Two Wall Street regulators recently fined eight investment banks and three other financial firms a total of $549 million over “widespread and long-standing failures” to archive electronic communications sent via services including WhatsApp, Signal and iMessage. The regulators also said they will continue to pursue such cases.
The fines are the latest in a series that the Securities and Exchange Commission and the Commodity Futures Trading Commission have issued to broker-dealers over the past two years, starting with JPMorgan Securities in December 2021. The fines issued last week hit brands including Wells Fargo, Bank of Montreal, BNP Paribas and Wedbush.
The CFTC and SEC have now collectively imposed $2.5 billion in fines over these recordkeeping violations, which Ian McGinley, director of enforcement for the CFTC, said are designed to send a clear message.
“Recordkeeping and supervision requirements are fundamental, and registrants that fail to comply with these core regulatory obligations do so at their own peril,” McGinley said.
Some broker-dealers and investment advisors have self-reported violations to the SEC or improved their policies and procedures, but “many still have not,” according to the director of the SEC’s enforcement division, Gurbir S. Grewal.
“Here are three takeaways for those firms who haven’t yet done so: self-report, cooperate and remediate,” Grewal said. “If you adopt that playbook, you’ll have a better outcome than if you wait for us to come calling.”
The SEC’s deputy director of enforcement, Sanjay Wadhwa, said that the commission knows others have committed recordkeeping violations, “and so our work to enforce industrywide compliance continues.”
Three Wells Fargo subsidiaries agreed to collectively pay a $125 million penalty to the SEC and $75 million to the CFTC.
BNP Paribas and Société Générale each agreed to pay $35 million to the SEC and $75 million to the CFTC.
Bank of Montreal and Mizuho Securities each agreed to pay the SEC $25 million. BMO also agreed to pay the CFTC $35 million.
Houlihan Lokey Capital agreed to pay the SEC $15 million.
Moelis & Company and Wedbush each agreed to pay the SEC $10 million.
SMBC Nikko Securities agreed to pay the SEC $9 million.
How banks have responded
Since 2016, all messages on WhatsApp have been end-to-end encrypted. For investment banks, that has made it hard to monitor messages sent or received by employees on the platform.
The investment bank can’t go directly to Meta, which owns WhatsApp, and ask for copies of all the messages its employees have sent or received. Meta can’t read the messages. Only the bank employee or the person messaging the employee can read the messages.
This has led some firms to outright ban employees from using WhatsApp and similar apps for work purposes, but this comes with challenges stemming from WhatsApp’s prevalence internationally. Many estimates peg the number of WhatsApp users above 2 billion.
Not only that, but there is a business imperative to support WhatsApp messaging in investment banking, according to Brandon Carl, executive vice president for product strategy at Smarsh and a former executive at Nomura and Bank of America.
“The thinking is, if we don’t support it, we may lose that client to somebody else who will support it,” Carl said.
So, rather than try to cut out its use altogether, other investment banks, including JPMorgan, have started working with vendors that help companies monitor channels that otherwise defy surveillance. JPMorgan has gone with Symphony for this purpose; other providers include Smarsh, Shield and SteelEye.
These solutions typically work by adding a middleman between the investment banker and WhatsApp — a service that archives any message the banker sends or receives via WhatsApp. In turn, that shifts the recordkeeping challenge to one of ensuring employees are using the right accounts and devices.