US Bank Dinged on Messaging Fails
US Bank is the latest financial firm sanctioned for employees’ use of off-channel messaging apps, fined $6 million on Tuesday by the Commodity Futures Trading Commission. At this point these cases are hardly news any more, but the US Bank enforcement does have a few twists that warrant a compliance officer’s attention.
First, as outlined in the CFTC settlement order, US Bank employees apparently have been engaging in off-channel messaging violations from 2019 through to the present day. That’s astonishing because federal regulators have been cracking down on messaging abuses for more than two years, and by now dozens of financial firms have been sanctioned for messaging offenses — some of them facing fines as high as $200 million. This is no longer an exotic new compliance risk catching banks unaware.
Still, according to the CFTC, US Bank’s messaging offenses were “firm-wide and involved employees at all levels of authority” as recently as, like, Tuesday. It demonstrates just how persistent off-channel messaging offenses can be, and just how difficult it can be for compliance officers to change the corporate culture’s view of messaging practices.
Even worse, the off-channel messaging was no secret to bank management. On the contrary, US Bank supervisors who were supposedly in charge of policing against messaging abuses were themselves communicating about bank regulatory matters on unapproved apps on their personal devices.
We don’t know exactly when this happened; perhaps it was in 2019 or thereabouts, before banks fully understood that regulators were now taking off-channel communications seriously. The settlement order doesn’t expressly say whether compliance officers engaged in these messaging abuses, or some other managers who had responsibility for enforcing the rules over their own teams.
Either way, it’s not a good look for a company’s culture of compliance when the very stewards of that culture are engaged in the same misconduct they are telling other folks to avoid. Yuck.
Compliance Goes Beyond a Policy
Let’s also take a look at the specific compliance failures that drew the CFTC’s wrath.
One important point is that throughout the period in question (2019 through Tuesday), US Bank did have policies and procedures that prohibited employees from using off-channel messaging apps. Employees were supposed to use bank-approved apps to talk about business, and when they did, those messages were monitored and archived as required by regulation.
Except, plenty of employees just ignored those policies and used off-channel apps. Those communications, such as on WhatsApp or personal text messages, were generally not monitored and archived, which is a violation of federal securities rules.
The lesson here is that simply having a policy against using the apps isn’t enough. You need to enforce that policy, both through technical measures to prevent off-channel communications and a strong disciplinary culture when employees evade those technical measures and use off-channel apps anyway.
Hence these off-channel messaging enforcement actions always come with a lengthy list of compliance remediation steps the offending firm promises to undertake, and that remediation always falls into several buckets:
- An assessment of the technical solutions and surveillance the firm uses to prevent off-channel messaging;
- A review of the written policies and procedures to confirm whether they are sufficiently clear and comprehensive;
- Enhanced training to help employees understand when and why they must use only bank-approved apps; and
- A review of the disciplinary framework the bank uses to punish employees who violate the messaging policy.
Compliance officers at other companies looking to improve their messaging compliance efforts might think of the above criteria as the four legs of a sturdy stool upon which a messaging compliance program can sit. Technical measures, written policies, training, disciplinary enforcement: you need them all.
US Bank did agree to perform a review that covered all four criteria. The bank did not, however, need to hire a “compliance consultant” to oversee its review, perhaps because the bank voluntarily self-disclosed its violations to the CFTC.
Anyway, I’m sure we’ll have more off-channel messaging enforcement in the future. Whenever such a settlement provides telling advice for the compliance community as a whole, we’ll be there to tell you about it too.