- Wall Street is losing its grip on employee communications amid a proliferation of encrypted messaging apps, according to remarks made by bankers and enforcement officials at a conference panel in Phoenix.
- The encryption of popular apps like WhatsApp, WeChat, and Signal puts the messages largely beyond the reach of compliance staff and enforcement authorities unless they get access to the phone.
- Conversations with roughly five other bankers or lawyers on the sidelines of the event suggest it's a big problem for the industry.
Wall Street is losing the battle over secrecy to a host of encrypted messaging apps.
For years, banks and securities firms, not to mention corporations in other industries, have watched as employees gravitated to encrypted messaging apps like WhatsApp or Signal and WeChat in Asia, and sought ways to monitor the communications.
Those efforts continue to come up short. That's the conclusion of a recent exchange between one of Wall Street's top lawyers and government enforcement officials at a conference in Phoenix. Conversations with a half dozen lawyers, both in house and external, on the sidelines of the event suggest it's a big problem for the industry.
The exchange took place between Eric Grossman, Morgan Stanley's general counsel, and enforcement officials at the Securities and Exchange Commission and Financial Industry Regulatory Authority. Moderating a panel, Grossman asked the officials to weigh in on what banks should do to comply with rules around retaining and monitoring employee-client communications in an era when conversations are increasingly happening on encrypted apps.
Regulators require banks to maintain records of employee and client communication, including email, phone and text messages. But the encryption puts messages largely beyond the reach of compliance staff and enforcement authorities unless they get access to the phone.
"Technology around communications is evolving beyond the governing regulations with respect to retention of client communications and business-related communications," said Grossman. "Texting is supplanting email and lots of folks have both personal and business relationships so they are texting someone personally about, well, something personal, and it changes into a business communication."
In the past few years, messaging apps like WeChat, WhatsApp, and Signal have taken root across Wall Street trading floors and investment banking offices as a secure and encrypted means of communication. As more and more business communication moves to the platforms, Wall Street and government officials have increasingly been left without a way to monitor them.
Banks are trying to figure out how they can watch those communications to curb wrongdoing and meet regulatory requirements, without infringing on employee or customer privacy concerns. The app developers haven't been all that helpful in coming up with a way to archive or save messages, according to one of the people.
"There's a value that they're selling, and that's privacy," said Joseph Facciponti, an attorney at Murphy and McGonigle, who ran internal investigations at HSBC earlier in his career, referring to the tech companies. "It's going to be hard to put the genie back in the bottle."
Sign up here for our weekly newsletter Wall Street Insider, a behind-the-scenes look at the stories dominating banking, business, and big deals.
The challenge to find a solution is so intractable and the trend so strong that some surmise that Wall Street's top cops may find themselves back to the way things were done in the 1990s, when they could only monitor memos — email in this era — or phone records.
Making matters worse, much of the adoption is being driven by clients, according to lawyers. In Asia, customers have asked their advisers to move their communications over to WeChat, the ubiquitous Chinese messaging and e-commerce platform. And in some cases, clients don't use email anymore, Grossman said.
The challenge is made more difficult when companies require employees to use their personal device for company business, in what's known as bring-your-own-device policy. That makes it possible for employees to have the apps on the phone they use for business, comingling business communications with personal correspondence.
While one potential solution may be to force employees to use work-issued devices, which can't download the apps, and policies that prevent the use of personal devices on, say, a trading floor, that's unlikely to slow employees looking to keep communications hidden, Facciponti said.
Susan Schroeder, Finra's head of enforcement, acknowledged the need for the messages, and the inherent difficulty in getting them.
"I know in our exams and investigations, we routinely ask for those kinds of communications," she said, "knowing that there is a very high likelihood that they exist, particularly in higher risk situations."
She added: "If we are going into a firm that we think is pump and dump firm, we might go in unannounced so that we can look at everyone’s cellphones and see the actual communications before they get erased."
Steven Peikin, co-head of enforcement for the SEC, meanwhile, struck a harder tone, putting the issue squarely back on the companies.
"If that issues comes up and the only issue from an enforcement standpoint is where were the communications, where are the required records kept, then we need to ask what were you doing from a compliance standpoint?" he said. "How were you ensuring that you were fulfilling the compliance function?"
