Work and personal communications: blurring the lines in the modern workplace – part two

Compounding this difficulty, employees often blur the lines, using personal devices and servers for business-related communications, and work devices and servers for personal communications. This generates an increasingly prevalent problem for compliance departments and legal teams dealing with evidence and disclosure in a regulatory context.

In this series, we discussed in part one the challenges this raises for commercial litigants. In this part two we consider the particular issues and practicalities faced by regulated entities.

The need to monitor

Regulators around the world have imposed duties on employers to monitor employees’ workplace communications. Recently they have gone further and been willing to impose significant financial penalties for failures to comply with these monitoring obligations. Beyond the regulated sector, even unregulated entities have anti-bribery and corruption obligations which require them to monitor employee communications.

Regulators around the world have imposed duties on employers to monitor employees’ workplace communications. Recently they have gone further and been willing to impose significant financial penalties for failures to comply with these monitoring obligations. Beyond the regulated sector, even unregulated entities have anti-bribery and corruption obligations which require them to monitor employee communications.

In late-2022, the US Securities & Exchange Commission (SEC) announced charges against multiple Wall Street firms for persistent failures to maintain and preserve their electronic communications, as required by US federal law. The financial firms in question agreed to pay combined penalties of almost $2B USD. Amongst those firms was Morgan Stanley, which punished culpable employees by imposing financial penalties upon them, ranging from several thousand dollars to over $1M USD per individual, according to their seniority and level of misconduct.

In the UK, the Financial Conduct Authority (FCA) requires firms subject to Chapter 10A of its Senior Management Arrangements, Systems and Controls Sourcebook to take all reasonable steps to record telephone conversations and keep copies of electronic communications from work devices for a minimum of five years. Firms must also take all reasonable steps to prevent employees having telephone conversations and sending electronic communications on private devices from which the firm cannot take recordings or copies.

In the UK in late-2022, the brokerage firm Sigma was fined by the FCA over £500,000 and two of its directors were prohibited following multiple market abuse reporting failures. Amongst the regulatory failures, the FCA also found that Sigma provided no staff training on the use of personal devices for work purposes and that traders on its CFD desk used encrypted messaging services on their personal devices to deal with clients without the firm’s knowledge or approval.

Whilst the FCA did not make a formal finding on Sigma’s lack of personal device and encrypted messaging policies, the regulator has been warning firms about the risks associated with employees’ use of unmonitored and/or encrypted communications applications for years. In January 2021, when it published Issue 66 of its Market Watch newsletter, the FCA stressed the issue further in the context of the Covid-19 lockdown. The pandemic saw a global move towards remote working, which meant monitoring and record-keeping obligations became even more difficult for firms to comply with. As work and home life became increasingly blurred, so did the use of devices and messaging services for personal and business-related communications.

The FCA highlighted in its Market Watch the “significant compliance risks” in this area for banks and other financial institutions, and further warned of the risks of misconduct from remote working and use of unmonitored communications. This is a real challenge for firms. They are subject to the regulatory requirement that all work-related communications be recordable and auditable, yet the use of personal devices is widespread, largely uncontrollable and the volume of communications is vast. One proposed "solution", which acknowledges the use of personal devices cannot be prohibited entirely, is the use of software installed on personal devices to monitor work-related communications. Understandably, employees are often unwilling to allow their personal device to be monitored in the same way as their official work devices. This also brings with it a host of data protection and GDPR concerns.

In a related statement in December 2021, Gary Gensler, Chair of the SEC said:

“As technology changes, it's even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications."

Risks on the horizon

The FCA has specifically singled out WhatsApp as a particular concern and states that it has acted against firms and individuals for arranging deals and providing investment advice using the platform. This is expected to remain an area of focus for the FCA.

To avoid regulatory action being taken against them, the FCA suggests firms ensure their recording policies, procedures and management oversight are effective and up-to-date, and that this can be demonstrated to the regulator. Any necessary further measures should be adopted before a firm allows the use of a new medium of communication. If private devices are used, there should be “sufficient scope for effective recording” and the FCA also suggests that clear policies are implemented which ban the use of private devices for in-scope activities where the firm cannot record the communications.

Simply prohibiting staff from using applications like WhatsApp will not work, and has been unsuccessful so far, leading to calls for an alternative messaging system to be rolled out, including from former FCA officials. However, these solutions already exist. Applications like Slack and Microsoft Teams are widely used for internal communications because they provide a user-friendly instant messaging service and can be easily monitored by employers.

Indeed, one of the reasons that WhatsApp is so widely used is because it provides greater privacy than alternative messaging systems. This is often attractive to clients and so they may prefer to use it; firms subject to these preferences will be reluctant to refuse or impose stringent conditions on the use of these platforms as they fear losing the client’s business. Additionally, it is almost inevitable that close working relationships will lead to employees having both personal and work-related conversations with clients, colleagues and contacts, some of which employees would likely rather keep private even if they have not committed any wrongdoing.

However, these privacy concerns must be balanced against firms’ monitoring and reporting obligations, which must be strictly adhered to. If a business is to avoid falling foul of FCA rules, it will need strict policies and training to limit, or more likely prohibit, the use of personal devices for work-related communications. The firms must be seen to be doing all they can. Issuing employees with a phone for work-related communications is standard and inevitably helps employees (in theory) to better separate their personal and professional lives. Employers should continue to make it clear to their employees that the contents of that work device will be subject to monitoring and recording regulations, and employers should be alert to any indication that conversations may have been conducted on personal devices. Firms need to demand strict standards and enforce this through policies, training and monitoring in line with their data protection obligations.

This article was co-authored by trainee Matthew Pimley.