Ever suspected bankers used WhatsApp comms at work? $1.8b says you're right
Thought shadow IT at your office was bad? Try enforcing workplace device policies on hedge fund traders
Updated Ever given a colleague a quick Signal call so you can sidestep a monitored workplace app? Well, we'd hope you're not in a highly regulated industry like staff at eleven of the world's most powerful financial firms, who yesterday were fined nearly $2 billion for off-channel comms.
Banking giants including Goldman Sachs, Credit Suisse, and Citigroup agreed to pay $1.1 billion in penalties from the US Securities and Exchange Commission (SEC) and $710 million in fines from the Commodity Futures Trading Commission (CFTC) in separate actions on Tuesday for failing to monitor and stop their workers from using unauthorized messaging apps. The action comes after months of wrangling between the federal regulators and the banks, culminating in fines many have criticized as being too small to be a real deterrent.
The companies yesterday admitted their staff, including senior investment bankers and equity traders, regularly shot the breeze on WhatsApp and other "unapproved" private channels.
The companies were also hit with cease and desist orders preventing them from continuing to "commit or caus[e] any violations and any future violations of Section 17(a) of the Exchange Act." In what might be the most unusual part of this situation, all of the companies (along with some of their subsidiaries) appear to have admitted to wrongdoing.
The SEC said in a statement that its investigation uncovered "pervasive off-channel communications," and that after gathering communications from the personal devices of just a sample of the various firms' personnel they found off-channel exchanges between "senior and junior investment bankers and debt and equity traders."
SEC chair Gary Gensler said in a statement: "Finance, ultimately, depends on trust. By failing to honor their recordkeeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust."
The agency went on to say that secret squirrel comms failings had occurred across all "16 firms" (that number includes the 11 and their affiliates - there's a full list here), adding that it had "involved employees at multiple levels of authority, including supervisors and senior executives."
The CFTC, meanwhile, said of its separate but related operation that the behavior was "egregious and widespread" and the "increasing reliance on novel communications platforms available on personal mobile devices, indicates a concern that — unless effectively addressed — may negatively impact market-participants' internal compliance ... and the Division of Enforcement's ability to effectively and efficiently investigate conduct that may violate the CEA and/or CFTC regulations."
The agency also said it was looking at allegations of similar misconduct at another "major financial institution" registered with the CFTC in the matter, citing a 2021 complaint where a dollar-swaps trader at a global investment bank was alleged to have deleted WhatsApp comms after the division made an order that he retain all communication on messaging apps including Facebook, Whatsapp, Telegram, Slack, or Signal, including any backed up versions in cloud storage etc.
As for what's to stop them from doing it again, the businesses have all vowed to up their compliance efforts, agreeing to retain compliance consultants who will conduct comprehensive reviews of their policies and procedures on the retention of "electronic communications found on personal devices" and take a look at their "frameworks for addressing non-compliance by their employees with those policies and procedures."
- Open up, it's the IRS. We're here about the crypto tax you dodged
- Cisco asks shareholders to vote against global tax transparency
- Boeing to pay SEC $200m to settle charges it misled investors over 737 MAX safety
- Microsoft: Blobs can be WORMs in the new, regs-compliant Azure
Gurbir Grewal, director of the SEC's Division of Enforcement, said the 16 firms admitted the facts and acknowledged that their conduct violated these very important requirements, and have started to implement measures to prevent future violations.
The Register is keen to hear any of your solutions to the sticky shadow comms problem. You could require staff to place personal devices in secured containers, but what happens when they're needed outside the office? How do you enforce such a policy? And then how can the company be sure you don't just walk out the office after work after market close, and simply send a Telegram message from your own cellphone? Quants and traders, on the whole, are better than your average non-finance fan at memorizing strings of numbers. ®
Updated to add:
Bank of America, Barclays, Goldman Sachs, Credit Suisse, and Nomura all declined to comment while Deutsche Bank told us it "fully cooperated" with regulators on this "industry-wide matter" and "proactively deployed fully compliant and convenient text and chat platforms." You'll be relieved to know it doesn't expect any impact on its third quarter results.