Financial Firms’ WhatsApp Chats Yield $400 Million in SEC Fines

After collecting over $2 billion in earlier penalties, the regulator imposed new fines for third-party app use by finance businesses that are required to document all professional communications.

BY BRUCE CRUMLEY @BRUCEC_INC

AUG 16, 2024

When the pandemic forced countless employees to begin doing their jobs from home instead of in the office, most businesses relaxed their tech rules to facilitate the switch. Rather than insisting staff use only company-issued computers and mobile phones as before, many companies embraced the Bring Your Own Device (BYOD) approach and allowed workers to use their personal IT gear for work instead. But the pragmatism created some risks for employers allowing a mix of private and business communications. That’s especially so in the financial sector, where over two dozen companies were fined billions by regulators over repeated employee use of prohibited third-party apps like WhatsApp.

This week the Securities and Exchange Commission (SEC) fined 26 financial companies nearly $400 million for infractions of its rules requiring documentation of all work-related communications. The regulator penalized mostly broker-dealer and investment advisory businesses whose employees used apps like WhatsApp, iMessage, and Signal to message colleagues and clients. Doing so, the SEC charged, failed to respect the companies’ requirements to maintain full records of professional exchanges, so investigators can consult them if questions arise–or crises wind up costing investors money.

Companies agreeing to pay SEC fines of between $400,000 and $50 million included Ameriprise, Edward Jones, LPL Financial, Bank of New York Mellon Corp, and Raymond James. The total $392.7 million in penalties came atop over $2 billion in penalties the regulator previously imposed, following its initial 2021 investigation into so-called off-channel communications applications by financial sector businesses.

The SEC’s announcement of the sanctions did not indicate it detected any devious or illegal actions by the 26 companies or their staffs that used the apps. The problem was that regulators regard any use of third-party channels as a threat to transparency rules intended to ensure fair conduct. As a result, investigators “uncovered pervasive and longstanding use of unapproved communication methods,” which resulted in “widespread and longstanding failures by the firms and their personnel to maintain and preserve electronic communications.”

The previous penalties levied against companies including Bank of America, Citigroup, and Goldman Sachs included individual fines of as much as $200 million. That clearly wasn’t enough to convince other businesses to stop messaging app use for work.

Indeed, with recently obtained evidence and testimony indicating some employees had been actually encouraged to use the apps on the job–and then deleted messages when the SEC sought access to their devices–the regulator pledged to continue its offensive until the entire industry was in compliance with its rules.

“As today’s enforcement actions against more than two dozen firms reflect, we remain committed to ensuring compliance with the books and records requirements of the federal securities laws, which are essential to investor protection and well-functioning markets,” said Gurbir S. Grewal, director of the SEC’s Division of Enforcement.

The importance of obliging finance companies to keep all records of their communications became clear when regulators and Congressional committees investigated the causes of the 2007 financial crisis. Emails they obtained from Wall Street banks included executives referring to toxic subprime mortgage-backed products they sold as prime investment opportunities to customers before the crash as “crap” and “pigs.” Other documentation revealed troves of critical evidence about what went on between Wall Street professionals ahead of the meltdown they provoked.

Given that history, the SEC argues enforcing continued record-keeping compliance–and battling off-channel tech that escapes documentation–remains one of its best means of monitoring financial company activities. Ongoing consultations of those documents, it says, allow early detection of any troubling or potentially illegal practices, while archived communications can be scrutinized during investigations when serious problems arise.

But using personal devices for work–or third-party apps on company IT gear–creates other kinds of risks for non-financial companies, as well as benefits.

According to tech service management business N-able, employees using their own computers, phones, and tablets for their jobs increase their productivity by 38 percent, and save their employer an average of $350 per year.

But that mix of personal tech and professional activity also greatly increases the risks of data loss, incompatible or outdated software being installed, and malware threats. And with less support and monitoring of that gear by in-house IT geeks, the risk of phishing spam making it into email queues–and hackers accessing company networks through those scams–also rises.

That’s why it’s crucial for employers to vet personal devices used for business and have company tech staff install appropriate security protections and enable remote monitoring to ensure their safety. Short of that, outside specialists should be called in to regularly audit BYOD reliability, and remind staff of precautionary measures needed to make sure their personal devices don’t become threats to the company.

And just to be cautious, employees might also be reminded not to accept text messages or calls through third-party apps from financial sector professionals–for everyone’s sake.
