
Unmonitored Business Communications in Financial Services | Global Law Firm

The author is a lawyer admitted to practice in Australia and the USA and has spent over 15 years practising law in New York, including on enforcement matters relating to unmonitored business communications, described below.

Entry1

On 26 June 2024, ASIC issued two guidance documents on financial intermediary compliance: Fact Sheet 283 ‘Supervision of Sales Representatives’ Business Communications’2 (Fact Sheet) and accompanying press release calling on “market intermediaries to strengthen their supervisory arrangements to record and monitor representatives’ business communications in order to prevent, detect and respond promptly to misconduct and breaches of financial services regulations”3 (Release). While they may seem like mild compliance updates, these statements actually signal a strong regulatory focus on a critical issue facing Australian financial intermediaries.

These documents deserve careful reading. Halfway through the Release, it is noted that “(r)isks from the widespread use of personal devices and unapproved communication channels have also been underscored by recent actions by the U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission. These regulators have reached record settlements with dozens of financial institutions for failing to maintain and protect electronic communications.”

In doing so, ASIC is drawing attention to an issue that was critical to the core business practices — and balance sheets — of US financial firms. It is reasonable to think that Australia will follow a similar trajectory, except that Australian financial intermediaries now have a limited window of time to reduce regulatory risk by complying with new ASIC guidelines and applying the tough lessons from the US. The lesson here is that having perfect corporate policy and relying on technology to monitor and intercept communications is not enough.

1. $3 billion in fines and counting in the seemingly endless stream of U.S. regulatory actions suggests this is not a passing trend.

If anything, ASIC has underestimated US regulatory vigour. Since the end of 2022, US regulators have levied fines of around $3 billion across the industry, spanning banks, broker-dealers and investment advisers. Individual institutions have been fined up to $200 million, and senior industry professionals have been dismissed. While our regulatory fines are often orders of magnitude lower than elsewhere, the implications are sobering for Australian financial intermediaries and their staff.

In our experience, these penalty figures barely scratch the surface. They do not include the enormous expense, time, senior management attention and business disruption required to resolve investigations into unmonitored communication channel issues.



2. What is the problem with texting and using WhatsApp in the financial services industry?

Nothing, in itself.

The problem occurs when staff use unmonitored communication channels, whether SMS, WhatsApp, personal email, or encrypted or ephemeral messaging platforms (including Snapchat, Signal and Telegram), for business purposes.

Unmonitored communications are problematic for a number of reasons. First, unmonitored communications can facilitate misconduct or other harmful activities. As such, activities conducted through unmonitored communications can result in financial intermediaries failing to exercise sufficient supervision over their employees to:

  • detect and prevent misconduct and inappropriate behavior;
  • manage risk; and
  • maintain required business records.

ASIC, like its overseas counterparts, views financial intermediaries as gatekeepers whose failures to supervise endanger customers and market integrity. For regulators, unmonitored business communications constitute a serious failure of supervision, not just a failure to maintain required books and records. Furthermore, regulators may consider that failure to intercept unmonitored communications will by definition result in a financial intermediary breaching its obligations to respond promptly and fully to information requests.

Importantly, ASIC considers that supervisory responsibilities extend beyond preventing breaches of the law, such as market manipulation, insider trading or fraud. According to the Fact Sheet, it includes “other conduct that may be prohibited under the . . . internal rules of the market intermediary”. Under this approach, failure to monitor and record communications about potential breaches of internal policies or conduct that may be considered improper – as opposed to potential illegal activity – could attract the attention of regulators. Breaches of employee rules could therefore turn into legal liability for the financial intermediary, a move that has caught many US financial institutions by surprise.



3. What exactly is business communication?

That’s a surprisingly difficult question to answer. When it comes to “business communication,” you don’t always know it when you see it.4 Some messages are clearly business communications in the financial sector, such as a trader making an offer or confirming a transaction. There is, however, a spectrum, and reasonable minds may differ as to which side of the line a particular communication falls on. Some may consider a text to a client organising a dinner to be purely social; others may consider it a business communication. It is difficult to provide abstract guidance. Context is key in most cases, including the precise wording of the applicable company policy.5

U.S. regulators tend to take a broad view. They typically consider ancillary communications, such as those on topics like scheduling, general market color, compensation and human resources issues, to be business communications, even if they do not relate to the core financial services offered by the company or its customers.

ASIC reiterates this broad approach in its Fact Sheet:

“(W)e consider business communications to include all written, voice or electronic communications used by market intermediaries and their representatives to conduct financial services business. This includes, but is not limited to, communications reasonably required to fulfil recordkeeping obligations and to enable monitoring of compliance with financial services regulations.”

The conclusion is that financial firms must supervise communications beyond those required to be kept under recordkeeping rules. ASIC considers that the failure to monitor and record business communications is a failure of supervision, not simply a breach of recordkeeping rules.



4. Why is the problem of unmonitored business communications so difficult? Can’t it be easily solved by training, calibrating risk assessments, implementing technology solutions, and updating policies and procedures?

In the U.S., some banks are reversing long-standing BYOD policies and once again issuing employees with company-owned devices to address monitoring and access issues. Others are deploying apps that claim to be able to monitor and download various types of electronic communications. Still others have banned text messaging or WhatsApp for business purposes altogether, despite customer interest in these channels.

Tools like these are undoubtedly important for mitigating the risk of unmonitored business communications, and Australian financial firms should certainly re-examine their compliance policies, procedures, training and technologies. However, doing so in isolation will not be enough to mitigate the risk. Communication technologies are constantly evolving, and technical compliance solutions have practical limitations and are not, and never will be, perfect. The Release highlights that a trap for intermediaries is reliance on “out-of-the-box vendor-supplied communications surveillance systems and a lack of routine calibration of alert parameters.”

As with the United States, the Fact Sheet highlights two further measures that financial intermediaries must implement:

  • Consequence management framework and activities;
  • Processes for regular, independent review and testing of supervisory controls and supervisory frameworks.

These requirements are best explained by the US experience, where financial institutions often had excellent policies prohibiting unmonitored business communications that were honoured more in the breach than in the observance. Senior executives and even compliance personnel tasked with enforcing the rules routinely violated them without penalty. For US regulators, as reflected in the financial penalties, this was a prime illustration of an obvious enforcement principle: the only thing worse than having no rules at all is having rules that are not enforced.

The resulting U.S. requirement to assess controls and impose real consequences for policy violations creates significant challenges. U.S. regulated entities must monitor for signs of unmonitored communications (for example, adding appropriate terms to compliance lexicons to detect references to text messages and WhatsApp) and then investigate those signs by accessing employees’ personal devices.
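The lexicon approach mentioned above, and the "routine calibration of alert parameters" that the Release warns is so often missing, can be shown with a small added example. This is illustrative code written for this article; it is not ASIC's, any regulator's, or any surveillance vendor's code. The lexicon terms, the pattern choices and the sample messages are all constructed assumptions. It runs the same constructed messages through an uncalibrated lexicon of bare product names and through a calibrated one anchored to off-channel phrasing, and reports which messages each version flags, so the effect of calibration on false positives is visible.

```python
"""Lexicon-based detection of references to off-channel messaging inside
monitored business communications (added illustration, not any regulator's
or vendor's code). Every message below is constructed for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    message_id: str
    sender: str
    reason: str
    excerpt: str


# Uncalibrated lexicon: bare channel names. "signal", "telegram" and "text"
# collide with ordinary market and operations vocabulary, so this over-alerts.
NAIVE_LEXICON = [
    (re.compile(r"\bwhatsapp\b", re.I), "WhatsApp reference"),
    (re.compile(r"\bsignal\b", re.I), "Signal reference"),
    (re.compile(r"\btelegram\b", re.I), "Telegram reference"),
    (re.compile(r"\btext\b", re.I), "text message reference"),
]

# Calibrated lexicon: same channels, but anchored to phrasing that indicates
# moving a conversation off the monitored channel. These patterns are assumed
# starting points; a real deployment tunes them against its own alert history.
CALIBRATED_LEXICON = [
    (re.compile(r"\bwhatsapp\b", re.I), "WhatsApp reference"),
    (re.compile(r"\b(?:on|via|over|to)\s+(?:signal|telegram)\b", re.I), "move to Signal/Telegram"),
    (re.compile(r"\b(?:text|sms)\s+(?:me|you|him|her|them)\b", re.I), "invitation to text"),
    (re.compile(r"\b(?:my|your|personal)\s+(?:cell|mobile|phone)\b", re.I), "personal phone reference"),
    (re.compile(r"\b(?:take|move|continue)\s+(?:this|it)\s+off(?:-|\s)?(?:line|channel)\b", re.I), "take it offline"),
]

# Constructed sample of messages captured from a monitored chat platform.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "trader.a", "text": "Strong buy signal on the 10y this morning, desk view unchanged."},
    {"id": "m2", "sender": "trader.b", "text": "Let's move this to WhatsApp, easier than the chat."},
    {"id": "m3", "sender": "sales.c", "text": "Text me on my personal cell when the client confirms."},
    {"id": "m4", "sender": "ops.d", "text": "Telegram from the custodian arrived; settlement is T+2 as agreed."},
    {"id": "m5", "sender": "trader.e", "text": "Can we take this offline? Ping me on Signal."},
]


def scan(messages, lexicon):
    """Return one Hit per (message, lexicon term) match, with a short excerpt
    so a reviewer can triage the alert without opening the full record."""
    hits = []
    for m in messages:
        for pattern, reason in lexicon:
            match = pattern.search(m["text"])
            if match:
                start = max(0, match.start() - 20)
                end = min(len(m["text"]), match.end() + 20)
                hits.append(Hit(m["id"], m["sender"], reason, m["text"][start:end]))
    return hits


def flagged_ids(messages, lexicon):
    """Sorted, de-duplicated ids of messages that produced at least one hit."""
    return sorted({h.message_id for h in scan(messages, lexicon)})


def compare_calibration(messages):
    """Show what calibration changes: messages only the naive lexicon flags are
    the false positives that calibration removes; messages only the calibrated
    lexicon flags are the ones the bare product names missed."""
    naive = set(flagged_ids(messages, NAIVE_LEXICON))
    calibrated = set(flagged_ids(messages, CALIBRATED_LEXICON))
    return {
        "naive_only": sorted(naive - calibrated),
        "both": sorted(naive & calibrated),
        "calibrated_only": sorted(calibrated - naive),
    }


if __name__ == "__main__":
    for hit in scan(SAMPLE_MESSAGES, CALIBRATED_LEXICON):
        print(f"{hit.message_id} {hit.sender}: {hit.reason} -> ...{hit.excerpt}...")
    print(compare_calibration(SAMPLE_MESSAGES))
```

On the constructed sample, the bare product-name lexicon flags the "buy signal" market commentary and the custodian's "telegram" alongside the genuine off-channel invitations, which is exactly the noise that erodes reviewer attention when alert parameters are never revisited. The calibrated version keeps the genuine hits and drops the two false positives. The calibration step itself, comparing the two sets on real alert history, is what the Release is asking intermediaries to do routinely rather than once at installation.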

US regulators have also urged companies to take samples of employees’ phones even if there is no evidence of misuse.6 Of course, this raises a host of difficult legal and business issues, especially in a BYOD environment. Beyond legitimate privacy concerns, there are few things more corrosive to the employment relationship than an employer demanding access to employees’ private cell phones, which are repositories of sensitive personal information (photos of children, personal health and financial data, and private conversations with loved ones).

Experienced lawyers can create strategies and policies to balance these important, competing interests, but they can be expensive and time-consuming. For example, financial intermediaries may need to consider hiring electronic forensic discovery providers or paying independent lawyers to represent employees in the data collection and review process. Australian policies must also take into account workplace surveillance laws, which vary by state.



5. What now?

Australian financial intermediaries are being notified that their oversight of employee business communications will be under scrutiny. Now is the time to take stock and, as the Fact Sheet recommends:

  • review policies and procedures;
  • review current employee training and certifications;
  • ensure an appropriate consequence management framework is in place and take action to enforce policies;
  • maintain appropriate supervisory arrangements to monitor business communications; and
  • conduct regular independent reviews and tests of supervisory controls and the supervisory framework.

In addition to these important, tangible steps, financial intermediaries should ensure that their corporate culture supports appropriate oversight of business communications. Mere policy statements are not enough. A recurring theme in the US is that the practice of unmonitored business communications by senior management and compliance personnel will be a significant factor in undermining the regulatory solution.

ASIC recognises that there is no one size fits all solution. Not everything that is done in the US will apply directly in Australia. Exactly what an Australian financial intermediary needs to do to comply will depend on the nature, scale and complexity of its business. Given the long lead times it will take to identify and fix business communication issues, financial firms should act now to avoid the fate of their US counterparts.