Staff had already been instructed to “stick to approved channels” for conversations about business matters. Now the messaging platforms have been rendered inaccessible on work phones and computers. The bank is estimated to have 60,000 staff and 19 million customers.
“Like many organisations, we only permit the use of approved channels for communicating about business matters, whether internally or externally,” NatWest said in a statement.
Off-channel comms
The move comes as UK regulator the FCA is reported to be considering action on off-channel comms. In the US, fines totalling over $2.8 billion have been handed out by financial regulators to banks found to be in breach of comms recordkeeping rules (you can find a comprehensive list on GRIP).
But so far in the UK the only such fine issued has come from energy regulator Ofgem – which fined Morgan Stanley £5.4m ($6.89m) over calls made on private phones using WhatsApp. In the wake of that fine, the FCA sent a letter to investment banks and sell-side firms highlighting to importance of conduct and culture. And Sarah Pritchard, the regulator’s executive director for markets and international, appeared to signal a harder line on monitoring messaging.
Asked if the FCA was intending to co-ordinate work on the issue with US authorities she said: “Where we know that action is taken by other regulatory authorities overseas we remain in contact with them because it’s important that where our firms operate cross-border we have those good supervisory relationships with our fellow international regulators.”
“It is clearly an area of FCA focus and we can predict future enforcement action with a high degree of certainty.”
Laura Bridgewater, litigation partner at Macfarlanes
That message is certainly being heard. Laura Bridgewater, litigation partner at Macfarlanes, said: “FCA enforcement action in respect of monitoring of ‘off-channel’ communications and record keeping is very likely in the short to medium term.
“Reports indicate that the FCA is currently conducting a survey of bank data relating to breaches of policies relating to unmonitored and / or encrypted communications channels as part of an intelligence gathering exercise. It is clearly an area of FCA focus and we can predict future enforcement action with a high degree of certainty.
“The PRA has already taken enforcement action in relation to inadequate record keeping of WhatsApp messages. In April 2023 the PRA censured Wyelands Bank Plc for ‘poor retention of WhatsApp messages,’ among other failings.
“Many institutions have banned the use of WhatsApp and other off channel messaging services for several years. No doubt other institutions will follow NatWest in blocking the apps altogether.”
Public sector
In the UK, there have been issues too in the public sector, with questions arising during the inquiry into the handling of the COVID-19 crisis about the use of messaging apps by civil servants and politicians.
And in the US, the Consumer Financial Protection Bureau has just banned staff and contractors from using mobile phones for work-related calls after hackers linked to China breached the US telecoms infrastructure. The CFPB stressed this was a proactive measure, and that there is no evidence the CFPB was directly targeted.
While no one can claim not to be aware of the issues around having a compliant and robust comms policy, the challenge is how to stop people using tools that they have closely integrated into their everyday routines. Jamie Bell, the FCA’s head of secondary market oversight, was in uncompromising mood when this subject came up at an industry event organized by compliant comms company Global Relay earlier this year.
“I’m not very sympathetic to the idea that we have to pander to the way people want to work,” he said. “Some things are required, and if social media poses an unacceptable risk, don’t use it. We all make compromises to earn money.”
But Rupert Evill, founder of compliance consultants Ethics Insight, doubts how effective such a blunt approach will be. “If you expect people to be always “online” and available, they will understandably favour tech they use outside work,” he says.
He thinks companies need to consider whether the approved tools or technology offer comparable functionality and ease of use, because “you’ll need a very compelling reason to make everyone use tech they don’t like using. That requires being open about the nature and extent of the threats/problems the prohibited tech poses.
“I’ve yet to meet an employee who responds well to the ‘trust us because we don’t trust you’ school of communication.”