Unmonitored business communications in financial services

1. USD 3 billion in fines and counting in an unending stream of US regulatory enforcement actions suggests this is not a flash in the pan.

If anything, ASIC has understated US regulatory vigour. Since late 2022, US regulators have imposed approximately US$3 billion in fines industrywide, spanning banks, broker-dealers, and investment advisors. Individual institutions have been fined as much as US$200 million and senior industry professionals have been fired. Even though our regulatory penalties are often orders of magnitude lower than those elsewhere, the implications are sobering for Australian financial intermediaries and their staff.

In our experience, these penalty numbers barely scratch the surface. They do not include the vast expense, time, senior management attention, and business disruption required to resolve investigations into unmonitored communication channel issues.

2. What’s the problem with texting and using WhatsApp in the financial services industry?

Nothing, per se.

The problem arises when personnel use unmonitored communication channels, whether texting, WhatsApp, personal email, encrypted, or ephemeral messaging platforms (think Snapchat, Signal, and Telegram, among others) for business purposes.

Unmonitored communications are problematic for many reasons. Prime among them, unmonitored communications may facilitate misconduct or other harmful activities. Accordingly, business conducted through unmonitored communications may result in financial intermediaries violating their obligation to supervise employees sufficiently to:

• detect and prevent misconduct and poor behaviour;
• manage risk; and
• maintain required business records.

ASIC, like its overseas counterparts, considers financial intermediaries to be gatekeepers whose supervision failures threaten customers and market integrity. For regulators, unmonitored business communications represent a serious supervision failure, not just a failure to maintain required books and records. Furthermore, regulators may consider that failing to capture unmonitored communications will, by definition, cause a financial intermediary to violate its obligations to respond to information requests promptly and completely.

Significantly, ASIC considers supervisory responsibilities to range beyond preventing legal violations, such as market manipulation, insider trading, or fraud. According to the Information Sheet, it extends to ‘other behaviour that may be prohibited under . . . a market intermediary’s internal policies.’ Under this approach, a failure to monitor and capture communications about a potential breach of an internal policy, or behaviour that may be considered inappropriate—as opposed to potential illegal activity—may attract regulatory scrutiny. An employee policy violation may accordingly morph into legal liability for the financial intermediary, an outcome that has taken many US financial institutions by surprise.

3. What exactly is a business communication?

This is a surprisingly tricky question to answer. And, when it comes to a ‘business communication’, you don’t always know it when you see it.⁴ Some messages are clearly business communications in the financial sector, such as a trader providing a bid or confirming a trade. But there is plainly a spectrum, and reasonable minds may differ about the side of the line that a particular communication falls on. Some may feel that a text to a client organizing a dinner is purely social, others may deem it a business communication. It is hard to give abstract guidance. Context is critical in most cases, including the precise wording of the applicable firm policy.⁵

US regulators incline to an expansive view. Typically, they consider ancillary communications, such as those dealing with topics like scheduling, general market colour, remuneration, and personnel issues, to be business communications even though they do not concern the core financial services offered by the firm or its clients.

ASIC echoes this broad approach in its Information Sheet:

‘[W]e consider business communications to include any written, voice or electronic communications used by market intermediaries and their representatives to carry on their financial services business. This includes, but is not limited to, communications reasonably required to meet record-keeping obligations and enable monitoring of compliance with financial services laws.’

The takeaway is that financial firms must supervise communications beyond those required to be maintained under record-keeping rules. ASIC considers the failure to monitor and capture business communications to be a supervisory failure, not just a record-keeping violation.

4. Why is the issue of unmonitored business communications so tricky? Can’t it be solved easily by training, calibrating risk assessments, implementing technological solutions and updating policy policies and procedures?

In the US, some banks are reversing years of BYOD policies and are again providing firm-issued devices to employees to address monitoring and access issues. Others are deploying applications that claim to be able to monitor and ingest diverse types of electronic communications. Still others have completely banned the use of texting or WhatsApp for business, despite client appetite for these channels.

Tools like these are unquestionably important for mitigating the risk of unmonitored business communications, and Australian financial firms should certainly revisit their policies, procedures, training, and compliance technologies. Doing so in isolation, however, will be insufficient to mitigate the risk. Communications technologies are continually evolving, and technical compliance solutions have practical limitations and are not, and will never be, perfect. The Release highlighted that a trap for intermediaries has been relying on “‘out of the box’ settings of vendor-provided communication surveillance systems and a failure to routinely calibrate alert parameters”.

Echoing the US approach, the Information Sheet emphasizes two further measures that financial intermediaries must implement:

• Consequence management frameworks and actions; and
• Processes for regular independent review and testing of surveillance controls and supervision frameworks.

These requirements are best explained by the US experience that financial institutions often had excellent policies prohibiting unmonitored business communications, which were honoured in the breach. Senior executives and indeed even compliance personnel tasked with enforcing the policies were found to have violated the policies regularly without sanction. To American regulators, as reflected in the financial penalties, this was a paradigm example of the regulatory enforcement truism that the only thing worse than not having a policy is having an unenforced policy.

The resulting US requirement to evaluate controls and impose genuine consequences for policy violations creates significant challenges. US regulated entities must surveil for indicia of unmonitored communications (for example, by adding relevant terms to compliance lexicons to detect references to texting and WhatsApp) and then investigate those indicia by gaining access to employee personal devices.

US regulators have also insisted that firms sample employee phones, even where there is no evidence of misuse.⁶ Obviously, this raises a host of difficult legal and business issues, especially in a BYOD environment. Beyond the legitimate privacy concerns, there are few things more corrosive to the employment relationship than an employer’s demand to access employees’ personal mobile phones, which are repositories of sensitive personal information (photos of children, personal health and financial data, and private conversations with loved ones).

Experienced lawyers can craft strategies and policies to balance these important competing interests, but they can be expensive and time consuming. For example, financial intermediaries may need to consider hiring forensic electronic discovery vendors or paying for independent lawyers to represent employees in the data collection and review process. Australian policies also need to cater for workplace surveillance laws, which differ from state to state.

5. What now?

Australian financial intermediaries are on notice that their supervision of employee business communications will be scrutinized. Now is the time to take stock and, as the Information Sheet recommends:

• revisit policies and procedures;
• review ongoing training and employee attestations;
• ensure appropriate consequence management frameworks and take action to enforce policies;
• maintain appropriate supervisory arrangements for monitoring business communications; and
• undertake regular independent review and testing of surveillance controls and supervision frameworks.

Beyond these important tangible steps, financial intermediaries should ensure that their corporate culture supports the appropriate supervision of business communications. Mere lip service is perilous. A recurring US theme is that a practice of unmonitored business communications by senior leadership and compliance staff will be a significant aggravating factor in a regulatory resolution.

ASIC acknowledges that one size does not fit all. Not everything done in the US will apply directly to Australia. Precisely what an Australian financial intermediary should do to ensure compliance depends on the nature, scale, and complexity of its business. Given the long lead time required to identify and remediate business communications issues, financial firms should act now to avoid the fate of their US peers.