Compliance experts look to AI, tech to help with WhatsApp violations

With the latest round of fines hitting firms for misuses of WhatsApp and similar services for so-called off-channel communications, many large firms are hoping these sorts of violations are in their past.

But regulatory experts caution that it's not enough simply to have policies in place insisting advisors go through official channels when discussing business with each other or clients. Too few firms go the extra step of making sure employees are abiding by the rules.

Technology can often help here, said Carlo di Florio, the global advisory leader at the compliance consultant ACA Group. With so many messaging-tracking systems now on the market, firms that haven't adopted something of this sort could have a hard time explaining themselves to regulators.

Technology offered by ACA and other regulatory specialists can help firms monitor and log messages advisors send to each other and clients using services like WhatsApp or social media. Artificial intelligence can also be used to detect troubling patterns in communications between firm representatives. Often, di Florio said, people who break the rules are likely to do so only with colleagues they are in frequent contact with.

READ MORE:
Firms struggle to monitor staffers even after WhatsApp probes
Latest WhatsApp sweep shows value of cooperating with SEC
JPMorgan bosses addicted to WhatsApp fuel $200 million in finesAI and 5 other FINRA worries for 2024
7 takeaways from the SEC's $5B enforcement year

"These are people who usually know each other, right?" he said. "And because there are millions of communications, we want to home in on those where relational analytics suggest: This is where the risk could be more manifest. So we use natural-language processing as part of that surveillance tool, because it's able to really digest a lot of data and identify and assess patterns."

Latest warning shot

The most recent fines in regulators' campaign to stamp out off-channel communications came on Friday with the Securities and Exchange Commission's announcement that it was hitting 16 firms with $81 million in civil penalties for messages sent through unapproved means. The companies caught up in the sweep included some of the biggest names in the industry.

The largest fine fell on Northwestern Mutual Investment Services, together with Northwestern Mutual Investment Management and Mason Street Advisors, which were ordered to pay $16.5 million. U.S. Bancorp was hit with an $8 million fine. Meanwhile, Huntington Securities, an institutional broker-dealer out of Chicago, got off with a relatively small $1.25 million penalty after going out of its way to cooperate with regulators.

Most of the firms have not been responding to requests for comment. U.S. Bancorp released a statement saying, "We cooperated fully with the SEC's investigation, have been working proactively to enhance our technology and oversight further, to meet the expectations of our regulators and needs of our clients, and are pleased to have this matter behind us."

Previous regulatory rounds have imposed fines for similar violations on some of the top firms in the industry, including Morgan Stanley, Goldman Sachs, Bank of America, UBS and Citi. Di Florio said the total fines handed out easily exceed $2 billion. Violations were found at all levels, from the C-suite down to customer-facing advisors.

Di Florio said many of these firms have taken steps to prevent violations from recurring, such as insisting that employees only discuss business on company-issued devices and forgo the use of cell phones on trading floors. Now the emphasis will be on making sure they follow through on the commitments they've made.

"The expectation is going to increasingly be that firms are using technology as part of the solution here," he said. "And that may be where firms aren't doing enough. They feel that they looked at their policies and procedures, they've done some communication training, they've issued devices, but are they really using the technologies and capabilities that are available to capture, archive and surveil?"

Retention test

The SEC views record retention as central to its mission of protecting market integrity. Communications that are conducted off-channel, using encrypted means, can be extremely difficult to scour for evidence of wrongdoing. The Financial Industry Regulatory Authority, the brokerage industry's self-regulator, has expressed similar concerns about messages sent through unofficial conduits.

"Today's actions against these 16 firms result from our continuing efforts to ensure that all regulated entities comply with the recordkeeping requirements, which are essential to our ability to monitor and enforce compliance with the federal securities laws," SEC Enforcement Director Gurbir Grewal said in a statement. 

Brad Levy, the CEO of the compliance software firm Symphony, said it's impractical to expect financial planners simply to abandon sending messages on WhatsApp and similar systems. Clients, particularly younger ones, want to use those services, and advisors will always be under pressure to meet them where they are.

"Sometimes you have personal relationships with someone you really know, right?" Levy said. "You're in the town, your wives or husbands are friends, and you're doing golfing times. And it's a fine line between business. So there's all this complexity there."

Keeping it encrypted

Symphony offers a tracking system that ties into WhatsApp and many other messaging services. Levy said the data remains encrypted, helping to ensure the privacy of client information.

If regulators want to see what someone has been sending through these means, they have to go to the advisor's employer. The firm will have a key allowing the messages to be decrypted.

Levy agreed that the SEC is unlikely again to bring big sweeping charges against the firms that have already been hit with substantial fines. Most of those places have taken the recent enforcement actions seriously enough to avoid a top-to-bottom indictment of their policies and procedures.

But that doesn't mean they'll be able to stop individual advisors from going rogue from time to time. Levy said there's also the possibility that once the SEC starts reviewing information from the formerly encrypted data it has unearthed, it will start finding evidence of dubious activity.

"And that usually takes years, because they'll find something else, and next thing you know, there will be some Wall Street insider trading or something else going on that's even more nefarious. And I think there'll be some of those that eventually come out."

Regular check-ins

Both Levy and di Florio agreed that firms will do well to remind employees regularly of their duties and responsibilities with communications. Di Florio recommended employers ask advisors to certify once a quarter to certify that they've not engaged in off-channel communications.

"The more frequently you do the certifications [that] require the employee to say they haven't done anything inconsistent with the policy, the greater the likelihood is that people are going to think twice about it," di Florio said.

Regulators will also want firms to show instances in which employees were found to have violated the policies and then explain the consequences. It will be important to show that advisors who step across the line are being treated the same regardless of their seniority or how much money they produce.

"And then is it one strike and you're out? Or two strikes and you're out?" di Florio said. "What are the ultimate consequences that come to bear? Are you pulling back on bonuses? And how much are you pulling back on bonuses for people who don't comply?"