Regulators are zeroing in on WhatsApp. Here’s what Banks need to do
With 11 major banks now facing fines of $1.8bn over messaging violations, the use of WhatsApp in the enterprise has turned out to be a regulatory minefield.
WhatsApp now has over two billion users and is one of the most downloaded apps on both Android and iOS. However, while it might seem convenient to share information with colleagues or clients using one of the world’s most popular instant messaging apps, doing so can leave businesses in breach of legal regulations.
The last few years have seen a dramatic shift from legacy methods of communication in favor of social media and instant messaging channels. This change has naturally made its way into the workplace as well, especially in the wake of the pandemic, which saw the vast majority of employees working from home.
Unfortunately, while many have made WhatsApp a regular channel for business communications, sometimes even with the endorsement of higher ups in their organizations, most are unaware of the risks this presents. WhatsApp might help teams stay connected in the era of remote work, but doing so often comes at the cost of compliance and security.
What is the problem with using WhatsApp for work?
As a consequence of various security, privacy, and compliance risks, it’s perhaps no surprise that WhatsApp is squarely in the regulators’ crosshairs. This is an especially serious concern for financial services firms, which operate in a highly regulated space with strict record-keeping requirements.
In late 2021, financial services firm JPMorgan Chase were forced to pay $200 million in fines to two US banking regulators. A fine of $125 million was levied against the company by the Securities and Exchange Commission due to the potential of WhatsApp being used to circumvent federal record-keeping laws. Another fine, totaling $75 million, was levied by the Commodity Futures Trading Commission for allowing the usage of unapproved communications tools over the previous five years.
JPMorgan Chase is certainly not the only organization to find itself in hot water over the use of WhatsApp in the workplace as one of the biggest concerns recently has come with a price tag of over $1.8 billion.
Fines were issued by the SEC and CFTC to 11 finance groups in the US including major players such as Goldman Sachs, Morgan Stanley and Bank of America for recordkeeping failings. The financial institutions admitted to violating federal record-keeping requirements after an investigation uncovered what it called “pervasive off-channel communications”.
While shocking that these fines continue to grow, compliance issues with WhatsApp have been plaguing businesses for some time. WhatsApp was also hit with one of the largest fines to date under Europe’s General Data Protection Regulation (GDPR) within the last year. The €225 million fine was announced by Ireland’s Data Protection Commission and released along with a 266-page report detailing WhatsApp’s purported failings. On top of this the European Court of Justice has ruled that US-based tech companies, such as Meta, do not provide adequate data privacy for their European users.
Does this mean you should stop using WhatsApp for work?
Given the various security, privacy, and compliance issues we’ve highlighted above, it might appear that WhatsApp is irredeemable for business use. The most obvious solution would be to impose an outright ban. However, this would be practically impossible to enforce, and staff morale would take a huge hit given the important role that WhatsApp plays in many people’s lives. After all, at a time when many people are working from home long-term, a quick message from a colleague can make all the difference to an otherwise solitary working existence.
A far better solution would be to devise a policy governing the use of WhatsApp for work, much like the policies you probably already have in place concerning the use of email and personal devices. A comprehensive, yet easy-to-follow policy should provide examples of what sort of content and behavior is acceptable on the platform, along with a warning of the consequences of breaching those rules. Of course, staff also need to be made fully aware of your policy for it to be effective, so it’s important to send it out via email and other channels whenever it’s updated. Furthermore, employees must be able to demonstrate that they have read and fully understand the policy.
Naturally, a policy is only ever going to be worth anything if it’s properly enforced. Technology plays a vital role in policy-enforcement by providing additional layers of security, privacy, and control over your communications. With an optimal blend of policy and technology, businesses can give their employees the freedom to use WhatsApp and other personal messaging apps without fear of breaching company policy and industry regulations.
Keeping up with the legal obligations of records-keeping
WhatsApp messages are generally only stored on the devices used to send or receive them. Messages are only stored on WhatsApp servers until the recipient gets them, after which they are deleted. If a message is not received, it will be automatically deleted after 30 days. While this sounds good from a security perspective, it also presents issues with the record-keeping regulations that financial services firms and various other organizations are legally required to adhere to. Because there is no centralized or searchable repository for WhatsApp messages, there is no effective way to monitor or retain them.
Specifically, federal law, as well as similar laws in other countries, require financial services firms to retain meticulous records of any electronic messages between themselves and their clients. The purpose of these laws is to ensure that firms cannot use WhatsApp and similar platforms to skirt antitrust and anti-fraud laws.
Using WhatsApp in such environments requires a degree of third-party functionality to adhere to regulatory compliance. In such cases, it is vital that all your messages are centrally archived and readily available to compliance officers with integrated search and retrieval. Furthermore, these archives should ideally be protected by locally managed encryption keys that prevent anyone, including WhatsApp itself, from accessing your data. Only this way will you be able to meet the demands of SEC, GDPR, and FINRA while still using WhatsApp for your everyday business communication needs.