What’s Up with WhatsApp?
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. In the aftermath of the monumental AppSec failure on Wall Street, Harriet Christie of MirrorWeb stops to ask what can be done about WhatsApp.
In September 2022, the Securities Exchange Commission (SEC) and Commodity Futures Trading Commission (CTFC) reached settlements totaling around $1.8 billion with 12 of Wall Street’s leading investment banks. The prominent institutions, which included Morgan Stanley, Citigroup, Goldman Sachs, and Bank of America, were penalized for failing to monitor employees’ use of unauthorized messaging apps, like WhatsApp, with colleagues and clients.
The probe followed on from JP Morgan’s $200 million fine in December 2021, with the floodgates opening. Authorities seem to have used that initial $200 million settlement figure as a yardstick for the industry, signifying the end of an unofficial grace period afforded firms adapting to the pandemic. Such monumental penalties have, of course, had a seismic impact on the financial services landscape, with the repercussions reaching far beyond the behemoths evidently being made an example of. But how did we get to this stage, and how can firms address the employee behaviors which are clearly no longer going to be tolerated?
What’s Up with WhatsApp?
The SEC mandates that banks maintain records of all communication between clients and brokers. Private exchanges, like those occurring through WhatsApp, are far more challenging to monitor, and the likelihood of data being compromised only increases as personal devices are introduced to the equation. It’s important to note that the issue here is not with WhatsApp itself; the same concerns apply to WeChat, Telegram, and other ‘ephemeral’ messaging apps. It is the difficulties in documenting communications on these encrypted platforms, and the subsequent contravention of record-keeping requirements, that are problematic.
Phone Call Fatigue
Until relatively recently, consumers had limited options available to them if they wanted to reach out to a regulated firm. To discuss their bank account, for instance, they’d need to either get on the phone or head over to their local branch for a personal discussion. Now, they can communicate with the organization through a multitude of digital channels.
It’s not just an option, but a preference. WhatsApp, Facebook Messenger, and Telegram were among the most downloaded apps in Q1 2022, and WhatsApp itself has an astronomical 2 billion active users worldwide. According to Forbes, 93 percent of US consumers want to communicate via text message, with speed, ease of use, and (consumer) familiarity with the platforms proving decisive advantages. This works both ways; it’s also more accessible and more efficient for employees to communicate through tools that they’re familiar with using in their day-to-day life than one provided by their employer.
Remote Channels
The disruption of the Covid-19 pandemic led to far greater reliance on messaging apps, as physical proximity, even with colleagues, was prohibited. In 2019, 68.1 million U.S. mobile phone users accessed WhatsApp to communicate. This figure is projected to grow to 85.8 million users in 2023. A by-product of this reliance on new digital channels was an escalation in the number of workers using personal phones or tablets for business, as lines began to blur and professional and personal lives intertwined.
Employees are more likely to act casually when working remotely, whether that means taking longer breaks or messaging clients or colleagues through an unauthorized channel. Having allowed these communication habits to set in over a sustained period, they’re now tough to shift back to a pre-Covid level, given the inherent convenience and usability that employees have become accustomed to.
Paying the Bill
JP Morgan’s $200 million dollar fine in December 2021 was the first significant penalty in a probe that has also impacted the aforementioned dozen leading investment banks to the tune of $1.8 billion. The SEC’s crackdown has since continued to expand, as Wall Street’s private equity giants have revealed that they’re under investigation.
The enforcement unit has also launched inquiries about smaller Registered Investment Advisor (RIA) protocols for ‘off-channel’ business communications. RIAs are subject to the same regulations as the larger firms that were previously penalized, so while they may have been spared the ambush of the initial investigations, they should be mindful that they’re in the regulators’ crosshairs, nevertheless.
What Now?
The situation leaves business leaders and compliance teams in a quandary. Should they sacrifice convenience and operational efficiency in the pursuit of compliance, banning messaging apps outright and instead relying on the tried and tested solutions of email, phone calls, and, to a lesser extent, social media?
This is probably a tempting option, given the enormity of the penalties being administered. It has undoubtedly been the more popular approach given that, in July 2022, just 15 percent of financial firms were monitoring WhatsApp.
But it’s not quite that simple. Banning employees from using particular channels doesn’t necessarily mean that all risks are eliminated. Prohibiting helpful tools will probably lead to disgruntled employees and “compliance gaps” in the workplace. The safer option is for business leaders to understand the platforms that employees and consumers prefer to use, then develop suitable policies accordingly. Ultimately, if employees want to use unauthorized apps, they will do so, unless a supervisory procedure is in place to police it correctly. This has had immense repercussions for the likes of Goldman Sachs, Bank of America et al., who have not succeeded with this step, despite their resources.
Can WhatsApp be Monitored?
The preferable option here is surely to empower staff to utilize the platforms with which they’re most comfortable, minimizing limitations wherever possible. To achieve compliance on encrypted platforms like WhatsApp, business leaders must ensure they can capture, preserve, and monitor conversations. This is easier said than done, and the process has historically been a source of great difficulty. However, in recent years, new solutions have been developed specifically to tackle this emerging necessity.
Much as they had previously for social media platforms, leading digital archiving vendors have built the technology to capture and archive communications data from apps like WhatsApp, WeChat, Signal, and Telegram. This rescues business leaders from the frustration of having to choose between efficiency and compliance; both can now co-exist very peacefully. Crucially, firms can also allocate secondary numbers on personal devices, allowing employees to differentiate between business and non-work-related contacts and capture pertinent data accordingly. This means that privacy can also be maintained despite heightened levels of professional scrutiny. It would be counter-intuitive to ignore the rising demand for encrypted messaging apps in the workplace. Thankfully, businesses no longer have to.