
More SEC Fines for Improper Use of Signal, WhatsApp and iMessage: can Financial Institutions offer secure and compliant communications in the place of consumer apps? 

Is there a way to provide a secure and compliant communication system within the financial industry?

Communication and continuous collaboration are central to every Financial Institution (FI) in the world. However, with this important culture of communication, there is always a high risk of serious data breaches. In recent weeks, we have again seen eye-watering fines from the Securities and Exchange Commission (SEC), to a total of $549 million, against some of the biggest FIs in the world.

What did these Financial Institutions do wrong? They failed to maintain the electronic records of employee communications due to the uncontrolled use of consumer messaging platforms such as WhatsApp. These messaging platforms often play a huge part in aiding communication within businesses, but with this can come serious protection risks. All SEC-tracked FIs are required to keep a record of all messaging communications. Failing to do so is not an option; in fact, it’s highly illegal. This is where the problem stems from and why FIs are being fined so significantly. According to its report, the SEC uncovered pervasive and longstanding “off-channel” communications at all 11 firms it investigated. The firms admitted that from at least 2019, their employees often communicated about business matters through various messaging platforms on their personal devices, including iMessage, WhatsApp, and Signal. The firms did not retain the majority of these off-channel communications, in violation of federal securities laws. By failing to maintain these required records, the firms made it impossible for the Commission to validate the content of these off-channel communications in various SEC investigations. The “hurt multiplier” for these banks was that the failures involved employees at higher levels of authority, including supervisors and senior executives.

This is not a new problem for FIs.

The July 2023 fines were regulators’ latest effort to clamp down on the pervasive use of consumer messaging apps like Signal, Meta’s WhatsApp or Apple’s iMessage by Wall Street employees and managers. Starting in late 2021, the watchdogs secured settlements with bigger players including JPMorgan Chase, Goldman Sachs, Morgan Stanley and Citigroup. Fines for these regulatory breaches totaled more than $2 billion, according to the SEC and CFTC.


The overarching issue is clear. Businesses need channels of communication among their staff at all levels. However, consumer messaging apps such as WhatsApp or iMessage cannot provide a secure and reliable platform for this. The solution is simple in theory: stop using these apps. But how should businesses navigate this?

  1. Don’t tolerate the bad behaviour

Banks are increasingly taking a zero tolerance approach to consumer messaging apps as a way to promote more compliant behaviour.

In 2022, a number of major banking crises were centred around the improper use of WhatsApp.  The investigating authorities were either unconvinced that sufficient measures were being put in place to control the transmission of sensitive information in uncontrolled groups, or were able to conclude that the bank was accepting that this stuff “will just happen”.  Banks are getting hit harder and more frequently and, as a result, they are starting to take action.

When Salt Communications speaks to senior bank officials within FIs, it is clear that there is a renewed focus on curtailing this behaviour, and staff are constantly being warned about the consequences of using WhatsApp for business purposes.

Since the beginning of 2023, banks have started fining employees up to $1 million for breaches involving WhatsApp. Deutsche Bank announced that it will now deduct bonuses from workers who use the messaging app. Wells Fargo has already indicated that it will do the same – and we expect more to follow. It is positive to see this switch in FIs’ mindsets to push their workforce into using more secure and compliant communications. It is clear that the best way to motivate a banker to change their ways is to hit them in the pocket. However, when there’s a sniff of malpractice the banks will act even more decisively. In a recent chat, a senior executive at a mid-sized global financial institution put it very bluntly. “A person’s stupidity, lack of experience or even just being bad at his/her job is not a crime. We’ll do our best to identify those individuals and either train them to do better or we’ll sack them. However, if we think you’re knowingly involved in financial dealings that are in any way illegal we will come after you as hard as we can. You’re gone! These people are putting our credibility at risk and this hits our bottom line from several angles.” He’s a banker, so I assume “the bottom line” means his bonus…

  2. Provide a viable alternative to consumer apps.

The claim by well-meaning bankers is that the existing bank-provided systems aren’t flexible enough to allow staff to communicate easily and efficiently.

It does not make sense to ban these globally popular consumer apps without offering a viable alternative. Well-meaning employees will revert to using them in order to “get things done” when current systems fail.

By creating a modern and effective internal communication environment, successful financial institutions will be showing their workforce their commitment to making their lives easier, while doing their bit to protect sensitive data and remain compliant.  Everyone’s a winner! 

For the relationship between the business and the communication platform to be successful, there needs to be a mechanism to control who gains access to the system, along with full visibility of where it is hosted and how data is controlled within the system. Obviously, the most important element for FIs is being able to show the SEC a record of communications when required to do so.

At Salt Communications, we work alongside major financial institutions to offer a secure and compliant safe haven communications network. This network enables financial organisations to efficiently share information about their most important matters whenever and wherever they choose, eliminating the requirement to use insecure and non-compliant consumer messaging platforms.

IMPORTANT FOOTNOTE:

While not the focus of this article, it should be noted that consumer apps aren’t just a bad idea for compliance reasons, but for major security reasons too. Large open consumer systems share the same vulnerabilities globally, which means that sophisticated nation state adversaries can exploit these weaknesses to attack users in FIs. This gives them access to sensitive information and can be used as a mechanism to launch major cyber attacks on the banking systems.

Reducing the use of consumer apps reduces the attack surface considerably and makes the whole bank safer.

If you require any additional assistance, would like to sign up for a free trial of Salt Communications, or want to speak with a member of the Salt Communications team, please contact our experts at info@saltcommunications.com.

Discover why financial institutions should consider Salt as a secure communications method. 

About Salt Communications 

Salt Communications is a multi-award winning cyber security company providing a fully enterprise-managed software solution giving absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest of security standards. Salt Communications offers ‘Peace of Mind’ for organisations who value their privacy, by giving them complete control and secure communications, to protect their trusted relationships and stay safe. Salt Communications is headquartered in Belfast, N. Ireland. For more information, visit Salt Communications.
