Investment banking firm Morgan Stanley has punished some of its employees with fines that topped more than $1 million for breaching compliance rules by using WhatsApp and iMessage for business communications.
The fines were levied by docking previous bonuses or future pay, according to a report in the Financial Times.
While the fines might seem steep, Morgan Stanley itself has had to pay millions of dollars in fines for previous SEC violations related to the use of consumer messaging apps for business purposes.
Last September, the US Securities and Exchange Commission (SEC) fined big-name banks and brokerages a collective $1.8 billion over workers’ use of private texting apps to discuss work and for not always saving those messages. The fines include $1.1 billion assessed by the SEC and a $710 million fine from the Commodity Futures Trading Commission (CFTC).
Morgan Stanley was among the more than a dozen financial services firms fined and had to pay more than $200 million. In 2020, Morgan Stanley suffered a major security breach related to two senior employees in the bank’s commodities division who were using personal messaging apps. The employees were fired.
In the most recent violation of company policy against using unauthorized and unmonitored communications channels, the bank hit employees with fines that ranged from few thousand dollars to more than $1 million per person.
The penalties were based on a points system that takes into account factors including the number of messages sent, the banker’s seniority, and whether they received prior warnings, said people briefed on the matter, according to reports.
Morgan Stanley did not immediately respond to a request for comment by Computerworld.
Shiran Weitzman, CEO of mobile risk intelligence platform provider Shield, said imposing bans on popular communications applications such as WhatsApp and iMessage is a temporary solution. Employees are eventually going to use what’s most popular and convenient.
Last year’s spate of financial services fines by regulators over improper use of messaging platforms was a shot across the bow — a statement that the industry needed to clean up its act, and “put some order in the house,” Weitzman said.
The problem, however, is the banking industry and other businesses with high-touch business services often see employees simply adopt the most convenient communications platforms.
“The requirements for WhatsApp or iMessage are similar as for any communication channel a bank is using — email, Slack, Microsoft Teams, Zoom, whatever. Anyone communicating on behalf of the bank…needs to be monitored,” Weitzman said. “With today’s technologies, it’s doable. Why they haven’t done it, that’s a different question. I have my guesses.
“It’s not a technology play,” he continued. “It’s very hard for them to [change]. They’re large organizations and every time they need to apply some new technology or requirement, they need to do it on a global level.”
During the pandemic, bankers forced to work remotely became comfortable using popular consumer messaging platforms because their clients were also using them. They were simply more convenient and at the time financial services companies relaxed their oversight of mobile communications services.
Weitzman said banks need to focus on enabling the best tools with security and monitoring software, which uses APIs to track communications and flag suspicious communications while still keeping conversations private. Though possible, banning employees from using the latest communications technologies is not conducive to good business.
“WhatsApp and iMessage, that’s forward thinking,” Weitzman said. “You need to be able to capture the message. And, the employee needs to fully acknowledge this is happening and give their consent. But I believe it will take time for this message to come down to [financial services firms], and I’m afraid there will be additional fines before it does.”