Morgan Stanley’s  £5.41m ($6.89m) fine for failing to monitor communications is another warning that policies and training don’t always equate to “reasonable steps” in ensuring compliance. Different regulators have different requirements when it comes to recording and monitoring communications, so it’s worth revisiting all your processes to make sure they match up to the relevant rules and your firm’s specific risks. 

Ofgem, the UK energy regulator, fined Morgan Stanley for failing to keep records of communications among its energy market traders after several London-based staff members discussed wholesale energy transactions on WhatsApp. The Ofgem findings are a useful guide to what is required for the recording and monitoring of communications in a world of messaging apps which blur the personal and professional.

Ofgem found that between 2018 and 2020, Morgan Stanley had not complied with Regulation 8 under REMIT, which requires wholesale energy market participants to take reasonable steps to ensure that any electronic communications about trading wholesale energy products are recorded and retained, and to take reasonable steps to prevent the use of electronic communications which cannot be recorded. Ofgem pointed out in the Final Notice the importance of adequate records for the authority to be able to fully investigate and enforce breaches of REMIT.

FCA on recording

The UK energy regulator is not the only one reminding market participants of the importance of adequate audit trail for investigations. The UK’s FCA has reiterated recording obligations under SYSC rules (10A), which require a particular focus in a hybrid working environment. In Market Watch 66, the FCA stressed that firms are expected to take all reasonable steps to ensure that all in-scope activities are carried out via recorded auditable means and to prevent both employees and contractors from using privately-owned equipment where a firm is unable to retain the relevant records.

Equally, firms should be able to demonstrate upon request from the regulator that they have effective and up-to-date recording policies and procedures to meet these recording obligations, and that their approach is subject to management oversight.

Firms arranging and executing transactions are also expected to carry out on-going communication surveillance to detect market abuse. Ensuring all relevant communications are recorded is key in fulfilling this obligation and achieving adequate and effective communications monitoring.

US developments

Similarly, US regulations require firms to record communications pertaining to providing investment advice and transactions, as per Rule 204-2 of the Advisers Act and Section 17 of the Exchange Act. More than 20 financial groups have now been fined $2.5bn collectively for their employees’ use of WhatsApp and other encrypted messaging apps to discuss deals with colleagues and clients. High-profile failures have also been noted regarding the storage of electronic communications.

In 2021, Morgan Stanley was fined $200m by the US regulator, as were a number of other banks including Credit Suisse and HSBC. It forfeited (and clawed back) up to $1m per employee, with individual fines factoring number of messages sent, employees’ seniority and previous warnings received.

Most recently, Goldmans Sachs has shown it takes its obligations seriously, announcing that it was firing its transaction banking chief over communications policy breaches. While no details have been provided, under Goldman’s communications policy employees are required to communicate about firm-related business on channels that have been approved by the bank.

Singapore and Asia

In Singapore, Principle 2.13 of the Trade Surveillance Practice Guide states that brokers should record all communications with people providing instructions on orders and trades for clients’ accounts. It also warns that electronic communication channels, such as messaging platforms, are increasingly common and may require the use of sophisticated monitoring tools; and that the records of such communications, which may provide strong evidence of market misconduct, should be made available to surveillance staff for their review and active monitoring.

Similarly, in Hong Kong, under the Securities and Futures Commission’s (SFC) Keeping of Records Rules, client orders and instructions have to be recorded. A 2018 SFC circular (“Receiving client orders through instant messaging”) addressed the increased use of WhatsApp and similar applications by brokers. It states that IM communications are to be recorded and monitored in line with regulatory requirements to keep proper records of client orders; checks are to be performed on electronic messages to detect irregularities and potential malpractice.

Mitigating risks

If your firm is subject to one or multiple regimes, you should ensure your controls and approach are aligned with the relevant regulators’ expectations. As seen with the Ofgem outcome, each regulator’s approach to what may be ‘reasonable steps’ varies.

The lessons learnt in the Morgan Stanley case are a good starting point for understanding the regulatory expectations in this space. Though specific to REMIT, it demonstrates that a policy and basic training is not enough to prevent and detect breaches around the use of personal devices.

The bank had rules to prohibit the use of WhatsApp for business purposes. It also sent e-mail reminders of the company policy, required employees to sign an undertaking not to use unofficial means to carry out relevant communications and provided training focused on the misuse of WhatsApp and similar messaging systems. Still, Ofgem found that it did not take “sufficient reasonable steps to ensure compliance with its own policies and the requirements of the regulations”.

Further training

Morgan Stanley was only determined to be no longer in breach once it had rolled out further training to employees which reinforced the prohibition on the use of WhatsApp, taken internal action over the use of WhatsApp by employees, and launched an internal investigation into the use of WhatsApp and other non-company-approved messaging systems.

In light of these findings, we are reminded of the importance of carefully drafted internal policies that stand up to scrutiny and provide details on how the firm prevents ongoing unauthorized behaviour, for instance with disciplinary actions. It also highlights that targeted, up-to-date, tailored training is considered an essential part of the toolkit.

It is also crucial that your communication monitoring is commensurate to the size of your business. If a software is used, its key word list should be tailored to your business rather than off-the-shelf. Otherwise, an effective sampling method should be in place, for instance with increased monitoring at sensitive times such as month-end or around announcements.