WhatsApp: A Reminder that MiFIDII Compliance is About Content not Channel

Robin Smith

Technical Director International at Actiance

Robin Smith has over twenty years' experience of security and compliance solutions within a wide range of networking and messaging systems.

26.06.2017 12:15 pm

As the FCA publishes its near final rules on MiFID II and fines a former investment banker for sharing confidential information over WhatsApp, now is a good time to look at why firms need to be able to find content and understand the context of a conversation quickly and easily, irrespective of the applications in use.

In the modern world we use different communications tools depending on their suitability to the message, the audience we’re addressing, and which device happens to be at our fingertips at that moment. But we don’t just stick to one tool, even within the same conversation.

We bring others into a Skype for Business call, we banter with colleagues over IM about another conversation we’re having, we answer our phone to field calls from the boss, reply to emails that have been lingering too long in the inbox, mine Twitter for interesting updates, and check out the latest on Instant Bloomberg.

Sometimes it seems like a miracle the work gets done with all these channels of communication prompting us for attention.

Now imagine you’re a reviewer trying to piece together just thirty minutes in a trader’s life. There are five different types of communications tools to review and you need to be able to correlate what the trader said to whom, who else was “listening”, what their next action was, and then decide how to react. Did they really mean to release that information, or did they think they were talking to their boss and it was a genuine mistake? But also, regardless of their intent, is there a transgression that needs to be acted upon?

Take into consideration that even the somewhat more run-of-the-mill communications channels such as persistent group chat tools like Instant Bloomberg are no easier to review in either their native XML export or once converted to email. The search function isn’t really compatible with the content; the rooms often have hundreds of participants who come and go throughout the time span, which creates join/leave events that can hide message content. In some cases it can take up to half an hour just to review a single transcript.

That’s before you’ve even started on the other four communications tools used during that time span, including the phone conversation. Just searching retrospectively requires multiple user interfaces to be learnt, searches to be conducted and result sets to be merged. Consider also the Supervision requirement of MiFID II and the obligation to proactively highlight dubious content across all channels of communication employed by the regulated users.

How long will it take for the reviewer to realise there were four minutes during that time where no communications tool was used? What was he doing then? Had someone stopped by his desk, or is there another channel being used that you don’t know about?

Personal privacy concerns drive security in consumer communications, so there will continue to be business and technical challenges surrounding control and capture as individuals attempt to bring these tools into the enterprise. Blocking everything that isn’t email or corporate Unified Communications isn’t the answer either, as this could alienate the potential customer base, resulting in them using a different supplier, or alternatively drive the communications underground, neither of which is desirable. Most eComms networks, whether consumer or commercial, have some level of service that provides a way for organisations to capture, control and monitor traffic, so there are truly viable alternatives for compliance aside from blocking.

Despite this, embracing newer electronic communications tools can be daunting for IT and compliance departments, but creating multiple archives for each type of communication is not the answer.

Electronic communications are forever evolving, increasing the number of networks, their complexity, and the volume of communications. Regulations such as MiFID II and GDPR are keeping pace, putting the content and context of conversations into the spotlight, irrespective of the network being used. The cost to organisations is potentially huge, both in terms of tying up resources by using reviewers to do tasks that could be automated, and in delays in discovery that increase regulatory risks.

Regulatory Technology (RegTech) aims to reduce the burden on firms maintaining compliance. For example, one particular segment is looking to artificial intelligence for cognitive or behavioural analytics to determine motivation or how a human reviewer would treat the content being analysed. But without a centralised content store of good quality data that provides an open interface for other developers to leverage, deriving value from these next-gen technologies will be expensive and drawn out, as they need to be integrated with all the communications tools ahead of any tuning that can take place.

Until firms centralise their communications archive and deliver it to reviewers in a single screen that contextualises the conversation, reviewing electronic communications will continue to be an onerous task.

As for the investment banker sharing confidential client information over WhatsApp, he might have been trying to impress those he was communicating with, but the Financial Conduct Authority (FCA) took a rather different view of the situation. Fully understanding the context and motivation behind his actions, they said he “failed to act with due skill, care and diligence”, and his bank balance is somewhat lighter as a result.
