms need to accept that it’s highly likely that a great number of their staff are using WhatsApp, in some manner for business purposes. It has become clear that simply telling staff not to use WhatsApp doesn’t work. Even if staff don’t intend to use it as a business communication tool, if they share their mobile number, because of the ubiquitous nature of the platform, they are likely to receive inbound messages from external sources (e.g. clients, suppliers etc). Of course, there are also many areas, such as business development, which is so dependent on building new relationships. It’s become almost impossible to operate without it.
Face the facts, your staff are likely to be using it, so you need to understand to the risks.
2. Understand your risks
There are many risks, such as data loss, security risks and privacy, but compliance issues are what is leading most firms to look at this. The need to either record all business communication, or “relevant” communication means that anything which is sent over WhatsApp and isn’t recorded will result in non-compliance. Many firms will no doubt already have a policy on using such forms of communication, typically banning it, and that they have the right to perform “surveillance”. The challenge is this surveillance is very difficult to police, particularly if they are using personal devices over which the company has no control.
3. Don’t be afraid to embrace it
By understanding the risks and how and where it’s being used, and the potential value of it to your business, teasing it out of the shadows can become a user-driven opportunity. By looking for and talking about solutions, it will send a clear message to business users that “we understand the business benefits of WhatsApp” and a solution can be provided for those who need it for communication within some agreed scenarios.
4. Find the right solution
There are various technical solutions on the market, however, it can be very time-consuming for firms to understand and select the right approach. The complexity is that WhatsApp is predominately used for personal communication, and when using a personal device (BYOD), a user is unlikely to be happy with having all their personal communication recorded. Therefore, a secondary phone number will then need to be provided with a second instance of the WhatsApp application which is controlled by the business. It is still down to the user to use the correct version of WhatsApp on their phone (business/personal). These solutions will typically offer the ability to hook directly into the company’s existing compliance vault which, for example, is used to record emails and internal messaging platforms.
5. Have a communications policy in place
As ever it’s not just about the technology, firms should have an instant messaging communication policy which provides clear rules on when and how WhatsApp can be used, e.g. for what purpose, how the communication is recorded, what rights the company has on the communication and the difference between a personal vs business device.
Also don’t forget to set a communication policy with third-party suppliers/customers and anyone with whom you are communicating. They must know there is a compliance policy in place and that all messages are recorded. Financial firms need to obtain explicit consent from customers before using WhatsApp, and additionally, users should have the option to opt out of such communication channels.
Is it time for you to consider recording WhatsApp communication?
If you would like to know more about solutions for compliant recording of WhatsApp communications within your regulated business, feel free to get in touch.