10 June 2020
The use of ubiquitous personal instant messaging applications in a business context poses challenges to compliance functions and investigations. The current pandemic has amplified that challenge, with a spike in the use of messaging as workers are forced to work from home and swap face-to-face with digital interaction. We are likely to see an increase in corporates attempting to implement systems and processes to capture those messaging platforms, bringing them within corporate records and the reach of compliance.
The challenge to evidence gathering posed by ephemeral messaging applications, such as WhatsApp and WeChat, is not an unfamiliar issue to corporate compliance and investigation functions, regulators and law enforcement. The end-to-end encryption of these communications and their existence outside corporate data systems have made it difficult to control, gather and record this data for compliance and investigation purposes.
Although many institutions have simply taken the approach of banning their use in a business context, their growing use in day-to-day commerce has forced many to reconsider. Multinationals have long struggled with managing the ubiquity of WeChat in China. Suggesting that staff should conduct business in China without relying on WeChat is a compliance edict doomed to fail. This is a trend that the current pandemic has only accelerated, forcing corporates to consider options to bring these platforms into their data ecosystem and compliance coverage. For instance, a number of banks are reported to have recently started testing large-scale deployment of technologies to record and monitor WhatsApp messages exchanged with clients and colleagues, with the aim of assisting with regulatory compliance, surveillance and investigations.1
This is not a new issue. Regulators and law enforcement around the world have been adapting to the explosion of instant messaging for some time. In 2017, the U.S. Department of Justice introduced a requirement that appeared to impose a blanket prohibition on the use of encrypted messaging applications for companies to be eligible for full cooperation credit. In March 2019, the Department eased the standards required under its FCPA Corporate Enforcement Policy. The revised policy instead introduced the requirement of: “implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately comply with the company’s document retention policies or legal obligations.”2
Financial regulators have also needed to address the particular issues arising in a financial markets context. For instance, in Hong Kong, the Securities and Futures Commission issued a circular to provide guidance on the key controls and procedures for the use of instant messaging specifically to receive client orders.3 This imposes requirements to ensure that messages are centrally managed in a form which could not be inappropriately modified, erased or tampered with, and are readily accessible for compliance monitoring and audit purposes.
There are jurisdictions that have considered the issue in a broader context. The Monetary Authority of Singapore, for instance, has an active consultation which considers permitting the use of ephemeral messages if the financial institution can record all communications between their trading representatives and customers. MAS will require that the communications be retained for 5 years and that those communications are otherwise compliant with other applicable regulations.4 However, conclusion of the consultation has been pushed back as a result of the pandemic. The Australian Securities and Investments Commission has not formally sought to regulate the area but has underscored that instant messaging platforms can be used to circumvent the monitoring system of financial institutions and thereby undermine the ability to detect and act on misconduct.5
From a practical perspective, compliance monitoring and investigations are hampered by the shift towards non-corporate instant messaging. While there is no way to prevent determined individuals taking communications off the corporate network and onto private messaging platforms, there are certainly controls that can be implemented to discourage that practice and, as a result, increase the efficacy of compliance and investigation functions. The need for such steps to be taken is only likely to be accelerated in the current climate.
For further information, please contact:
Jeremy Birch, Herbert Smith Freehills jeremy.birch@hsf.com
1 Financial News London, Bankers beware: Finance giants to monitor staff WhatsApp messages, 18 May 2020
2 The United States Department of Justice, 9-47.120 - FCPA Corporate Enforcement Policy, March 2019
3 Securities and Futures Commission, Circular to intermediaries: Receiving client orders through instant messaging, 4 May 2018
4 Monetary Authority of Singapore, Consultation Paper on Requirements on Controls against Market Abuse, August 2019
5 Australian Securities and Investments Commission, Report 525, Promoting better behaviour: Spot FX, May 2017