Big banks face $1.8B in fines for employee messaging record-keeping blunder

The news: The Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have levied fines totaling more than $1.8 billion against eight banks and three other financial institutions for failing to retain employee messages, per MarketWatch.

The FIs involved include Barclays, Bank of America, Merrill Lynch, Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs, Morgan Stanley, UBS, Jefferies, Nomura, and Cantor Fitzgerald.

Missing text messages: The banks will pay $125 million each, and the three other FIs will pay between $10 million and $50 million each as part of a settlement with the SEC for text and chat messages sent between January 2018 and September 2021.

  • The messages were sent between employees’ personal devices, and the banks failed to collect these messages from employees for retention purposes. The messages were sent between all job levels at the banks.
  • The banks will also pay more than $700 million combined in fines to the CFTC.

Fundamental miscommunication: Rumors that the fines were coming swirled back in August, and now that the case has been settled, the amounts are official. The fines correspond with the penalty JPMorgan paid last year for similar offenses related to employee messaging record-keeping.

  • JPMorgan employees used non-compliant messaging apps like WhatsApp to conduct business from January 2018 through November 2020.
  • JPMorgan admitted it violated record-keeping law and said the issue was widespread throughout the company.
  • The $125 million fine by the SEC was the largest the regulatory agency had ever imposed for a record-keeping violation.

New ways of working: Communication via non-company-approved devices or platforms is highly risky. If allegations of misconduct arise, a company must be able to produce records for regulatory agencies to investigate. Failing to retain messages could land the company in serious trouble. But the bigger question that FIs must solve is “Why are employees opting to communicate using non-approved methods?”

  • The timeframe of the violations suggests the use of non-company-approved communication methods spiked during the pandemic, when many employees were forced to work from home.
  • At that time, companies scrambled to find ways to maintain collaboration among physically dispersed employees. But despite the widespread availability of collaboration tools, FIs struggled to implement new, easier-to-use tools quickly enough.
  • Employees may have found approved methods of communication cumbersome and inefficient, and instead turned to familiar technologies used in their personal lives to make their work easier.

Banks and FIs face tight regulation around record retention and other security and compliance requirements. Though some tools on the market may be more efficient, IT departments understandably need time to fully vet new tools before scaling them to the broader organization.

The big takeaway: The JPMorgan case led to a wider investigation into other FIs, which in turn led to the discovery of these missing messages. But no allegations of misconduct have been brought against the banks, signaling that no malicious intent has been imputed to employees’ use of personal devices and apps. The case does, however, highlight the need for IT departments within FIs to prioritize providing more efficient communication tools for their employees, and for compliance departments to develop rules and expectations around the use of company-approved solutions. These groups must not be afraid to enforce the rules, even at the executive level.

This article originally appeared in Insider Intelligence’s Banking Innovation Briefing—a daily recap of top stories reshaping the banking industry.