WhatsApp mis-use is becoming a wider issue for businesses than simply compliance with financial regulations.
The UK energy regulator Ofgem has fined US bank Morgan Stanley for failing to keep records of communications after energy market traders used WhatsApp to discuss the details of energy deals. Ofgem said that the bank “did not take sufficient reasonable steps to ensure compliance with its own policies and the requirements of the regulations.”
The growing risk from Shadow IT
This incident is a prime example of the dangers of shadow IT which was highlighted in a recent blog from the National Cyber Security Centre (NCSC). In guidance published by NCSC on how best to tackle the risks of shadow IT, it comments that if employees are using unsanctioned processes and insecure workarounds to get their work done, it is usually because the tools provided by the organisation don’t work, are slow, or cumbersome to use. NCSC recommends using such situations as an opportunity to investigate what issues the users are experiencing, what exactly it is that employees are trying to achieve, and why the systems provided by the organisation are not working. With this information IT can re-examine approved solutions and source suitable alternatives that do meet the users’ requirements.
Penalties applied to employees as well as business
This is not just an issue that affects organisations, it can also have a huge impact on employees. In 2021 Morgan Stanley was one of a number of US banks that were fined $2.5bn for their employees’ use of WhatsApp and other unapproved apps to discuss deals with clients and colleagues. It was reported by the Financial Times that as a result of these fines, the bank imposed pay forfeitures of as much as $1m on some staff, depending on the number of messages sent, seniority and whether the employee had received prior warnings.
Preserve communications for later auditing
One of the key elements in the latest case with Ofgem, is the failure to store communications, which has long been a requirement of the financial services industry. The major failing with the use of WhatsApp and other consumer apps like it is that there is no ability to archive and audit conversations. Cathryn Scott, regulatory director of enforcement at Ofgem stated; “It is unacceptable that [Morgan Stanley] failed to prevent electronic communications which could not be recorded or retained. It risks a significant compromise of the integrity and transparency of wholesale energy markets.”
Enterprise secure communications applications such as Armour Mobile and Recall by Armour provide the ease of use of consumer messaging/calling/conferencing apps, but with UK MOD/government-accredited security and a secure audit facility, meaning that a copy of all communications and associated files are saved and can be reviewed later, subject to the appropriate security processes. Recall stores communications even when the original messages have been deleted from the user’s device (whether through normal use or in an attempt to hide misuse), something that simply can’t be achieved with a consumer app.
Recall by Armour
With Recall by Armour, suitably approved compliance officers are able to playback messages, audio or video calls subject to strict security processes:
- All transmitted media (text, attachments, audio) are archived.
- Tightly managed authorisation for audit access.
- Individual encryption keys limits access.
- All access to audit files is audited.
It’s not just FCA compliance that is important
The fine imposed on Morgan Stanley by Ofgem is the first of its kind under the transparency rules, which are aimed at protecting consumers against market manipulation and insider trading. It demonstrates the ever widening requirement for organisations to maintain transparency in communications, and to be able to prove that they have complied. Providing Armour Mobile on employees’ mobiles ensures there is no excuse for not using a secure and compliant communications app for all business use.
As we have argued on many occasions, keeping business communications secure, separate from personal communications and under the control of the organisation, even on devices that the organisation does not own (BYOD) IS possible, and is increasingly a business imperative.
Providing centrally managed applications for secure business communications puts you back in control of your data while still enabling the use of BYOD devices. Armour Mobile can also be deployed within an organisation’s own infrastructure, providing total surety of data sovereignty to comply with Data Protection / GDPR laws.
For more information about how Armour Mobile and Recall by Armour could help your organisation to keep control of all business conversations, prove compliance with a wide range of regulatory requirements and avoid heavy fines, CONTACT US today.
