A new survey of compliance officers finds that most of them have grave doubts about their company’s ability to police employees’ improper use of messaging apps, and that they are enacting bans mostly as gestures to demonstrate effort at meeting compliance obligations — but few believe such bans actually work.
So says a report from Global Relay, a software vendor that sells archiving solutions to help companies with their recordkeeping compliance obligations. The company released the report last week based on a survey of several dozen compliance officers working in the financial services sector. Even with the admittedly small sample size (39 people), the report’s findings feel right. They also make for glum reading.
Among the findings:
- 59 percent of respondents have banned employees’ use of WhatsApp, WeChat, and similar messaging apps for business communications;
- 56 percent don’t believe such bans will work very well, and only 2.6 percent say bans are effective;
- 54 percent worry that they can’t monitor all communication channels employees might use; and
- 52 percent opt for Bring Your Own Device policies rather than giving employees corporate devices, mostly because giving everyone corporate-issued phones and tablets is too expensive.
So overall, we have lots of companies trying to do something about messaging apps, but not addressing the problem very well, simply because this is a really hard problem to solve. It’s window dressing to convince the Justice Department and other regulators that, hey, at least you tried, even if your efforts didn’t prevent compliance violations.
This is on my mind because as recently as the other week, we saw the Securities and Exchange Commission sanction two more financial firms for their poor management of employees’ “off-channel communications.” That comes on top of a much larger crackdown against more than a dozen firms last year, which came on top of an enforcement action against JPMorgan Chase in 2021.
The risks are even higher for broker-dealers and other financial firms regulated by FINRA, which doesn’t like messaging apps any more than the SEC or the Justice Department. Earlier this year, for example, FINRA fined one financial firm $200,000 for bungling an effort to block iMessages on firm-owned iPhones. FINRA fined another firm $1.5 million in 2022 for letting its employees conduct business via unapproved text messages in violation of company policy.
OK, there’s the regulatory pressure for strong compliance. But what actually works?
Compliance officers who participated in Global Relay’s survey said their biggest frustrations were getting employees to obey policy (cited by 61 percent of respondents), followed by monitoring all communication channels (cited by 54 percent). Difficulty capturing and storing communications was a distant third, cited by 23 percent.
Employees being reluctant to embrace a new company policy — especially one as intrusive as communication monitoring — is nothing new. The challenge here is about changing group behavior more than anything else, and executive teams need to pull multiple levers to achieve such change. For example, you’d need:
- Clear, frequent messages (no pun intended) from senior management about why the new policy is necessary, and for the good of the enterprise;
- Clear written policies explaining exactly what employees must do;
- Easy internal reporting channels to ask for help, especially for something as technology-driven as messaging apps;
- Disciplinary action, applied consistently, to all groups, over a long period of time.
To my thinking, the most important detail to get right is a blend of the first and last bullet points above. It’s about enforcing discipline especially against managers and executives who violate your messaging policy. That’s why we’ve seen regulators crack down especially hard on firms where supervisory employees also participated in unauthorized messaging groups; and it’s why banks like Morgan Stanley have implemented disciplinary programs for messaging where the more senior the offender is, the worse the financial penalty he or she is likely to face.
Still, as much as we all like to talk about organizational behavior, the bigger compliance challenge here might be on the technical front. Messaging technology is zooming ahead so fast that the tools to monitor employee messaging, and then to capture and store those messages, are woefully behind. One anonymous compliance officer in the Global Relay report even dared speak the awkward truth:
I do think there is a limit on the return on investment for compliance and surveillance controls. When you factor in how easy it is to bypass certain controls (hello burner phone), it does make you reconsider the cost of automating, the complexities of natural language processing, including foreign languages, industry slang and cultures.
We all hate to say it, but this person is right. Sometimes the technology controls to meet our compliance obligations simply are too expensive to be worth the bother. In that case, compliance officers need to double down on building a highly ethical culture.
BYOD Policies — by Default?
Survey respondents also reported a range of approaches to BYOD policies, with the most popular being to allow employees to use their own devices while the company monitors business-related communications. See Figure 1, below.
Again, none of this is surprising. The plain truth is that issuing company-owned devices costs a lot of money, employees don’t like carrying multiple devices on their person, and in the end you can’t be sure employees won’t just use unauthorized apps on their own devices anyway. So why bother with the expense and administrative stress of giving everyone a company phone?
Financially sensible, but it drives up the importance of your technical prowess to monitor communications and of your ethical culture. I wonder how many firms are up to that challenge.