With regulators around the world stepping up their focus on off-channel communications, all businesses must ensure they’ve appropriate policies and procedures in place, as In-House Perspective reports.

When the Covid-19 pandemic hit and many workers around the globe were forced to work from home on very little notice, communication apps meant that for most the transition was largely seamless. From WhatsApp and Signal to Teams and Zoom, a huge number of platforms allowed the relationship between businesses and their clients – and between an organisation’s staff – to continue.

The issue is that these platforms are informal and unofficial, meaning the conversations they facilitate when it comes to businesses speaking to their clients are neither recorded nor retained. Regulators such as the US Securities and Exchange Commission (SEC), which require retention of communications so they can ensure businesses are behaving in an appropriate manner, have taken issue with their use.

The regulatory eye

Indeed, the SEC has taken action against more than 40 broker-dealers in recent years for the use of so-called off-channel communications, levying over $1.7bn in penalties. In April it took its first enforcement action against a registered investment adviser, agreeing a $6.5m settlement with Senvest Management in relation to multiple violations of the Advisers Act. Employees had, the SEC found, ‘communicated about company business internally and externally using personal texting platforms and other non-Senvest messaging applications in violation of the firm’s policies and procedures’. Senvest also failed to maintain or preserve these communications while some had even been set to automatically delete. Senvest, the SEC stated, will ‘implement improvements to its compliance policies and procedures’.

In August, after the SEC fined 26 companies a total of more than $390m for widespread record-keeping failures, Gurbir Grewal, Director of the SEC’s Division of Enforcement, said the actions show the regulator is ‘committed to ensuring compliance with the books and records requirements of the federal securities laws, which are essential to investor protection and well-functioning markets’.

The cases have, says Tami Stark, a partner at White & Case in New York, sent a strong signal that the SEC expects the same standard of record-keeping to apply to off-channel communications as to traditional communication methods.

‘While registrants have been preserving and maintaining email communications as standard practice since the early 2000s, electronic communications have now proliferated across a variety of platforms other than email, especially since the Covid-19 pandemic and the advent of remote work,’ she says.  ‘As a result, the SEC has taken action to put broker-dealers and investment advisers on notice that the same record-keeping requirements apply to off-channel communications occurring on non-traditional communications platforms, even if a registrant has not specifically authorised employees to use those channels for business communications.’

Daren Domina, a partner at Haynes and Boone in New York, agrees that the pandemic has led to employees taking a laxer approach to business communications, but highlights that customers have too. That means that, in order to ensure they are complying with necessary regulations, financial business don’t just have to look to their own people’s behaviour but to that of their customers as well. ‘Working conditions have changed since the pandemic, with more people working from home and using personal devices and computers and that has exacerbated the issue of off-channel communications – people have got more comfortable with their use,’ he says.

People have been using text messages and other methods of communication without necessarily thinking what that might mean from their employer’s perspective, says Domina. ‘The issue has lessened somewhat because of the return to the workplace, but some of those habits haven’t gone back to where they should be in terms of using only approved channels and clients and customers have got used to using those channels too,’ he explains. ‘Even if a regulated person sends something through an approved channel they might get a separate response or text message to their personal device.’

Domina says this isn’t only an issue for companies themselves. ‘They need to educate clients, customers and counterparties not to use those off-channel communications,’ he explains. ‘That requires an effort. Businesses have to reposition the stream back into an approved channel – if a client sends a text message about a business topic it could mean cutting and pasting it and sending it to your work email so you can send the response from a work email as if it had been sent to an approved channel.’ This, he says, would bring the employee back to communicating with the client in a channel that’s approved and archived by the company.

Though the SEC’s cases have been the most eye-catching in recent times, they’re not the only regulator taking action. The US Commodity Futures Trading Commission and the country’s Financial Industry Regulatory Authority are taking a similar approach, while Angela Flannery, Senior Vice-Chair on the IBA Communications Law Committee and a partner at Sydney firm Quay Law Partners, says the Australian Securities and Investments Commission has also begun to set out clear expectations around business communications.

Similarly, in the UK, in the summer of 2023 energy markets regulator Ofgem fined Morgan Stanley £5.41m for failing to record and keep WhatsApp messages traders sent on privately owned phones in which they discussed energy market transactions. Although the organisation had a no-WhatsApp policy in place for trading communications, Ofgem found that Morgan Stanley didn’t take the appropriate steps necessary to ensure that the policy was complied with. It was the first-ever UK fine issued by Ofgem in relation to electronic communications, with Cathryn Scott, Ofgem’s Regulatory Director of Enforcement and Emerging Issues, saying that it ‘sends a strong message to market participants’ about the seriousness with which record handling must be taken.

‘It is unacceptable that Morgan Stanley failed to prevent electronic communications which could not be recorded or retained,’ she said at the time the fine was agreed. ‘It risks a significant compromise of the integrity and transparency of wholesale energy markets.’ Ofgem noted that Morgan Stanley had ‘taken steps to ensure the breaches do not happen again, including enhanced staff training and the strengthening of its internal systems and controls’ and that it fully co-operated with the regulator’s investigation.

For Melanie Ryan, a partner at Pinsent Masons in London, such actions are probably the tip of the iceberg, with watchdogs including the UK’s Financial Conduct Authority and Prudential Regulatory Authority (PRA), both of which have warned of the risks inherent in off-channel communications, predicted to step up their scrutiny of companies’ practices. She says there’s a growing concern among regulators that off-channel communications can allow for potential misconduct, including market abuse or anti-competitive behaviour.

At the highest levels

But while it’s falling on regulatory bodies to set standards for the use of off-channel communications in financial businesses, Vikram Shroff, Co-Chair of the IBA Employment and Industrial Relations Law Committee and a partner at AZB & Partners in Mumbai, says it’s something all employers should be thinking about, regardless of sector. This is especially so as a lasting legacy of the pandemic is that the lines between workspaces and the home and what constitutes a work or a personal device have been blurred.

‘With all these messaging services it’s become much easier to connect with people and thanks to Covid we’ve seen some of the telecoms channels like Zoom and Teams boom – with everyone sitting at home it became so normal to use these channels,’ he says. ‘But because everyone was at home it wasn’t very formal and there were a lot of conversations that weren’t related to work. I remember clients sending me a message saying they needed to speak for two minutes and I’d say “let’s speak now”. Before Covid they’d ask for a call, we’d arrange a time, it would all be logged, but all of that got eliminated. That started becoming normal and, post-Covid, it’s continued.’

For Shroff, communication is now easier, but there are issues and challenges. He says he’s a firm believer in having these channels of communication available, but that sometimes the mindset of participants is that the conversation is casual – resulting in someone saying something that might not be appropriate. In his role as an employment lawyer, Shroff says it can be difficult when assessing evidence gathered from these channels to figure out if there’s a case of harassment or not, for example. ‘It allows employees to be part of a large group but sometimes things might be sent that you might think is fine or appropriate but someone else might perceive it differently’, he says. ‘It’s always risky when using these channels that while they might make communication easy, they could lead to other issues.’

In February, the Scottish Information Commissioner David Hamilton, who oversees the use of freedom of information laws in Scotland, said the UK Covid-19 Inquiry had raised ‘significant practice concerns’ over how ministers used messaging services such as WhatsApp. His office began an investigation that will probably ultimately lead to a set of rules being put in place for officials to follow.

‘The failure to retain or even record a complete set of the decision-making processes has not only deprived the inquiry of information, but also frustrated the public’s right to request information and generally undermined the spirit of Freedom of Information,’ Hamilton said at the time. ‘It is critical that public officials retain information which allows the public to understand how decisions are reached, for both record-keeping requirements and to maintain public confidence. Understanding how decisions are reached is how public trust in decisions [is] secured and lessons learned for the future. It is evident that the use of informal communication channels present risks to transparency and accountability within government. My intervention will review current practices as well as identifying actions to be taken to ensure improvements are made in relation to how officials and ministers use and retain informal communications in future.’

Getting policies right

The Scottish Information Commissioner’s concerns highlight just how prevalent the use of off-channel communications has become – and how important it is for businesses and other organisations to know how to use them. Indeed, Domina says that it’s incumbent on all organisations, regulated or otherwise, to have policies and procedures in place that clearly set out how they expect informal messaging services to be used – and how their people might be sanctioned for failing to adhere to those policies.

‘They are in a different position to regulated entities but non-regulated entities and businesses should consider whether they should voluntarily have policies and procedures regarding off-channel communications and the nature and extent of such policies and procedures, at all times taking into account their own business, personnel and particular circumstances,’ he says. 

‘The first step for businesses is to evaluate their own policies and procedures to see how robust they are’, explains Domina. Traditionally, he says, before off-channel communications became more prevalent, policies would often have a prohibition on off-channel communications and instructions only to use the company’s email addresses for business matters and some language about the consequences of not doing so. ‘Now, given the prevalence of the issue and the consequences of non-compliance, policies and procedures really need to spell out what is an approved channel and what is off-channel communication, and businesses need to provide training for individuals so they understand what is business-related communication and what is not,’ says Domina.

Shroff agrees, but warns that, as informal communication channels can also help foster opportunities, policies should be carefully tailored to avoid the risk of stymying this potential benefit. ‘Organisations should definitely have policies in place because the world is changing – social media continues to get more and more popular and that’s where policies would help,’ he says.

These policies, he adds, need to cover what’s official and what’s not official and where the employer might be liable along with examples. ‘A defined policy would help employers defend themselves against any claims and would help employees avoid difficult workplace situations,’ says Shroff. ‘But first employers have to understand what the risk is to work out what kind of policy they need. You don’t want to put a restriction on everything and lose out on the opportunities these kind of tools give you. It needs to be balanced in such a way that it’s not just completely restricted but [also] not just completely free. Every organisation will have to figure out what the right balance for them is.’

For Flannery, given how widespread the use of informal communication platforms is, and given that this is unlikely to change, it’s possible that developers will come up with a business version of their offering that automatically retains records on the behalf of clients. Unless and until that happens, though, she says the key thing for employers to be focusing on is ‘training, training and more training’.

‘Employers need to invest in IT systems, make sure that when their employees are using them it’s not on their own personal devices, and that access to unauthorised means of communication is restricted,’ she says. Further, employees need to be sensible and realise that there are particular kinds of communication that you need to keep records of, continues Flannery. ‘Off-channel communication platforms haven’t caught up with business, but that’s because they were never designed for business, they were meant for leisure. I don’t think they’ll ever be banned but their use will be much more heavily regulated by businesses in terms of what you can use those alternative channels for,’ she says.

Ultimately, ‘whatever digital utopia we’re moving towards I don’t think it will remove the need for businesses to keep records’, says Flannery. Adding to this, she finds it hard to see how WhatsApp can reform itself so there’s a business version that keeps files and verifies users. Further, identity fraud is a particularly important issue in this context and because the channels being used are so virtual there’s a much bigger risk of it occurring. ‘That’s not really appreciated by the people using those channels’, says Flannery. ‘Any of those types of communication channels that can find a way to provide that sort of service would probably have a very lucrative business going forward. Record keeping and verification of who you’re dealing with are the key issues.’