Big Risks from Unmonitored Use of Messaging Apps By Bank Employees

An SEC crackdown demands a closer look at the communications channels that bank employees use for business purposes — personal text, email and messaging apps. Avoiding regulatory and reputational risks requires having the right policies and enforcing them.

Bank employees who use text, WhatsApp and Facebook Messenger for business could be compromising security for the sake of convenience.

Those digital tools sidestep bank controls and don’t always retain conversations, says Conway Dodge, Managing Director and Deputy Leader of the Americas at Promontory IBM Consulting. That could open a bank up to trouble, in the event of accusations of unfair treatment or violation of Fair Lending practices.

“There’s institutional risk, economic risk, and considerable reputational risk with these off-channel communications,” Dodge told The Financial Brand in an interview.

SEC Warning: Fix Bank Communications Issues

A Securities and Exchange Commission crackdown highlights the dangers. The agency announced in September that it found “pervasive off-channel communications” at 11 financial institutions that violated recordkeeping provisions of the Securities and Exchange Act of 1934. In each organization, junior and senior employees routinely used personal devices and text messaging for business matters for years.

Because most of these messages were not retained, the SEC and Commodity Futures Trading Commission imposed more than $1.1 billion in fines on institutions such as Citigroup Global Markets, BofA Securities, Goldman Sachs, Morgan Stanley and Barclays Capital.

In announcing the news, Sanjay Wadhwa, the SEC’s Deputy Director of Enforcement, took the opportunity to issue a warning to the banking industry.

“The time is now to bolster your record retention processes and to fix issues that could result in similar future misconduct by firm personnel,” Wadhwa said.

It is a warning banks of all kinds should heed.

While investment banks have different record-keeping obligations than commercial banks, the SEC’s action should be a wake-up call to assess the array of risks around business communications throughout every organization, Dodge says.

Tools like Zoom, Slack, Google Docs, and messaging apps allowed banks to support digital operations and remote work during the pandemic shutdown in 2020, but many banks adopted them without their usual level of emphasis on oversight.

“The whole point is that institutions cannot control what isn’t being monitored,” says Dodge. “They can’t meet their record-keeping requirements, and there are other risks associated with off-channel communications,” including fair-lending concerns.

Dig Deeper: 5 Ways Banks & Credit Unions Must Mitigate Risks and Losses

‘Every Financial Institution Is in the Crosshairs’

Many banks have tightened up their security policies since the height of the pandemic, but employees could still be using nonbusiness channels for business out of convenience.

Social media, text, and email contact lists are an easy way for anyone to engage previous employers, personal contacts, and other associates. However, the lines can blur quickly when a loan officer or banker starts discussing business on a platform like WhatsApp or Facebook Messenger, or engages with a prospect through a direct message, or DM, about interest rates, terms, or the loan application process.

The Problem at Hand:

Many banks adopted tools like Zoom, Slack, Google Docs and messaging apps to support remote work, but with little attention to oversight.

“The institution needs to understand what is being communicated to potential borrowers because they have obligations under various regulatory regimes,” says Dodge.

Indeed, those off-channel conversations steered towards business could run afoul of several regulations, such as Regulation B (Equal Credit Opportunity), Regulation Z (Truth-in-Lending), and Regulation DD (Truth-in-Savings). The Gramm-Leach-Bliley Act also requires financial institutions to explain their information-sharing practices to their customers to safeguard sensitive data.

“Every financial institution that’s subject to these regulations is in the crosshairs of the regulators,” Anthony Diana, a partner in the tech and data group at the law firm Reed Smith, told ComputerWorld. “They’re starting with the big [banks] because that sends the message to the entire industry that this is a focus.”

Tighten Policies and Procedures

Legal compliance is easier to maintain on an official bank platform or channel, such as bank email. While Dodge is not aware of any regulations preventing loan officers or retail bankers from using messaging apps, he says it is a best practice to ensure the bank can monitor, document and retain all business communications.

Many financial institutions are already taking a closer look at how banking employees communicate with each other and customers.

Banks “can’t manage what they don’t know.”
– Dave Dickinson, Banker’s Compliance Consulting

In a survey by SteelEye, 41% of participating firms said communications monitoring is one of their top investment priorities in the coming year. However, while monitoring can help on official channels, it does nothing if a banker or loan officer starts a business conversation on their own social media channel or their own device.

“They can’t manage what they don’t know,” says Dave Dickinson, President of Banker’s Compliance Consulting. “Some banks let their loan officers message privately, but they ask that they have a way to monitor it or that they be copied. Others don’t let them message through these platforms.”

For that reason, banks must set clear expectations with explicit policies and procedures around business communications, and update and enforce compliance measures continually.

Learn More About a Digital Bank Operating Exclusively in Messaging Apps

Even in the cases brought by the SEC, most institutions already had policies with training and annual certifications. “This became a systemic problem on Wall Street, and you had senior officers and high-ranking traders who appeared to know what the rules were nonetheless violating those rules,” Dodge states. “It raises the question as to whether policies, procedures, and training certifications are really enough, or if you need to do more.”

To reduce the risk that employees will switch to their own channels, banks must ensure their own communications channels are efficient, easy to use and suit their needs.

But, staying safe, compliant and maintaining a paper trail doesn’t mean cutting the cord on personal channels, says Dickinson. Banks can still allow their employees to use these messaging apps with proper implementation.

For example, there is a corporate version of WhatsApp that can be downloaded on a user’s phone with a separate phone number that can be used for bank clients. There are also WhatsApp “wrappers” that can be deployed via mobile device management or enterprise mobility management platform for archiving.

The point is to solve for the need to have documentation, says Dickinson.

“If you’re not keeping records, and a person asserts a claim or problem, what evidence do you have to defend yourself?” he asks.

This article was originally published on . All content © 2024 by The Financial Brand and may not be reproduced by any means without permission.