What’s Up with WhatsApp?

Expansion of instant messaging tools complicates compliance monitoring for financial services firms


The pandemic has spawned a host of new messaging apps, causing many within financial services to change how they interact with clients and colleagues. Email and other traditional forms of digital communication take a back seat to new messaging apps, with increasingly well-known platforms like WhatsApp leading the pack.

Other industries have no doubt shifted similarly. But the most significant difference is that few of these other sectors are subject to the stringent record-keeping requirements governing work-related communications within the financial services space.

Such requirements, of course, have always been on the books. But recent headlines make it clear that regulators are determined to enforce them.

Last month, Morgan Stanley disclosed that it expects to pay a $200 million fine for failing to monitor employee use of unauthorized messaging applications. The firm did not publicly specify which platforms, although it’s fair to speculate that use of WhatsApp was likely part of the situation.

In December, the SEC and the Commodity Futures Trading Commission hit JP Morgan with fines totaling the same amount for similar infractions.

Meanwhile, three other mega-firms – Citigroup, Bank of America and Goldman Sachs – are reportedly prepping for comparable punishments for the same thing.

The size of the individual fines goes far beyond past judgments related to record-keeping violations, underscoring how serious this issue has become for regulators. That begs the obvious question: Could smaller firms be next?

The obvious answer is yes. With that in mind, we asked some industry experts for their thoughts on how best to stay compliant in the new instant messaging landscape: senior executives from regtech firms Smarsh and RIA in a Box, a ComplySci Company, as well as from national consultancy Compliance Risk Concepts.


Chris DiTata, Esq.
Senior Vice President, Compliance Operations and General Counsel
RIA in a Box, A ComplySci Company

While the answer is relatively simple to explain, it will be hard to enforce. Firms can either prohibit personnel from using outside means of communication (e.g., no text, no personal email, etc.) or use a compliant system, such as TeleMessage.

While monitoring is undoubtedly a significant obligation, most investment adviser representatives (IARs) want to maintain compliance if there is an avenue to communicate with customers and prospects in their preferred manner. When communications involve text messaging, you must set the ground rules using a compliant solution embraced by your advisory firm or avoid texting altogether.

That is the easy part.

However, instilling a culture of compliance, especially around something as omnipresent as immediate digital communications, takes much more work. Firms should work with their technology solutions providers to ensure safeguards are in place to protect the company if an errant text message slips through the cracks.


Robert Cruz
Vice President of Information Governance
Smarsh

Given the speed of technology innovation, communications compliance gaps will never go away. In light of recent fines, we see firms taking three primary actions to address the gap:

First, firms are re-evaluating the benefit/risk equation when approving the use of new tools. Every regulated firm makes a conscious decision of which communications tools it will approve for use by its business, comparing the expected benefits to the business versus expected compliance risk. With the onset of the outsized regulatory fines, these analyses are being revisited, not just to make a yes/no decision but to define and prioritize investments to reduce risk levels from both accepted and prohibited communications sources.

Second, firms are updating communications policies. Communications policies are likely out of date now that employees are working from everywhere. When considering each digital communication tool’s unique features, we see policies being updated to address specific modalities and how those capabilities can be used by specific job functions.

And third, firms are increasing the frequency and systemic monitoring for the use of prohibited networks. We see many firms moving from ad-hoc, reactive inspection for the use of prohibited tools toward a proactive posture in surveilling employee communications.

These firms leverage tools that provide a unified view across all communications sources and advanced analytical tools that can spot potential infractions that traditional lexicons and policies may have missed.


Mitch Avnet
Chief Executive Officer and Managing Partner
Compliance Risk Concepts

Historically, firms tried to solve this ever-expanding compliance risk at the policy level. However, based on the recent regulatory activity in this area, it has become apparent that policies alone will not protect an organization from regulatory scrutiny, potential fines or sanctions.

The seamless integration of so many electronic communications channels into every aspect of our lives complicates this problem significantly. Implementing technology that gives employees access to specific, compliant platforms and blocks access to mediums that can’t be captured, retained, or supervised is the only way to mitigate this risk.

Many organizations now choose to provide employees with company-owned devices to ensure a defensible control environment is in place as an additional layer of protection. Implementing these controls is virtually impossible if employees use personal devices for unmonitored business communications.