What to do About WhatsApp
Sales material for compliance technology focuses on crime. In reality, most people working in Capital Markets are law-abiding, and a large part of the RegTech industry exists to help institutions demonstrate that supervision and record-keeping regulations are being adhered to. When that is found not to be the case, fines follow. We highlighted this example back in 2016; it was relevant to both compliance technology and trading floor design. No specific crime was reported, but red flags for non-compliance were ignored for an extended period. The most recent big examples were fines for unmonitored, “off-channel” communications using WhatsApp.
The WhatsApp Problem
The main problem with WhatsApp is its ubiquity: at the time of writing, global user numbers were estimated at 2.7 billion. People look at the app’s end-to-end encryption and assume that any clandestine communication over it by people in the trading community is automatically nefarious. For most of these users it is simply easy, portable, widely shared functionality, much as it is for the rest of us. However, when unlawful conversations do take place, it is reasonable to assume that an unrecorded channel is where they will happen.
There is no doubt that all electronic communications channels used by supervised users need to be recorded. Regulatory wording about what must be captured has widened in scope, as has the range of people and companies it applies to. In Europe, MiFID II Article 16(7) requires:
“the recording and storage of telephone conversations or electronic communications relating to transactions concluded when dealing on own account and the provision of client order services that relate to the reception, transmission and execution of orders […] even if those conversations or communications do not result in the conclusion of such transactions.”
In the US, the Dodd-Frank Act requires that:
“Any information or conversation that leads to a financial transaction must now be recorded and securely stored – including fixed and mobile phone calls, as well as other digital communications. All recordings must be consistently time-stamped, securely stored, and easily accessible on a WORM [write once, read many] storage.”
In the UK, the FCA’s SYSC 9.1 rules require firms to maintain accurate and complete records of all communications, regardless of the medium used, and reference frameworks such as MiFID, MiFIR and MAR. Further provisions, including SYSC 13.9, SYSC 3.2.6 and sections of SYSC 10A, require firms to use encryption to protect client data from unauthorized access or theft, to obtain written consent from clients before a recorded app is used, and to inform them of the risks of using the app.
A financial firm can try to limit the channels its staff use, but its clients will have their own preferences. If they want to host video conferences on WebEx, Zoom or BlueJeans, talk on Cloud9, or text chat on ICE Chat or Murex, the firm will accommodate them. For encrypted chat platforms like WhatsApp, Signal or Telegram the situation is slightly different. The pressure is still there, but the recording rules apply to banks, brokers, investment managers and commodity traders alike, so in most cases neither party should be using these systems unless, of course, they can be effectively captured.
Usage of WhatsApp in regulated industries increased dramatically during the pandemic, when people were working remotely, and the trend has not reversed. Most banks had taken the stance of a blanket ban on WhatsApp use, but that position is becoming harder to justify, and the fines have focused attention.
Eventually, it is possible that as Microsoft Teams becomes fully integrated across Financial Services, with compliance wraparounds in place, its own mobile messenger will become so prevalent that other chat usage can be banned again, especially once federation puts all of a user’s contacts in the palm of their hand. For now, though, the problem of WhatsApp persists, and solutions do exist.
Some solutions involve provisioning a separate, corporate version of WhatsApp on users’ phones, with a different phone number to give to clients. A WhatsApp “wrapper” can be deployed via a mobile device management (MDM) or enterprise mobility management (EMM) platform to provide archiving of WhatsApp messages on iOS and Android devices and on the web and desktop versions of the app. Other solutions use virtualization to co-host two or more secure virtual environments on a single mobile device. For financial institutions it is important that records from every channel reach a central compliance archive and that the dependability of this process can be demonstrated.
There are a number of offerings on the market; as ever, the levels of functionality and maturity vary, and we will not attempt to list them. Beyond the ability to integrate with central archives, the key requirement is user experience. While client consent is required to authorize recorded WhatsApp usage, as described above, many of these solutions place no requirement on the counterparty to install anything. It is the supervised user who has a separate icon on their phone, and there is no delay in starting chats.
Capture and Archiving Strategy
If it is not WhatsApp, it is something else. Banks in different parts of the world may cite WeChat, Telegram or LinkedIn as the next capture headache. Strategically, banks need to be able to bring new streams within a compliant framework painlessly. While capture solutions tend to be relatively straightforward on an individual basis, the strategic focus shifts to effective storage, reconciliation, replay, surveillance and trade reconstruction. Financial institutions need to be able to satisfy themselves and regulators that all required recordings have been made and are accessible in a chronological, multi-channel format.
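The three things the archive has to prove, a single chronological timeline across channels, reconciliation against what the capture connectors say they delivered, and evidence that nothing was altered afterwards, can be shown in a few dozen lines. The example below is added here and is not code from the article or from any vendor product; the record layout (a per-channel sequence number, a sender and an ISO-8601 timestamp), the connector manifest and the message contents are all constructed for illustration. The whatsapp records carry a +01:00 offset while voice and email are in UTC, so a naive sort on the raw timestamp strings would put the voice call before the first WhatsApp message even though it happened later; normalising to UTC first is what makes the timeline usable for trade reconstruction. The hash chain is a tamper-evidence check that complements WORM storage, not a substitute for it.

```python
"""Chronological multi-channel merge, capture reconciliation and a
tamper-evidence hash chain over an archive of communications records.
Illustrative example; record format and manifest are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample captures (not real data). Each capture connector delivers
# one dict per message. Note the mixed UTC offsets and the deliberately missing
# WhatsApp sequence number 3, which reconciliation must surface.
SAMPLE_CAPTURES = [
    {"channel": "whatsapp", "seq": 1, "ts": "2024-03-04T08:59:30+01:00",
     "from": "+44700000001", "text": "can you work 5m EUR/USD?"},
    {"channel": "voice", "seq": 1, "ts": "2024-03-04T08:01:10Z",
     "from": "ext-4412", "text": "[transcript] morning, any interest in the 10y?"},
    {"channel": "whatsapp", "seq": 2, "ts": "2024-03-04T09:00:05+01:00",
     "from": "+44700000002", "text": "yes, 1.0850 offer"},
    {"channel": "whatsapp", "seq": 4, "ts": "2024-03-04T09:01:40+01:00",
     "from": "+44700000001", "text": "done at 50"},
    {"channel": "email", "seq": 1, "ts": "2024-03-04T08:03:00+00:00",
     "from": "sales@example.invalid", "text": "Trade confirmation attached"},
]

# Constructed connector manifest (assumption): number of messages each
# connector reports having captured for the period being reconciled.
SAMPLE_MANIFEST = {"whatsapp": 4, "voice": 1, "email": 1}


def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset (or trailing Z) to aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalise(record: dict) -> dict:
    """Copy the record and add a canonical UTC timestamp used for ordering."""
    out = dict(record)
    out["ts_utc"] = to_utc(record["ts"]).isoformat()
    return out


def merge_chronological(records: list[dict]) -> list[dict]:
    """Order all channels on one UTC timeline. Ties fall back to channel and
    sequence number so replay produces the same order every time."""
    return sorted((normalise(r) for r in records),
                  key=lambda r: (r["ts_utc"], r["channel"], r["seq"]))


def reconcile(records: list[dict], manifest: dict) -> dict:
    """Compare what reached the archive with what each connector claims it
    captured, reporting counts and any missing sequence numbers per channel."""
    report = {}
    for channel, expected in manifest.items():
        seqs = sorted(r["seq"] for r in records if r["channel"] == channel)
        missing = sorted(set(range(1, expected + 1)) - set(seqs))
        report[channel] = {"expected": expected, "archived": len(seqs),
                           "missing_seq": missing}
    return report


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_chain(records: list[dict]) -> list[str]:
    """SHA-256 hash chain over the ordered records: each digest covers the
    previous digest plus the canonical record, so altering, dropping or
    reordering any record changes every digest after it."""
    prev = "0" * 64
    chain = []
    for r in records:
        prev = hashlib.sha256(prev.encode() + canonical(r)).hexdigest()
        chain.append(prev)
    return chain


def verify_chain(records: list[dict], chain: list[str]) -> bool:
    """Recompute the chain from the records and compare with the stored one."""
    return build_chain(records) == chain


if __name__ == "__main__":
    timeline = merge_chronological(SAMPLE_CAPTURES)
    for r in timeline:
        print(f'{r["ts_utc"]} {r["channel"]:8} #{r["seq"]} {r["from"]}: {r["text"]}')
    print("reconciliation:", json.dumps(reconcile(timeline, SAMPLE_MANIFEST)))
    chain = build_chain(timeline)
    print("chain intact:", verify_chain(timeline, chain))
    tampered = [dict(r) for r in timeline]
    tampered[0]["text"] = "can you work 50m EUR/USD?"  # edited after archiving
    print("tampered chain intact:", verify_chain(tampered, chain))
```

Run as a script it prints the merged timeline, a reconciliation report that flags whatsapp as 3 of 4 archived with sequence 3 missing, and shows the chain verifying for the untouched records and failing once a single message body has been edited. In practice the manifest would come from the connector's own delivery receipts and the chain head would be written to WORM storage alongside the batch, so that a regulator can be handed the records and the head digest and recompute the rest.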