At least here in the UK, WhatsApp is the undisputed e-Communications darling. The E-Comms platform has soared in popularity from its debut in 2011 to more than two billion active monthly users (75 million of which reside in the USA) ten years later. Each day, over 100 billion messages are sent – yes, that is a “B” as in billion. Clearly, the lure of sending encrypted messages over the internet on WhatsApp is strong.
In fact, usage of WhatsApp appears to also be compelling to financial firms. Usage behavior by employees of JP Morgan Chase bank has been described as “addicted” and “hooked” given how pervasive communication via the app was amongst the executive team, brokers, and their clients. From January 2018 to November 2020, JP Morgan used WhatsApp extensively – on their personal devices – to transact business. Even their executives, who were tasked with compliance, used the app to communicate about sensitive financial matters. Widespread use of the app was only part of the problem: the bank failed in its record-keeping legal obligations.
Regulatory authorities do not like to be blind to financial transactions and correspondence between a bank and its clients. Not only does it create the opportunity for mistrust and impropriety, but it also makes it almost impossible for the authorities to monitor activities for anti-fraud and antitrust violations. As a result of recent missteps with compliance, on December 17, 2021, they were walloped with record fines of $125 million to the SEC for record-keeping failures and $75 million to the Commodity Futures Trading Commission for the bank’s allowance of unapproved e-Comms.
Now that SEC has uncovered at least “some” of JP Morgan’s transgressions, authorities believe they will uncover more as they research deeper across the firm. And, in a deliberate effort, the financial authority is now conducting a widespread investigation across the industry; no doubt sending shivers into the heart of every banking executive and compliance officer. JP Morgan’s total fine of $200 million may be a “tip of the iceberg” event that triggers a cascade of additional fines to JP Morgan and to other banks. The potential is strong for a ripple effect which will require updated policies and practices around the use of WhatsApp and record-keeping. Whether the app will become approved given its ubiquity is an open question.
It seems that WhatsApp is unwillingly and unenviably finding itself in the crosshairs of the SEC. If it’s not bankers and brokers transacting stock trades on the app (without properly recording and archiving those e-Comms), it’s fraudsters scamming good people out of their hard-earned savings. The problem is so widespread that HSBC, the leading financial firm in Hong Kong, has issued grave warnings and now alerts its customers to the threat of scams right on the homepage of its website. According to the information listed on their homepage, Hong Kong residents were bilked of nearly $3 million in a 3-month period in 2019 alone: no current statistics are available for HSBC consumer fraud.
Within the UK, the BBC reported that its residents are losing an average of £4 million daily through scams on WhatsApp. Unsurprisingly, many elderly fall victim to the scam hearing from imposters posing as their grandchild and asking for “quick money” to deal with an urgent situation. However, the trend shows that young people are being preyed upon, often acting quickly “without thinking” when they get a ping from someone whom they believe is their friend. According to the National Trading Standards scams team referenced in the BBC article, the collective loss to consumers in the UK related to such scams – which are increasingly perpetrated on WhatsApp – totals a shocking £9.3 billion annually.
In a 2019 market abuse case involving WhatsApp, there was an interesting twist. At that time, it was possible to hit the “panic button” on the app and instantly delete all messages by terminating your account. Konstantin Vishnyak, a former VTB Capital Plc banker, was being arrested by the London Police for suspected financial crimes, and, under the direct observation of the police officers arresting him, he deleted WhatsApp from his personal and his work phone. Just like that, there was no longer a record of his financial activities. As a result, he was acquitted of all charges by a London jury: there was no recorded evidence to uphold the charge.
Facebook, now Meta, was fined back in 2016 for its lack of transparency. The social media giant was fined €100 million by The European Commission for the use of “misleading information.” More specifically, the violations centered around how consumers’ phone numbers would be linked to Facebook identities and friend suggestions.
But it doesn’t stop here. Even WhatsApp itself was recently fined (September, 2021). The Irish Data Protection Commission levied a hefty fine of €225 million for exposing consumers’ contact information to non-WhatsApp users. General Data Protection Regulation (GDPR), which was enacted in 2016 and went into effect in 2018, requires that policies around data privacy be clearly articulated and shared with consumers. WhatsApp did not do so. However, the story doesn’t end here: WhatsApp is appealing the decision.
WhatsApp is not going away any time soon, although it’s clearly emerged as a bit of a “hot potato” and is at the epicenter of numerous high-profile cases around compliance. Financial and data privacy challenges have the embattled app butting heads with the law around the globe. So, how does a firm protect itself from risk given the ubiquitous usage of the app? Here are a few tips:
- Know your Channel: WhatsApp is unique in the way people communicate in it, the blurring of the lines between work and personal life resulted in a channel that emojis slang and even Gifs are common, your surveillance has to keep that in mind.
- Policy Review: now is the time to audit your policies, do they clearly restrict and define how WhatsApp specifically is to be used (or not)?
- Recording & Monitoring: if e-Comms platforms like WhatsApp or others are in use, has your firm arranged the necessary access to facilitate pro-active compliance efforts?
- Education & Training: is everyone at the firm fully trained and aware of the consequences of violating corporate policies including the use of personal devices? Are all consumers, clients, collaborators, and vendors aware of your firm’s policies and what they need to do to be compliant with them?
- Attestations: consider quarterly, but at least semi-annually, attestations requiring that all persons and organizations doing business with your firm attest to their understanding of all policies.
- Spot-checks: impromptu and randomized audits can go a long way to making your firm safe.
e-Communications are an essential and now routine part of our lives – and of all firm’s financial activities. Ensuring that they are monitored, recorded, and analyzed in a manner that is compliant with all laws is non-negotiable. If your firm is not dialed into WhatsApp and how it is being used internally, your business continuity and profitability are at risk.