This week, the U.S. Securities and Exchange Commission (SEC) hit 16 Wall Street banks and brokers with record-keeping penalties that, together with the parallel penalties imposed by the Commodity Futures Trading Commission (CFTC), total almost $2 billion.
Bank of America, Barclays, Morgan Stanley and others must each pay $125 million to the SEC for letting staff conduct firm business over unapproved messaging apps, collaboration tools and other unauthorized services, without monitoring or preserving those communications.
Why have the banks been fined?
Under investor-protection laws, financial organizations must monitor, record and store employees' written business communications, keeping a record that regulators and internal compliance teams can review. But with the spread of remote work, cloud services and mobile working, many banks pivoted to new, instant forms of communication without putting the corresponding checks and balances in place.
Aware that something was going awry, the SEC launched an investigation into several banks last year over violations relating to "pervasive off-channel communications" between staff of varying levels of seniority. Executives, junior investment bankers, equity traders and graduates are all embroiled in this scandal.
Essentially, the SEC uncovered that employees were purposefully sending business communications on unmonitored channels, such as WhatsApp, Signal, Slack, Google Workspace and more, to keep them away from internal compliance teams and regulators.
Communicating this way undermined the banks' record-keeping obligations: tens of thousands of business messages were never captured or preserved, leaving no trace for regulators to examine.
Worse still, this isn’t a case of employees accidentally using Slack or WhatsApp instead of email. The Commodity Futures Trading Commission (CFTC), which worked with the SEC on the case, noted that this practice was wholly intentional.
In a statement, the body shared: “Another common theme is that the CFTC found senior executives — the very people responsible for keeping a bank’s house in order — who directed employees to use unauthorized communications channels and delete messages. Some executives even lied to the CFTC and SEC.”
The organizations involved
The $1.8 billion in combined SEC and CFTC penalties is spread across 16 firms. Eight of them, including Bank of America, Barclays, Citigroup, Goldman Sachs and Morgan Stanley, admitted the facts set out in their settlements and will pay $125 million each to the SEC.
Elsewhere, brokerage firms Jefferies LLC and Nomura Securities International will pay $50 million each while Cantor Fitzgerald & Co. will pay $10 million.
The case is a landmark one in the history of financial compliance. Before the JPMorgan settlement last year, the last SEC fine of this sort was way back in 2006, when Morgan Stanley (yep, again!) was fined because it failed to produce email communications during an investigation into public offerings.
Then, last year, JPMorgan hit the headlines when the SEC and CFTC fined the firm a combined $200 million after employees used text messages on personal devices to conduct firm business without those messages being preserved. It's widely thought that this discovery led the SEC to investigate and crack down on poor communications practices across US banking.
Why is using chat platforms and apps such a big deal?
The finance industry is highly regulated for a reason. Record-keeping and transparency are crucial to ensuring fair practice, preventing market manipulation and catching misconduct. By circumventing approved channels, banks are essentially operating in the wild west: regulators can no longer reconstruct who said what, to whom and when, which is exactly what the record-keeping rules exist to guarantee.
The chair of the SEC, Gary Gensler, summed up the reasons for the fines very nicely in a statement, sharing that:
“Finance, ultimately, depends on trust. By failing to honor their record-keeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust. As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.”
How can banks maintain compliance and stop this happening again?
We see two major issues that banks need to address: using the right technical controls and tackling cultural issues.
Firstly, compliance leaders need to deploy cloud-based data loss prevention (DLP) that operates inside the sanctioned collaboration tools themselves. Polymer DLP, for example, uses artificial intelligence and machine learning to discover and protect financial services data as it moves through collaboration applications.
It extends data protection outside the corporate network and directly into SaaS apps, giving security teams much-needed control and visibility over how data is being used and stored, and who accesses it, no matter where it travels.
At the same time, there’s a real cultural issue that organizations must address. Banks need to change the mindset of employees, teaching them that it’s not OK to use unofficial channels and apps. This needs to be driven into culture from the top-down. Leaders must set an example and security teams should reinforce correct practices through dynamic, ongoing training.
Polymer DLP uses in-app nudges to deliver security training to employees in real-time. When an employee attempts to violate a security policy – intentionally or otherwise – the solution blocks the behavior and shares a pop-up explaining why the action is non-compliant.
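To make the block-and-explain behavior concrete, here is an added illustration of how an inline DLP check on a chat message can work. It is example code written for this article, not Polymer's product code. The two detectors (Luhn-validated payment card numbers and US Social Security numbers), the block/redact policy table and the sample messages are all assumptions made for the illustration; a real deployment carries many more classifiers.

```python
"""Illustrative inline DLP check for a chat message (example code, not Polymer's)."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed detectors for the example. The PAN pattern allows 13-19 digits with
# optional space/hyphen separators; the Luhn check below weeds out ordinary
# long numbers (order IDs, ticket numbers) that merely look like cards.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed policy table: what to do when each data type is found in a message.
POLICY = {"PAN": "block", "SSN": "redact"}


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int


@dataclass(frozen=True)
class Decision:
    action: str                 # "allow", "redact" or "block"
    text: Optional[str]         # message as it may be posted (None when blocked)
    nudge: Optional[str]        # explanation shown to the employee


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Locate sensitive data elements in a message."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PAN", m.start(), m.end()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("SSN", m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def enforce(text: str) -> Decision:
    """Apply the policy: block outright, redact in place, or allow unchanged."""
    findings = find_sensitive(text)
    if not findings:
        return Decision("allow", text, None)
    kinds = sorted({f.kind for f in findings})
    if any(POLICY[k] == "block" for k in kinds):
        return Decision(
            "block", None,
            f"Blocked: this message contains {', '.join(kinds)}. "
            "Share it through the approved secure channel instead.")
    # Redact from the end so earlier offsets stay valid.
    redacted = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        redacted = redacted[:f.start] + f"[{f.kind} REDACTED]" + redacted[f.end:]
    return Decision(
        "redact", redacted,
        f"Redacted {', '.join(kinds)} before posting; keep customer identifiers "
        "out of chat.")


if __name__ == "__main__":
    # Constructed sample messages (not real customer data).
    for msg in ("Client card is 4111 1111 1111 1111, pls process",
                "SSN on file: 123-45-6789, ok to proceed",
                "Order 4111 1111 1111 1112 shipped",  # fails Luhn, not a card
                "Lunch at 12:30?"):
        d = enforce(msg)
        print(d.action, "|", d.text, "|", d.nudge)
```

The point a compliance team cares about is the last branch: the employee does not simply see a silent failure, the pop-up text explains which data type tripped the rule and what the sanctioned alternative is, which is the training moment the paragraph above describes.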
For example, for the banking institution Routefusion we deployed Polymer DLP for Slack and Google Drive.
The integration has successfully protected the company from both accidental and intentional data leaks. We were able to remove over 97% of all sensitive data elements shared in public chats in real-time while blocking virtually all sensitive files from being shared with unauthorized parties.
“Polymer just worked out of the box. Installation took a minute. Polymer was able to make our Slack & Google Drive compliant very fast.” – Michael Cramer, Head of Operations at Routefusion.