What happened with the recent fines imposed on banks?

United States regulatory organizations recently fined 16 banks for failing to appropriately monitor, track and prevent their employees using unapproved messaging applications to discuss work-related information. The US Securities and Exchange Commission (SEC) struck them with fines totalling $1.1 billion, while the Commodity Futures Trading Commission (CFTC) fined them $710 million. The banks include some of the most prominent names in finance: Bank of America, Goldman Sachs, and Morgan Stanley.

The SEC investigation revealed that there was widespread “off-channel communications” on the bank’s employees' phones and computers. Furthermore, it was uncovered that in some cases, the firm's executives even guided their employees to specifically use these unsanctioned messaging apps and delete private messages.

Why is the usage of messaging apps prohibited?

Maintaining compliance is table stakes to participate in a regulated industry like financial services in the US. Per investor protection laws, financial institutions must monitor, record, and store employee written communications, keeping a paper trail that can be used for reviewing compliance with regulators. The importance of maintaining these records is paramount in a highly-regulated market like financial services, where the consequences of non-compliant bad actors can drive disastrous market outcomes representing billions of dollars.

When banks don’t sufficiently use policies and software to enforce, monitor, and record employees that use messaging applications for work communications, they remain in the dark for possible employee misconduct in their regulated market. Thus, maintaining a log of communications and actions is critical, so regulators can establish and maintain a fair market, ensuring there is no misbehavior amongst participants. Financial services firms are required to meticulously monitor employee communications pertaining to business matters to prevent any sort of misconduct, such as insider trading.

SEC chair Gary Gensler, spoke about the importance of maintaining compliance, “Finance, ultimately, depends on trust. By failing to honor their record-keeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust."

Difficulties in keeping up with data sprawl

From WeChat to Signal— it’s difficult to keep up with the plethora of new apps and features employees use to communicate and share data every year.  Many messaging apps have adopted end-to-end encryption as the standard, an obstacle many data security tools can’t overcome. For example, it’s impossible for network security tools like SWG and CASB/SSE tools to see end-to-end encrypted messages sent through messaging apps.

Post-incident forensics tools can be used to investigate what actions a user performed, but not stop data exfiltration in progress. In addition, post-forensics tools often require physical custody of devices – which can increase lead time, and business risk.

How can banks and other financial services firms achieve compliance and prevent fines?

• Monitor messaging application usage: Leverage software that can monitor and record all messaging applications (like WeChat), cloud storage (like Dropbox), and file sharing (like Apple AirDrop) applications utilized by employees for work communications.
• Trace data using source context: Trace and track the origin and movement of data whether contained in a file or copied and pasted directly from an application (i.e. corporate dev files to WhatsApp). Data tracing can show the flow of sensitive data through multiple channels, including software applications (from Zoom video recordings, files from Slack, to Salesforce reports), network shares, endpoints, email — starting from creation through egress.
• Establish specific policies: For example, enabling automated alerts of unusual download attempts of spreadsheets from web applications (i.e. Salesforce CRM), and sensitive documents from a cloud file storage app (i.e. Dropbox DocSend).
• Leverage business context: For example, why is an associate on our investor relations team downloading troves of M&A documents owned by the investment team?), to monitor unusual behavior, and enforce policies.
• Educate employees in real time: Don’t rely entirely on quarterly security training. When an employee does something wrong, warning or redirecting them to a safer, approved path is key. At the point of using unsanctioned applications (like WeChat) or exfiltrating data, provide employees with a gentle warning pop-up message explaining why the action is non-compliant, just in case it was an unintentional accident.
• Block bad behavior: If an employee attempts to exfiltrate sensitive documents post-download, modern enterprises can also defend themselves by setting a policy to block the exfiltration of data via a specific egress vector (like a WhatsApp upload) outright.  

Compliance simply can’t be ignored

US regulators have made it crystal clear that they won’t shy away from fining non-compliant financial firms billions of dollars. As more and more new communication applications are being created and adopted daily – from Apple’s FaceTime Audio, to the latest encrypted messaging app, it’s getting more challenging to monitor employee work communications in a regulated market. As we saw with the rapid adoption of remote work, we anticipate regulators to increasingly track and scrutinize new vectors for marketplace misconduct. Ultimately, financial services firms must take these regulations seriously, as they have their balance sheets, reputation, and clients’ trust at stake.