Social and Mobile Apps: Escalating Cost of Non-Compliance

Feb 25th '22

You’ve most likely seen the recent headlines: Big Bank X fined for use of WhatsApp, Global Bank Y fined for malicious text messages, broker-dealer firm fined for lack of oversight of a rogue broker operating under the alter ego of “Roaring Kitty” on Reddit…


Maybe you’ve also noticed the increased focus and scrutiny from the Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), Commodity Futures Trading Commission (CFTC) and other regulatory bodies via Regulatory Priorities letters. Or you’ve seen increased, expensive regulatory enforcement for improper or unauthorized use of digital communications.


How are financial services firms re-evaluating in this environment?

Smarsh sees a confluence of factors at play:


  1. A plethora of new communications tools that are familiar and easily accessible to a new generation of clients and staff
  2. A distributed workforce, where the activities of remote staff are more difficult to detect and monitor
  3. Market conditions (until events of the past few days) that are attractive to a segment of investors who are less experienced and more susceptible to fraud, schemes and market abuse


Buried underneath this is the analysis that firms have historically made in evaluating new communications tools in terms of assessing the business benefits against the risks and costs associated with those tools. Since the onset of the pandemic, the arrival rate of requests to support new tools has accelerated significantly. For any firm, large or small, this represents a tax upon compliance staff who fight to keep up with tools that they’ve already chosen to support.


Additionally, in weighing the potential risk and cost of regulatory action resulting from the misuse of these technologies, some firms may have relied upon previous enforcement patterns since the passage of the original FINRA 11-39 rule on social media, or the later amendment that brought text and other messaging formats under FINRA 17-18. Here are a few enforcement examples from the last few years for reference:


  • In January of 2016, FINRA fined an investment bank $1.5 million for electronic communication failures including failure to retain electronic records in WORM format and failure to retain text message communications from company-issued devices
  • In July of 2016, FINRA fined a brokerage firm $50,000 for failing to retain business-related communications including Bloomberg messages and WhatsApp instant messages
  • In September of 2020, FINRA fined a brokerage firm $100,000 for willfully violating recordkeeping rules by allowing prohibited text message communications
  • In December 2021, the SEC and CFTC fined a global bank $200 million for failure to preserve records after the bank admitted that its employees often communicated about securities business matters on their personal devices, using text messages, WhatsApp and personal email accounts
  • In February of 2022, a UK-based bank alerted investors in their 2021 results that they are under investigation by the CFTC over the use of unapproved messaging platforms for business communications, including WhatsApp


With the recent announcement that the SEC opened a broad inquiry into how Wall Street banks are keeping track of employee’s digital communications, particularly whether these banks have been adequately documenting employees’ work-related communications such as text messages and emails, with a focus on their personal devices, we expect to see more fines in the coming year.


This is not to imply that all firms are behaving negligently. It is more to suggest that this risk, given its expected timing and negative outcome, could easily have sat lower on the investment priority list than items with a higher probability or history of larger regulatory fines. With the most recent regulatory actions in mind, it may be time to revisit that analysis.




What firms can do now

The simple starting point is for firms to ask themselves these questions:


Do you really know what tools are being used by your employees to communicate with the market and collaborate internally?
The pandemic and hybrid work have reduced visibility into how individuals are getting their jobs done and make familiar, comfortable tools like mobile apps more likely to cross over from personal lives into business activities. This caught some firms off guard, but others had already been experiencing a shift as younger employees and clients pushed firms toward supporting new communications tools such as WhatsApp and other social apps.


Is your benefit/risk/cost equation still accurate?
Before the $200 million fine, regulators had not pursued deficiencies in social media and text messaging with such ferocity. Fines have historically been much smaller and centered on email, WORM format, text, or generally “electronic communications.” Larger fines were typically seen with long-running deficiencies in recordkeeping. Since 2021, fines have spiked, and the SEC is conducting sweep exams. The combined effect of more retail investors in the market, their preference for newer tools, and the scammers and fraud those tools attract has gotten the attention of regulators.


Most firms will evaluate the benefits they would gain by allowing use of new tools against the cost and risk of those tools being used inappropriately. They need to rein in unapproved channels and tackle policies and procedures for the channels they are using.


How frequently and systematically are you monitoring for use of prohibited networks?
Many firms have defined processes to periodically inspect for the use of prohibited tools (e.g., looking for breadcrumbs indicating that a specific platform like Discord is being used), but practices remain ad hoc and semi-automated. Every firm should have front-line policies to look for outside business activities (OBA) or other potential conflicts of interest that are likely happening on dark-corner platforms. The adage holds that those intent on wrongdoing will go where they believe they can avoid detection (just ask my teenagers).


When was the last time you updated your acceptable use and retention policies?
For many firms, reviewing retention policies is not the most exciting way to spend one’s day, but communications policies can easily become out of date, or even unintentionally biased towards the centrally IT-controlled tools we used back in the office. Additionally, firms may not be updating those policies based upon new features or capabilities of tools that they already support (e.g., auto-generated transcripts, whiteboards, bots, etc.). It may be time for firms to make sure that policies are aligned with how business is being conducted today.


What training and attestation programs are in place to ensure employees know what to do?
Training on the appropriate use of emerging tools should not be static: it should be specific to the tools being used and the role of the individual using them, with clear consequences laid out for activities that are prohibited. Many firms did not have the ability to take this step at the outset of the pandemic, but with the likely future of hybrid work lying ahead of us, now is the time.




How Smarsh can help

Financial firms must come to terms with many changed factors. The workplace has changed, and the regulators expect due diligence in a digital world. Fortunately, there is good news. With a scalable, end-to-end solution for capturing, archiving, supervising and making sense of digital communications data, firms can ensure compliance, manage risk comprehensively, and avoid being the next headline.


Featured webinar: 2022 FINRA Exam Priorities – Year of the Retail Investor: Watch On-Demand


Source: Smarsh – Authors: Robert Cruz & Tiffany Magri


About the authors: 

Robert Cruz – Vice President, Information Governance at Smarsh

Robert is Vice President, Information Governance for Smarsh. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and discovery cost and risk reduction.


Tiffany Magri – Regulatory Advisor at Smarsh

As a Regulatory Advisor at Smarsh, Tiffany monitors, evaluates and consults on the financial services regulatory landscape. Tiffany has more than 10 years of experience facilitating compliance with laws and regulations, policies, and risk management. Prior to joining Smarsh, Tiffany was a Senior Associate at Benefit Street Partners and a Compliance Analyst at Broadstone and Manning & Napier Advisors.

