Over the past decade, instant messaging app services for businesses or individuals to communicate with single or multiple users have seen some of the fastest growth in the tech sector. For instance, when WhatsApp was launched in 2009, it provided a free messaging service alternative to BlackBerry Messenger. Its growth since then, to over 1.7 billion monthly users, has been nothing short of phenomenal, eclipsing the speed of user growth for apps such as Twitter, Skype or Facebook itself. In India, by far its largest market, WhatsApp now has over 400 million users and is only recently being challenged by stablemate Messenger and newcomer TikTok. No doubt it was these stellar user growth rates that convinced Mark Zuckerberg to add WhatsApp to the Facebook stable in 2014 for US$19 billion.
However, the popularity of instant messaging services has brought with it heightened risk, due in large part to an increasing number of price rigging scandals in the financial services sector, from interest rate swaps to LIBOR to foreign exchange. It is therefore important to review the risks of using instant messaging, particularly, but not exclusively, in regulated business environments.
Part of the attraction of instant messaging is that it is more informal than traditional communication, such as email and letters, and, therefore, it is common for users to communicate freely as if they were speaking in real time, without perhaps taking adequate time to reflect on the content of their messages. A number of recent cases illustrate the importance of upholding the same standards regardless of the method of communication.
In May 2019, the EU Commission fined a group of banks over €1 billion for participating in foreign exchange spot trading cartels based on online chat room conversations. Traders were exchanging sensitive information, trading plans and, occasionally, coordinating strategies in informal chat rooms with colourful names such as ‘Essex Express ‘n the Jimmy’ (because all but Jimmy commuted from the county of Essex) and ‘Three way banana split’.
The LIBOR manipulation scandal also included a significant amount of evidence from chat rooms. Other online chat rooms for traders have sported names such as ‘The Bandits’ Club’, ‘The Mafia’ and ‘The Cartel’. In these ‘private’ forums they bragged about their activities and egged each other on with phrases such as ‘If you ain't cheating, you ain't trying’ and ‘Mess this up and sleep with one eye open at night’.
Many banks banned staff from using online chat rooms shortly after these scandals first broke, and a number of employees were dismissed. Even so, a class action in the US over claims of foreign exchange manipulation involving 15 banks recently settled for US$2.3 billion. A similar class action is in train in England using the rights available under the Consumer Protection Act 2015.
This issue is not limited to the financial services sector. Part of the problem is a common perception that, because of encryption, some of these informal messaging services are more secure than conventional modes of communication, which, as the above examples demonstrate, may not be the case. For example, the US indictment of Roger Stone, a political consultant and strategist on the US presidential campaign of Donald Trump, quoted the following message: ‘Yes - want to talk on a secure line - got WhatsApp?’. In addition, he allegedly sent messages threatening a witness and suggesting he do a ‘Frank Pentangeli’, a reference to keeping your mouth shut when giving evidence, as depicted in The Godfather Part II. Mr Stone was arrested and indicted under the Mueller probe into Russian interference in the 2016 US elections and faces a lengthy prison sentence if convicted on the seven charges against him.
Other regulated firms, including accountancy practices and law firms, have recently dismissed partners and senior managers based on evidence from messages sent on WhatsApp. So, how do employers, regulators, enforcement agencies and other authorities access messages?
Messaging history may be accessed in a variety of ways. For example, employers may be entitled to retain and access the content of written or oral communications by contract with the worker. Regulators may use their statutory powers to require oversight of communications and order retention and disclosure in the event of perceived wrongdoing. Once litigation is a possibility, parties are asked to preserve evidence and may be ordered to disclose all relevant documents, including digital messages, whether stored on devices controlled by the organisation or the individual. In the case of a prosecution for corruption, evidence may be voluntarily disclosed by organisations at an early stage in return for leniency, for instance in the case of a deferred prosecution agreement.
From a regulatory standpoint, in the UK, the FCA handbook provides that ‘a (regulated) firm must take all reasonable steps to prevent an employee or contractor from making, sending, or receiving relevant telephone conversations and electronic communications on privately-owned equipment which the firm is unable to record or copy’.
In the US, the Foreign Corrupt Practices Act corporate enforcement policy suggests corporations put in place ‘…appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company's ability to appropriately retain business records or communications or otherwise comply with the company's document retention policies or legal obligations’.
Some jurisdictions, such as China and North Korea, actively monitor and censor online usage and content, filtering or blocking search queries or messages containing politically sensitive or offensive material.
In conclusion, the use of messaging apps in the regulated sector carries with it the same risks as putting the words in a written document or email. Businesses in the regulated space that do not already do so should review their instant messaging policies and personal device policies to ensure that the digital policies and arrangements they have in place to monitor, retain and preserve electronic communications are appropriate and relevant to current instant messaging applications. This should not only ensure that staff comply with the law but also enable prompt and informed dialogue with a regulator or other enforcement agency at an early stage where necessary.