Of Course Bank Execs Communicated Via Encrypted Messaging, But That’s Not The Fault Of Encryption

from the this-is-always-going-to-happen dept

I don’t think this is a surprise to anyone, but the SEC and the CFTC combined to issue fines on a bunch of Wall Street firms for execs communicating across encrypted messaging in a manner that wasn’t recorded and preserved as required. Being in a regulated industry means having to deal with all sorts of compliance requirements, and that includes preservation of communications. But, of course, that freaks people out, so… they do what everyone does, and figure out ways to communicate outside of “official” channels such that it’s not recorded.

This could come in the form of… talking in person. Or over the phone. Or… by using third party messaging services that are widely available. And, if you’re going to do that, it’s no surprise that you’d use end-to-end encrypted services like Signal or WhatsApp.

The Securities and Exchange Commission today announced charges against 10 firms in their capacity as broker-dealers and one dually registered broker-dealer and investment adviser for widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications. The firms admitted the facts set forth in their respective SEC orders. They acknowledged that their conduct violated recordkeeping provisions of the federal securities laws, agreed to pay combined penalties of $289 million as outlined below, and have begun implementing improvements to their compliance policies and procedures to address these violations.

That’s from the SEC side. From the CFTC we get:

The Commodity Futures Trading Commission today issued orders simultaneously filing and settling charges against swap dealer and futures commission merchant (FCM) affiliates of four financial institutions for failing to maintain, preserve, or produce records that were required to be kept under CFTC recordkeeping requirements, and failing to diligently supervise matters related to their businesses as CFTC registrants.

The settling registrants admit the facts detailed in the orders, are ordered to cease and desist from further violations of recordkeeping and supervision requirements, and are ordered to engage in specified remedial undertakings.

There’s some overlap. Wells Fargo, BNP Paribas, and SG Americas/Société Générale get hit by both agencies.

The details are pretty much exactly what you’d expect:

The SEC’s investigation uncovered pervasive and longstanding “off-channel” communications at all 11 firms. As described in the SEC’s orders, the firms admitted that from at least 2019, their employees often communicated through various messaging platforms on their personal devices, including iMessage, WhatsApp, and Signal, about the business of their employers. The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws. By failing to maintain and preserve required records, certain of the firms likely deprived the Commission of these off-channel communications in various SEC investigations. The failures involved employees at multiple levels of authority, including supervisors and senior executives.

I’ve seen some people using this as yet another opening to bash encryption, but encryption is not the problem here at all. First of all, encryption did not stop these banks from getting caught and fined. Second, as noted up top, people are always going to try to figure out ways to communicate that aren’t recorded. These messaging apps were convenient.

Indeed, if anything, these fines should (hopefully?) serve to get employees at these banks to be much more careful about how they communicate to avoid future fines. I still expect there to be plenty of attempts to get around the regulatory requirements to preserve communications, and it seems likely that bankers are going to get used to making phone calls or talking in person since that can’t be preserved in the same manner.

But, really, any time you have regulations requiring such archiving of so many communications, you just know that this kind of thing is likely to happen. There’s a reason why these industries are so heavily regulated… but there’s also a reason why the people in those industries really don’t want their communications preserved for future legal enquiries. There’s no perfect answer here, but these kinds of fines (which, in total, added up to over half a billion dollars) at least suggest that there are financial penalties available for the banks that basically go “off-channel” as a standard way of communicating.

Filed Under: banks, cftc, communications, encryption, preservation, sec
Companies: bnp paribas, sg americas, wells fargo