Banks face a WhatsApp reckoning as regulators clamp down on messaging apps

As regulators hand out hundreds of millions of dollars in fines for record-keeping failures related to the use of social messaging platforms such as WhatsApp, the finance industry faces a choice: properly enforce bans on the use of these apps or find ways to make them compliant.

“The explosion of new digital communications channels — and the pervasive use of those — raises a number of red flags for the regulators,” said Anthony Diana, a partner at law firm Reed Smith’s Tech & Data Group. “The worry is that, if bad things are happening, they're happening on these personal apps, not on the sanctioned communication channels that are surveilled.”

Apps such as WhatsApp have been around for years, but their use in the financial sector grew during the COVID-19 pandemic as financial advisers and traders worked from home and sought ways to keep in touch with colleagues and clients.

Banks often banned such consumer apps outright, but that stance has begun to shift for some firms that are now opting instead to capture conversation data for compliance purposes. That allows staffers to use the communication tools they prefer (and, most importantly, the tools their clients prefer) while staying on the right side of regulators.

“Addressing regulatory requirements around capturing, archiving, and monitoring the use of mobile communications is a difficult problem,” said Raúl Castañón, senior analyst at 451 Research, a division of S&P Global Market Intelligence. “The shift to hybrid work and the growing use of mobile communications post-pandemic make it increasingly relevant for organizations to enable compliant communications.”

Said Diana: “There's recognition that people are still going to use some email, but there needs to be other ways of communicating. Now, the push is on to determine the channels that make the most sense from a business perspective, and then make sure that the technology is in place to make sure it is captured and surveilled correctly.”

With two billion active users, WhatsApp is the most popular consumer messaging application, though it’s far from the only one. iMessage, Facebook Messenger, WeChat, Telegram, and Signal have all made their way into the workplace as smartphones have proliferated and corporate “bring your own device” schemes mature.

It comes down to simplicity and convenience, said Ari Lightman, distinguished service professor, digital media and marketing, at Carnegie Mellon University's Heinz College of Information Systems and Public Policy. “Why would you use a platform that is theoretically not provided by your company? Because of ease of use. We spend so much time in email that it becomes a time sink; everybody becomes horribly inundated, so they go to messaging apps.”

While the use of unsanctioned communication apps can be a headache for any company, the problem is more acute in highly regulated industries. Banks are compelled by regulators to keep a record of employees’ business-related communications to help tackle fraud, insider trading, market manipulation, and other forms of misconduct.

Even if the vast majority of messages sent are harmless, the use of social messaging apps means regulators lose visibility into what’s being discussed. “That is the crux of it: if you do not know what's happening on these platforms, there's suspicion associated with it,” said Lightman.

US regulators target tier-one firms

It’s not a new problem in the finance sector. Fines have been levied for noncompliant use of various communications technologies for years, but regulators have begun to take an even tougher stance on personal messaging apps in recent months.

Most notably, JPMorgan was hit with a combined $200 million in fines from the US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) in December for failure to monitor and store electronic communications between 2018 and 2020. The SEC cited the use of WhatsApp, text messages, and personal email accounts for business matters, a common practice even among senior staff members tasked with enforcing compliance with company policies.

And it has proved to be just the start: Citigroup, Goldman Sachs, and HSBC were among the banks that announced cooperation with an SEC investigation in annual financial results statements earlier this year. Reports have since emerged that Citi, Bank of America, and Goldman Sachs are in talks with regulators to pay around $200 million due to a failure to monitor unauthorized messaging apps. Barclays and Morgan Stanley have both reportedly set aside a similar amount for related fines.

But while it’s the large banks that have drawn the ire of regulators so far, the issue is widespread across the industry. “Every financial institution that’s subject to these regulations is in the crosshairs of the regulators,” said Diana. “They’re starting with the big [banks] because that sends the message to the entire industry that this is a focus.”

Capturing WhatsApp messages

Banks have long been able to access software and services from compliance technology vendors that enable the recording of SMS and voice data. As the use of social messaging apps has become more pervasive, some vendors have in recent years added capabilities to track those apps too.

There are different approaches to achieve this. For some, it involves provisioning a separate, corporate version of WhatsApp on a user’s phone, with a different phone number to hand out to clients. A WhatsApp “wrapper” can be deployed via a mobile device management (MDM) or enterprise mobility management (EMM) platform to provide archiving for WhatsApp messages on iOS and Android devices, as well as desktop versions of the app. “Other options include the use of virtualization technology that enables co-hosting of two or more secure virtual environments on a single mobile device,” said Castañón.

It’s usually possible to capture instant message data from direct messages and group chats, as well as voice and video calls, shared links, files and other attachments.

Some of the main vendors offering WhatsApp capture include Guardec, LeapXpert, Movius, Symphony, TeleMessage, and Voxsmart.

Movius, which also sells software to monitor and record voice calls, SMS, and WhatsApp messages on mobile devices, counts JPMorgan Chase and UBS among its customers. The Financial Times recently reported that German lender Deutsche Bank has told its staff to install the app on smartphones.

Movius declined to comment on its customers, but Movius CEO Ananth Siva said banks are increasingly aware of the need to provide staff with whichever tools they use to conduct business.

“If you do not equip them with a channel that the clients of the firm are asking to interact on, then you are going to have all these challenges [with regulators],” said Siva. “All the firms we're working with right now are very, very conscious of this. Some of them have been working at it for a number of years and are better equipped to handle these challenges, others might be fast followers.”

Movius’ approach is to provide an app that can be downloaded on an employee device, creating a separate phone number that is used for business-related communications. All messages sent or calls made via the number can be automatically recorded. With the app installed, finance professionals can send WhatsApp messages to clients, who receive a notification asking them to “opt in” to monitoring of the conversation, though clients don’t need to install the app on their own device.

The prospect of monitoring messaging apps inevitably raises privacy concerns, even in an industry that’s already subject to extensive monitoring. A requirement that employees install monitoring apps on their personal smartphones could lead to some difficult conversations, not least with senior executives.

However, Siva said the Movius app siloes communications from the rest of a user's smartphone, enabling them to have an independent WhatsApp profile for personal use. In that case, personal messages should (theoretically, at least) be exempt from monitoring. “Our technology facilitates that work/personal separation on the same device,” he said. “The instances are completely separate.”

Once conversation data has been captured, it can be treated like any source of communication data that’s monitored for compliance purposes.

Bank staff rely on a variety of authorized digital tools to communicate internally and externally, such as chat functionality within Bloomberg and Thomson Reuters Eikon terminals, as well as widely used collaboration platforms such as Microsoft Teams, Slack, and video platforms including Zoom. By capturing WhatsApp conversations, the data can be made available for e-discovery and monitoring, just like any other channel, said Shiran Weitzman, CEO of Shield, a communication compliance software vendor. “In the same way that we're doing this for Bloomberg chat or an email, it is being done also on WhatsApp,” he said. “We basically make the channel irrelevant for the compliance work.”

In addition to collating and archiving communications for audits, natural language processing can be applied to the conversation data to flag signs of potential misconduct. It’s also possible to monitor and raise alerts when employees try to shift a conversation to unapproved channels, highlighting phrases such as “let’s move the conversation to Telegram,” that might appear in an email exchange or Teams chat.

“We have a module in our surveillance platform that looks specifically for phrases like, 'Let's move this to WhatsApp, or to Telegram,’ ‘Ping me on Signal,’ or whatever it might be,” said Brian Lynch, president of US operations at SteelEye, a compliance monitoring and reporting software vendor. “It provides a signal in the existing monitored channels that may belie some use of WhatsApp.”
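The kind of phrase matching described above can be sketched as a small lexicon scan over messages from channels that are already captured. This is an added illustration, not SteelEye's module or code from the article; the verb list, app aliases, message fields and sample messages are assumptions constructed for the example.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "msg_id sender app phrase policy_reminder")

# Apps named in the article; the alias spellings are assumptions of this sketch.
APPS = {
    "WhatsApp": r"whats\s?app",
    "Telegram": r"telegram",
    "Signal": r"signal",
    "WeChat": r"we\s?chat",
    "iMessage": r"imessage",
    "Facebook Messenger": r"(?:(?:facebook|fb)\s+)?messenger",
}
VERBS = r"move|take|continue|switch|shift|ping|message|msg|text|dm|call|reach"
# Intent verb, up to four filler words, a preposition, then an app name.
SHIFT = re.compile(
    rf"\b(?:{VERBS})\b(?:\W+\w+){{0,4}}?\W+(?:to|on|onto|over|via)\W+"
    rf"(?:my\s+|our\s+)?(?P<app>{'|'.join(APPS.values())})\b",
    re.IGNORECASE,
)
# A negation just before the verb usually marks a policy reminder, not intent.
NEGATED = re.compile(
    r"\b(?:do not|don't|never|must not|cannot|can't)\W+(?:\w+\W+){0,2}$", re.I)

def scan(messages):
    """Return one Alert per channel-shift phrase found in monitored messages."""
    alerts = []
    for m in messages:
        text = m["text"].replace("\u2019", "'")  # normalise curly apostrophes
        for hit in SHIFT.finditer(text):
            app = next(n for n, p in APPS.items()
                       if re.fullmatch(p, hit["app"], re.IGNORECASE))
            reminder = bool(NEGATED.search(text[:hit.start()]))
            alerts.append(Alert(m["id"], m["sender"], app, hit.group(0), reminder))
    return alerts

# Constructed sample messages from already-monitored channels (not real data).
SAMPLE = [
    {"id": "m1", "sender": "trader_a", "text": "Busy, let\u2019s move the conversation to Telegram."},
    {"id": "m2", "sender": "trader_b", "text": "Ping me on Signal after the close"},
    {"id": "m3", "sender": "compliance", "text": "Reminder: do not move client chats to WhatsApp."},
    {"id": "m4", "sender": "analyst_c", "text": "Weak buy signal today; call me on the desk line."},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Message m3 is still reported, but with `policy_reminder` set, so a reviewer can triage compliance reminders separately; m4 shows that the word "signal" alone does not raise an alert.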

Would an outright WhatsApp ban even work?

Despite the prevalence of WhatsApp as a business communication tool, relatively few firms actually monitor the app's use. Only 15% of financial institutions currently monitor the platform, according to a survey of 170 senior compliance professionals conducted by SteelEye. Even fewer track popular workplace collaboration app Slack (9%), while Microsoft Teams (40%), Bloomberg Chat (40%) and Zoom (25%) are more likely to be monitored. (The survey data covers finance firms in a range of sizes, so the results may not be representative of the stance taken by the largest, “tier one” firms.)

The SteelEye research also found that 41% of financial services firms see communication monitoring as a priority in the next 12 months, indicating a potential shift in attitude.

It’s unsurprising that so few institutions monitor the use of WhatsApp, said Lynch, given that many rely on internal policies to enforce bans on the use of such tools. “There is a significant number that have decided that ‘policy’ is how they will manage [the use of messaging apps],” he said.

Even in the face of increased regulatory scrutiny, many financial services firms will be content to double down on enforcing policies to limit the use of messaging apps. But for those that choose this approach, it’s important to recognize that these apps are still likely to be accessed by staff, and to take adequate steps to enforce policies.

“A firm can choose which way it wants to go, but it can't just be, ‘We will ban it,’ versus ‘We will allow it,’” said John Lukanski, a partner in Reed Smith’s Financial Industry Group. “If you are going to ban it, you definitely need a supervisory process in place to police that. I do not think you can say, 'We're not going to let you use this,' but then, with a wink and a nod, know that it is happening anyway.”

Whichever approach they take, financial institutions should be considering their strategy as regulators loom. “The regulators want to have a reckoning moment, so you need to be smart enough to recognize that and do something about it,” said Lukanski.

Hybrid/remote work increases use of messaging apps

Whichever approach banks adopt, it’s clear that personal messaging apps aren’t going anywhere, and while WhatsApp is the most popular application today, the landscape can quickly change. “With the different ways that people can communicate, it is going to be an ever-present, evolving challenge to keep up,” said Lukanski.

Beyond the proliferation of different mobile messaging tools, the frequency with which they're used is likely to have increased during the pandemic as staff worked from home and turned to a variety of digital tools. The UK’s Financial Conduct Authority warned last year that “the risk from misconduct or market abuse may be heightened by homeworking” with increased use of unmonitored messaging tools.

“The use of all of these personal communications channels was definitely accelerated by the pandemic, because people needed a new way to communicate,” said Diana. “A lot of the control functions that were used in the past — like limiting what they could do from the desktop — fell by the wayside.”

Although there’s been high-profile pushback by some finance firms over employees working remotely, it appears that hybrid work is likely to remain commonplace across the financial sector. A survey on behalf of technology vendor Riverbed indicated that almost all (83%) of IT and business decision makers at financial services firms expect at least 25% of their employees will continue working on a hybrid model post-pandemic, while nearly half (42%) of respondents expect half of their workforce will be hybrid.

If that’s the case, firms will be hard pressed to end the use of personal messaging apps entirely.

“We’re seeing a complete disruption of how we work, how we communicate, and how we engage; mechanisms that are much more convenient and usable have just exploded,” said Lightman. “The genie’s out of the bottle: you have to figure out how to live symbiotically with these types of platforms.”

Figure: SteelEye survey results on app monitoring. (Source: SteelEye)
