{"id":20219,"date":"2022-09-28T14:30:16","date_gmt":"2022-09-28T22:30:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/09\/28\/news-13952\/"},"modified":"2022-09-28T14:30:16","modified_gmt":"2022-09-28T22:30:16","slug":"news-13952","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/09\/28\/news-13952\/","title":{"rendered":"16 Wall Street firms fined $1.8B for using private text apps, lying about it"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.techhive.com\/images\/article\/2015\/08\/thinkstockphotos-79301943-100610409-small.jpg\"\/><\/p>\n<p>The US Securities and Exchange Commission (SEC) has <a href=\"https:\/\/www.sec.gov\/news\/press-release\/2022-174\" rel=\"noopener nofollow\" target=\"_blank\">fined big-name banks and brokerages a collective $1.8 billion<\/a> over workers\u2019 use of private texting apps to discuss work and for not always saving those messages. The fines include $1.1 billion assessed by the SEC and a <a href=\"https:\/\/www.cftc.gov\/PressRoom\/PressReleases\/8599-22\" rel=\"noopener nofollow\" target=\"_blank\">$710 million fine from the\u00a0Commodity Futures Trading Commission<\/a> (CFTC).<\/p>\n<p>The SEC investigation uncovered what the agency called \u201cpervasive off-channel communications,\u201d that were collected by the firms themselves from employee devices. 
The employees included senior and junior investment bankers and debt and equity traders.<\/p>\n<p>Tens of thousands of communications were intentionally meant to keep the bank\u2019s internal compliance and regulators in the dark, according to the CFTC.\u00a0And because many private communications channels are encrypted end-to-end, they leave no recoverable record for the bank\u2019s supervision, the\u00a0<a href=\"https:\/\/www.cftc.gov\/PressRoom\/SpeechesTestimony\/romerostatement092722\" rel=\"nofollow noopener\" target=\"_blank\">CFTC said in a statement<\/a>.<\/p>\n<p>\u201cAnother common theme is that the CFTC found senior executives \u2014 the very people responsible for keeping a bank\u2019s house in order \u2014 who directed employees to use unauthorized communications channels and delete messages. Some executives even lied to the CFTC and SEC,\u201d the CFTC said.<\/p>\n<p>The use of unauthorized private apps, and failure to archive those communications, violates record-keeping and privacy rules. Both regulatory agencies called on the financial services sector to \u201cfix internal policies and practices\u201d to ensure US regulators and bank executives can prevent, detect, and correct unauthorized illegal communications.<\/p>\n<p>The firms fined for the violations were: Barclays Capital Inc.; BofA Securities Inc., together with Merrill Lynch, Pierce, Fenner &amp; Smith Inc.; Citigroup Global Markets Inc.; Credit Suisse Securities (USA) LLC; Deutsche Bank Securities Inc., together with DWS Distributors Inc. and DWS Investment Management Americas, Inc.; Goldman Sachs &amp; Co. LLC; Morgan Stanley &amp; Co. LLC, together with Morgan Stanley Smith Barney LLC; and UBS Securities LLC, together with UBS Financial Services Inc.<\/p>\n<p>Two firms \u2014 brokerage Jefferies LLC and Nomura Securities International \u2014 agreed to pay penalties of $50 million each; brokerage Cantor Fitzgerald &amp; Co. 
agreed to pay a $10 million penalty.<\/p>\n<p>\u201cFinance, ultimately, depends on trust,&#8221;\u00a0<a href=\"https:\/\/www.sec.gov\/news\/press-release\/2022-174\" rel=\"nofollow noopener\" target=\"_blank\">SEC Chair Gary Gensler said in a statement<\/a>. &#8220;By failing to honor their record-keeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust.&#8221;<\/p>\n<p>In addition to significant financial penalties, each of the firms was ordered to prevent future violations of the relevant record-keeping provisions and was censured, the SEC said. The firms also agreed to retain compliance consultants to, among other things, conduct comprehensive reviews of their policies and procedures regarding the retention of electronic communications on personal devices and their respective frameworks for addressing non-compliance by employees.<\/p>\n<p>Thomas Shuster, a research director with IDC\u2019s Capital Markets Digital Transformation Strategies business who in the past was a registered agent of two broker-dealers and a registered advisor with a self-regulatory organization (SRO) under the SEC, said there was never any doubt about being subject to stringent record-keeping requirements.<\/p>\n<p>\u201cWe weren\u2019t even allowed to text and if we received texts, we had to create an image and maintain a record,\u201d Shuster said. \u201cThat said, I don\u2019t know if there\u2019s momentum behind this action. My instinct is that the SEC made an example with these highly visible and deep-pocketed firms and will let the action speak for itself as a cautionary tale. 
Those appear to be significant fines for the given offense.\u201d<\/p>\n<p>Reports of impending fines <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2022-07-14\/wall-street-texting-habit-sticks-banks-with-rare-1-billion-bill?srnd=premium&amp;sref=9L3Xztl1&amp;leadSource=uverify%20wall\" rel=\"nofollow noopener\" target=\"_blank\">first surfaced\u00a0in July<\/a>.<\/p>\n<p>Bring your own device (BYOD) policies have long been the norm among financial services firms, but data privacy laws such as SEC Rule 17a-3 &amp; 17a-4, the Dodd-Frank Act, Sarbanes-Oxley, <a href=\"https:\/\/www.investopedia.com\/terms\/f\/finra.asp\" rel=\"nofollow noopener\" target=\"_blank\">FINRA<\/a> rules,\u00a0<a href=\"https:\/\/www.telemessage.com\/?p=13771\" rel=\"nofollow noopener\" target=\"_blank\">MiFID II<\/a>, <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/codes_displayText.xhtml?lawCode=CIV&amp;division=3.&amp;title=1.81.5.&amp;part=4.&amp;chapter=&amp;article\" rel=\"nofollow noopener\" target=\"_blank\">CCPA<\/a> and\u00a0<a href=\"https:\/\/gdpr.eu\/\" rel=\"nofollow noopener\" target=\"_blank\">GDPR<\/a>\u00a0all require regulated industries to archive business-related communications in a secure and reliable server or face significant\u00a0<a href=\"https:\/\/www.telemessage.com\/?p=13621\" rel=\"nofollow\">penalties and fines<\/a>\u00a0\u2014 or even class action lawsuits.<\/p>\n<p>The problem was less pervasive when only email was being used; corporate email servers could automatically store communications and archival software could provide regulators with specific messages using search tools.<\/p>\n<p>But data privacy regulations make the use of consumer messaging apps in regulated industries challenging for IT, HR, corporate governance and compliance teams. 
And the use of \u201cshadow communications\u201d can risk massive damage to a firm\u2019s finances and reputation.<\/p>\n<p>\u201cIt\u2019s the proliferation of these other channels of communication that\u2019s causing the problem,\u201d said John Lukanski, a partner in the law firm of Reed Smith LLP. He said the problem with avoiding instant messaging apps is that clients often prefer them, so financial service employees have to make a decision: please the client or follow the rules.<\/p>\n<p>Many financial services firms decided long ago to create pre-approved communications channels through which messaging could be archived, and employees had to attest they\u2019d comply with those rules.<\/p>\n<p>\u201cThe problem is if you have those rules in place, you have to ensure compliance. And, even supervisors are using unapproved channels to communicate,\u201d Lukanski said. \u201cWhat really infuriates regulators is when they\u2019re performing an investigation and they\u2019ve gone into firms and asked for communications\u2026 and a certain percentage of communications has been done off channel. In other words, they can\u2019t produce all the records, which impedes the regulators&#8217; investigations.\u201d<\/p>\n<p>The banking, financial services and insurance (BFSI) sector is one of the most heavily regulated because it has so much influence over the broader economy.<\/p>\n<p>\u201cIt invites corruption, market manipulation, securities fraud, and other unscrupulous behavior that ultimately leads to financial crises, recessions, etc.,\u201d said Michela Menting, a research director with ABI Research. 
\u201cSo, regulatory bodies like the SEC and CFTC must impose very stringent regulations and compliance requirements to maintain market integrity.\u201d<\/p>\n<p>Menting believes the issue goes beyond just private messaging apps; it\u2019s about the ability to hold the financial services industry accountable at a time when many firms are undergoing digital transformation.<\/p>\n<p>Secure messaging apps on private phones provide a fast and simple way to connect bankers and traders, supervisors and personnel, anywhere, anytime. And the technology is ubiquitous, cheap and always available.<\/p>\n<p>While WhatsApp is the most popular consumer messaging app, more than a half dozen others are regularly used, including iMessage, Facebook Messenger, WeChat, Telegram, and Signal. All made their way into the workplace as smartphones have proliferated and corporate BYOD schemes matured.<\/p>\n<p>\u201cIt makes [the apps] massively popular tools, and practically necessary in a post-pandemic world where the workforce is increasingly distributed,\u201d Menting said via email. \u201cBut the problem is that such tools too often sit outside of a company\u2019s purview, in that shadow IT realm, because they are on private phones. One could view it as laziness on the part of financial organizations (at least those that have been sanctioned); they have very specific compliance requirements, which they chose to disregard in favor of convenience.\u201d<\/p>\n<p>But laziness may be only half the story; the tools can also be used to obfuscate practices that might be considered unethical, if not illegal, Menting said.<\/p>\n<p>Lukanski agreed, saying the risk of not archiving communications is that bankers and brokers can become involved in underhanded activities in the name of the firm they represent, and there\u2019s no way to discover it.<\/p>\n<p>But not all of the unauthorized messaging was for nefarious purposes. 
Much of the activity took place during the height of the COVID-19 pandemic, when employees were mostly working from home. It was simply easier to use a private, off-server messaging app, Lukanski said.<\/p>\n<p>\u201cI\u2019ve always felt\u2026you can always do better,\u201d he said. \u201cIf you\u2019re a firm not among those 16 fined, I don\u2019t think you can say, \u2018We dodged the bullet.\u2019 You have every reason in the world to pay attention to the issue now.\u201d<\/p>\n<p>Financial institutions have two things they can do, according to Nader Henein, research vice president with Gartner\u2019s Privacy and Data Protection practice. They can train their employees, and they can monitor corporate owned devices.<\/p>\n<p>\u201cThey can also monitor personal devices with the employees\u2019 consent, but that is messy,\u201d Henein said. \u201cThe weak link is sometimes the employee, but it is also the eternally strained relationship between where the business and the governance teams.\u201d<\/p>\n<p>The SEC has been <a href=\"https:\/\/www.computerworld.com\/article\/3668574\/banks-face-a-whatsapp-reckoning-as-regulators-clamp-down-on-messaging-apps.html\">turning up the heat<\/a> under US President Joe Biden to stop financial services firms from using unsecured apps for business. In December, JPMorgan was hit with <a href=\"https:\/\/www.sec.gov\/news\/press-release\/2021-262\" rel=\"nofollow noopener\" target=\"_blank\">a combined $200 million in fines<\/a> from the SEC and the CFTC for failure to monitor and store electronic communications between 2018 and 2020. The SEC cited the use of WhatsApp, text messages, and personal email accounts for business matters.<\/p>\n<p>Before that, in 2020, a senior credit trader at JPMorgan was suspended for communicating with colleagues at Jefferies, KPMG, and VTB Capital using WhatsApp. 
The latter were then also the subject of investigations after employees were found to be using messaging apps as unauthorized channels for communications.<\/p>\n<p>That same year, Deutsche Bank took steps to ban all text messaging and communication apps to improve compliance standards, with many others, including HSBC, Citi, and Wells Fargo, moving to more secure communications platforms. Some firms, however, appear to be ignoring the implications of not having thorough policies against such practices.<\/p>\n<p>\u201cBy bringing these cases at the same time, and in parallel with the SEC, the Commission is sending a strong message &#8230; that we will not tolerate efforts to evade our regulatory oversight \u2014 oversight that these entities signed up for when they registered with the Commission,\u201d CFTC Commissioner Christy Goldsmith Romero\u00a0<a href=\"https:\/\/www.cftc.gov\/PressRoom\/SpeechesTestimony\/romerostatement092722\" rel=\"nofollow noopener\" target=\"_blank\">said in a statement<\/a>. \u201cThose choosing to participate in US financial markets are on notice \u2014 the era of evasive communications practices is over. 
The CFTC will hold you accountable.\u201d<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3675289\/16-wall-street-firms-fined-18b-for-using-private-text-apps-lying-about-it.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.techhive.com\/images\/article\/2015\/08\/thinkstockphotos-79301943-100610409-small.jpg\"\/><\/p>\n<article>\n<section class=\"page\">\n<p>The US Securities and Exchange Commission (SEC) has <a href=\"https:\/\/www.sec.gov\/news\/press-release\/2022-174\" rel=\"noopener nofollow\" target=\"_blank\">fined big-name banks and brokerages a collective $1.8 billion<\/a> over workers\u2019 use of private texting apps to discuss work and for not always saving those messages. The fines include $1.1 billion assessed by the SEC and a <a href=\"https:\/\/www.cftc.gov\/PressRoom\/PressReleases\/8599-22\" rel=\"noopener nofollow\" target=\"_blank\">$710 million fine from the\u00a0Commodity Futures Trading Commission<\/a> (CFTC).<\/p>\n<p>The SEC investigation uncovered what the agency called \u201cpervasive off-channel communications,\u201d that were collected by the firms themselves from employee devices. 
The employees included senior and junior investment bankers and debt and equity traders.<\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[21359,1328,15547,714],"class_list":["post-20219","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-financial-services-industry","tag-government","tag-messaging-apps","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20219"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20219\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}