Fahreen Kurji

The year might be coming to an end, but regulatory action regarding the use of unauthorized communication channels is not. Having taken action against the banks, the US regulators are widening their scope and putting Private Equity firms on notice. Many believe that Commodities firms are next in line. In England, the FCA is also beginning to ask firms the same uncomfortable questions. If you’ve attended an industry roundtable or event of late, “what’s up?” has been replaced by “whatsapp?”.

Behavox’s top true positive-generating Risk Policy, “Unauthorized Activities,” has seen a 78% rise in alerts in 2022, suggesting that employees continue to take communications “offline,” where they cannot be monitored or made part of the firm’s books and records. Regulators are taking these stats seriously and are forcing organizations to address this enormous increase in off-record unauthorized activity.

Firmwide guidance has been issued at many organizations, similar to the following from a global investment bank:

“Personal devices cannot be used for anything related to business. If you are found to be using personal devices to communicate business matters, we will have to respond in the harshest manner.” 

Firmwide practice, however, seems to differ from the guidance. An investment bank employee indicated:

“I understand the rationale behind the policy but there are a lot of conversations I cannot have over corporate WhatsApp… not mentioning that most of my clients are my friends and the trust-based relationship we have will be undermined if I ask them to switch to my corporate WhatsApp number. If the bank finds out, I will definitely get sacked the next day, but I think the risk of this is extremely low.”

This sentiment has been echoed by individuals within the Private Equity space:

“Keep in mind… this is not unique to me. I don’t know anyone in our business who would keep all communications to the corporate device.”

Opting to “trust but verify,” we reached out to the Behavox community of users at American and European financial services institutions. An overwhelming majority (87%) echoed the sentiments above: updated firm policies are not being followed.

This presents an uncomfortable dilemma for compliance teams who are left wondering, “What can we use as an effective deterrent to employees routinely taking the conversation offline?”

Regulated firms are now finding themselves up against the clock to bring business communications back into their books and records through a combination of policy changes and the introduction of new technology that allows employees to use authorized versions of prevailing chat channels that can be monitored.

We see four key questions being asked in response to the unmonitored business communications dilemma:

  1. Is there a case for simply banning channels like WhatsApp/WeChat/Telegram instead of offering firm-approved versions of these channels?
  2. How best to respond to regulatory enquiries regarding capture and preservation of monitored or unmonitored channels for business conversations?
  3. If firms capture firm-approved versions of WhatsApp-type channels for books and records, should they also be actively monitoring these communications?
  4. Do employees actually use firm-approved versions of WhatsApp-type channels or are they still pivoting business conversations to personal platforms?

The fourth question seems to be in the spotlight these days, dominating much of the airtime at roundtable discussions that we have recently attended and hosted.

Since firms have an obligation to keep business communications as a part of their books and records, there is increased interest in detecting when employees are switching to unmonitored platforms. Firms are now asking, “How can we effectively set up a Risk Policy to detect this issue?”

As our colleagues in the field of digital forensics know too well, there is always a trace – and a trace is often all you need to advance your investigation.

Despite the fact that data transmitted over personal WhatsApp and WeChat accounts is beyond our reach (and for good reason!), individuals who have a habit of hopping channels for business purposes will inevitably end up leaving a trace of their intentions:

Experienced compliance professionals would immediately make a point that these examples are too simplistic and that, in the real world, we deal with a greater level of obfuscation:

And they would be right – you would be very lucky to catch the last sentence using lexicon-based systems.

However, this is exactly the type of challenge at which AI-based systems like Behavox Quantum truly excel. Behavox’s AI technology can capture the underlying context and semantics across various languages in written or spoken communications.

Policies alone will not appease the SEC or other regulators through this street-wide sweep. Firms are expected to retain all business communications and must have risk controls in place to reasonably capture these communications. 

Proactive firms are thinking a few steps ahead, expanding access to popular communication channels for monitoring and, most importantly, identifying when employees are still evading the rules and channel hopping to unauthorized communication channels.