A year ago we wrote about the risks and challenges of using WhatsApp at work. Twelve months on, we have seen a number of developments, including recent guidance from the FCA, which stated that it has acted against individuals and firms for misconduct involving the use of WhatsApp and other social media platforms to arrange deals and provide investment advice, and that it views such conduct as serious. The FCA expects this to remain an area of focus. It has commented on the increased risk that employees may use informal encrypted messaging systems such as WhatsApp in a home working context, and has reminded firms of their continued obligations in relation to recording and monitoring such communications.
The ability to comply with record-keeping obligations in relation to less formal modes of communication is also an area of focus for US regulators. Last September the SEC fined a brokerage firm $100,000 when it was unable to provide copies of business-related text messages from personal devices despite a court order. This issue arose despite the fact that the brokerage firm had prohibited the use of unapproved communications, a prohibition reinforced by annual compliance attestations and training.
It seems increasingly clear that it will not be sufficient for firms to simply rely on the fact that they have prohibited the use of personal devices and/or messaging systems such as WhatsApp for business purposes. We outline below some practical steps gleaned from our collective experience in the UK and US of dealing with these issues including from an in-house and enforcement perspective.
- Firms should regularly revisit their policies in relation to the use of privately owned devices and/or messaging systems such as WhatsApp for business purposes and consider whether any updating is required. To the extent that the use of messaging systems is permitted, does the firm have a clear, unqualified right of access to business-related messages on a work device, and have adequate steps been taken to ensure these messages are recorded and monitored in compliance with relevant regulatory requirements? In the UK the position in relation to personal devices is more complex, as considered in more detail in our previous article.
- Firms need to be able to demonstrate that they have ensured that the policy is well understood, including giving prominence to the policy as part of the induction process. Given the variance in market practice between institutions, it may be helpful to explain that the firm’s approach may differ from that of previous employers.
- Regular refresher training should be provided. Points to consider when designing training and procedures include:
  - Ideally, training should be conducted in small groups using examples or case studies specific to the particular business area in question. Auditorium-style training to significant numbers of employees across the business may inhibit effectiveness, particularly where examples given are not easily applicable by all attendees to their day-to-day experience and raising queries to check understanding is more difficult.
  - Training should emphasise the need for care to be taken when communicating with colleagues and third parties for business purposes. Individuals are prone to use more informal language when communicating via messaging applications than they would otherwise. However, they should be reminded that there are a variety of circumstances in which their messages may be reviewed and carelessly worded communications may be read out of context and misinterpreted. Training should also emphasise that firms are now routinely required to provide text and WhatsApp messages as a matter of course, and that a failure to provide any such business communications may not be an issue solely for the firm. Consequences for the individual include being required to provide such messages to the government or regulator in the event the firm cannot produce them.
  - Training for managers should include reference to the importance of setting the right example, including reinforcing the message for any new joiners early on and not being seen to condone or participate in breaches of the policy.
  - Ensure that training and procedures make it clear when and how the use of WhatsApp is permitted (if at all) and emphasise the need for individuals to separate work and personal messages, providing examples of how this can be done. The task of separating these, for the purpose of complying with a regulatory request for example, can be extremely onerous and challenging.
  - Training and procedures should make it clear that individuals should not delete work-related messages.
  - Training should clearly define “business communications.” Many employees interpret business communications too narrowly.
  - All training should include an element designed to ensure the policy has been understood, such as a quiz or other testing.
  - Consider yearly or bi-yearly attestations that employees are required to complete at the end of the training. The attestation should ask employees to attest that they do not use unapproved communication platforms, and should specifically list those platforms that are unapproved.
- Undertake regular spot checks and a more detailed review if there is evidence that the use of privately owned devices and/or messaging systems may have departed from the policy.
- Develop a consistent and clear disciplinary guide for employees who violate the communications policy. While individual cases will vary depending on the circumstances, it can be important to demonstrate to the government and regulators that the firm takes this issue seriously.
- Given that the use of text messages and WhatsApp for business communications is pervasive, a number of technology solutions are becoming available which allow firms to capture text messages, mobile phone calls and WhatsApp chats, although firms will need to consider local requirements including data protection considerations, where relevant.