
WhatsApp watch: Are financial institutions under fire?

ME PoV Fall 2023 issue

From its origins as a personal messaging app, WhatsApp has evolved into an indispensable tool for quick and efficient communication, both personally and professionally. In the UAE alone, approximately 7.99 million people use WhatsApp,1 which accounts for roughly 80% of the population. 

Given its user-friendly interface, many have adopted the application for business communication. Studies indicate that messaging applications such as WhatsApp are used to finalize contracts, circulate business plans, and even share employees' sensitive personal information. A 2021 study by Veritas found that 87% of UAE office workers admitted to using such messaging applications to share business or sensitive information.2

This presents a direct challenge for companies in complying with regulations around the retention of business communications.3 In recent years, the US securities regulator, the Securities and Exchange Commission (SEC), has turned its attention to brokers and investment advisors for failing to keep records of “off-channel” communications. 

Off-channel communications: The use of unapproved applications on mobile devices to engage in communications relating to a firm's business. 

In December 2021, the SEC fined J.P. Morgan Securities LLC (JPMS), a broker-dealer subsidiary of JPMorgan Chase & Co., for widespread and longstanding failures by the firm and its employees to maintain and preserve written communications. This was the first of numerous investigations into the same conduct at multiple firms.

As of 29 September 2023, the SEC had issued fines to multiple firms for similar failings totaling over USD two billion4 (some of which are detailed below).

Regulations

Record-keeping regulations exist at local and global levels, particularly within highly regulated industries such as financial services. In the UAE, data retention requirements vary depending on where the company is registered, with differences between the free zones, such as the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC), and the mainland. In the DIFC, where companies are regulated by the Dubai Financial Services Authority (DFSA), organizations must adhere to the DFSA's Conduct of Business Rulebook (COB), which requires electronic communications related to transactions to be retained for specified periods that depend on the nature of the communication.10

These rules apply to all forms of electronic communication, including WhatsApp conversations by employees. For organizations operating in multiple jurisdictions, data retention and record-keeping requirements may be more extensive or complex. It is therefore crucial for organizations to understand the applicable local and international laws and regulations in order to develop effective strategies and methods for meeting these requirements.

The solution(s)

If using WhatsApp entails a potential regulatory cost to financial institutions, should these companies prohibit employees from using mobile communication applications for business purposes, or would it be more advisable to implement monitoring solutions that allow for the capturing and retention of business communications on applications like WhatsApp? 

In either scenario, several key factors should be taken into consideration, including data governance, the use of corporate devices versus bring-your-own-device (BYOD), and compliance with data protection and privacy laws. 

Organizations should focus on data governance, implementing robust policies and procedures that cover areas such as the acceptable use of corporate devices, social media and communication channels, BYOD, and data retention. Policies alone are not enough to ensure compliance, as exemplified by JPMS, which had policies in place forbidding the use of non-approved communication channels.11 Regular employee training and the enforcement of policies, with repercussions for non-compliance, are critical components of a company's data governance strategy, as is ensuring adequate involvement and alignment across multiple departments within the organization.

Effective data governance requires tone from the top, in both compliance with and enforcement of policies and procedures. One of the key findings from the SEC's investigations into Wall Street companies was that senior employees were involved in off-channel communications, some of whom were also responsible for overseeing the conduct of junior employees.12

To mitigate the risk of fines arising from off-channel communications, organizations including J.P. Morgan, Deutsche Bank, and UBS have started implementing monitoring solutions on employees' mobile devices to capture and preserve messages.

Privacy considerations

Data privacy and protection regulations must also be considered in a company’s efforts to monitor and preserve data. In the UAE, there are multiple laws related to data protection, which may apply depending on the registered location of the company. These laws have an impact on an organization’s ability to monitor personal data and an individual’s right to privacy. Striking a balance between companies having control over their business data and respecting employees’ privacy is necessary. 

The SEC explicitly mentioned in their press release that personal devices were frequently used by employees to communicate business matters via various messaging platforms,13 hindering the ability to maintain and preserve records. Therefore, the common use of BYOD within the UAE may also represent a challenge. 

Given the sensitivity of data on BYOD devices, organizations may not be able to obtain consent to preserve copies of business communication data or to install monitoring and preservation solutions. Gaps in record-keeping may arise if employees leave a company after having used non-monitored BYOD devices for business communication. There is also a risk of data being deleted by employees, for instance through disappearing messages, device wiping, and the manual deletion of messages or chats. Regulators do not appear to be sympathetic to such explanations for gaps in records.

There is no one-size-fits-all solution. Many organizations may have a complete ban in place on communicating via apps such as WhatsApp for business purposes; however, a weak data governance culture and a lack of enforcement may result in gaps that expose the organization to regulatory action, fines, or reputational impact. Monitoring employees' mobile devices may be the answer for some organizations, but this must be carefully considered in light of data protection and privacy laws, as well as the rights and consent of individuals. In the UAE, the high prevalence of BYOD may deter some companies from implementing such measures.

A key takeaway is the importance of cross-departmental collaboration involving Compliance, HR, IT, Cybersecurity, and other functions to equip the organization and its employees with the knowledge, policies, procedures, and tools to ensure compliance while respecting the delicate balance between data control and privacy.

Another takeaway is that organizations need to have a plan in place for accessing, capturing, and reviewing off-channel communications if and when they occur. Electronic discovery services, including forensic imaging of mobile devices and application data, and the processing and hosting of that data using forensic software, can be used both proactively and reactively to secure and ensure access to off-channel communications, whether for regulatory compliance monitoring or for responding to complaints.

By implementing stringent policies, educating employees, ensuring proper data management and governance, and utilizing monitoring and eDiscovery services, companies can reduce their risk and be better prepared to face investigations. The convenience of WhatsApp in corporate communication can coexist with regulatory compliance if managed prudently, ultimately safeguarding a company's reputation and financial stability.

By Collin Keeney, Partner, Natalie Forester, Manager, and Faiz Ali Khan, Assistant Manager, Financial Advisory, Deloitte Middle East

Endnotes

  1. https://www.globalmediainsight.com/blog/uae-social-media-statistics/
  2. https://globalcioforum.com/87-uae-employees-share-sensitive-data-via-messaging-and-collaboration-tools-veritas-survey/
  3. https://www.sec.gov/news/press-release/2021-262
  4. https://www.reuters.com/business/finance/us-sec-charges-12-firms-with-record-keeping-failures-2023-09-29/
  5. https://www.sec.gov/news/press-release/2021-262
  6. https://www.sec.gov/news/press-release/2022-174
  7. https://www.sec.gov/news/press-release/2023-91
  8. https://www.sec.gov/news/press-release/2023-149
  9. https://www.sec.gov/news/press-release/2023-212
  10. https://dfsaen.thomsonreuters.com/rulebook/cob-67-record-keeping-voice-and-electronic-communications
  11. https://www.complianceweek.com/regulatory-enforcement/big-bank-messaging-app-crackdown-exposes-policy-holes-monitoring-struggles/32002.article
  12. https://www.investmentnews.com/wall-street-girds-for-whats-next-in-whatsapp-probe-240907
  13. SEC.gov, "SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures" (press release)