CHECK YOUR MESSAGES - How should firms protect themselves from employee use of personal devices and ephemeral messaging platforms at work?
The ubiquity of instant messaging platforms means it is very easy for employees to default to use at work. This causes problems for firms as these messages are not automatically captured as part of firms’ record keeping obligations. Regulators worldwide are objecting to the use of instant messaging platforms and so firms should be careful to ensure that employees are aware of which messaging systems they can – and which they cannot – use to communicate.
The Regulatory Approach
The Senior Managers Arrangements, Systems and Controls (SYSC) rules contained in the FCA handbook include a number of recording obligations. For example, SYSC 10A.1.6 requires a firm to take all reasonable steps to record telephone conversations and keep a copy of electronic communications that relate to activities in certain financial instruments referred to in SYSC 10A.1.4R and that are made with, sent from, or received on, equipment provided by the firm that the employee/contractor has agreed to. SYSC 10A.1.7 further requires a firm to take all reasonable steps to prevent an employee or contractor from making, sending, or receiving relevant telephone conversations and electronic communications on privately-owned equipment which the firm is unable to record or copy.
In January 2021, the FCA published supervisory guidance for firms by setting out its expectations surrounding the use of personal devices and more specifically, the use of instant messaging applications. In doing so, the FCA reminded firms of the importance of creating and implementing robust policies to demonstrate compliance with the recording and auditable requirements set out in SYSC 10A. The FCA also highlighted the important role that Senior manager’s play in “establishing and embedding the right culture and governance” in firms.
This approach was reiterated in the FCA’s expectations published on 14 February 2022, in which the FCA confirmed that firms ought to have procedures in place to meet their specific regulatory requirements. It went on to emphasise that any form of remote to hybrid working “should not risk or compromise the firm’s ability to follow all rules, regulatory standards and obligations.” Finally, in October 2022, the FCA was reported to be discussing the use of instant messaging applications within firms.
How can firms protect themselves?
Firms must make it clear to employees which communications platforms they can use. This should be clearly stated in policies, communicated when employees join, and reiterated via training and internal reminders. In this, as in all things, firms should leave employees in no doubt about their expectations and the potential consequences of non-compliance, including possible disciplinary action.
However, the reality is that employees are now accustomed to being able to communicate quickly and easily. Firms should therefore provide employees with easy to use instant messaging platforms. Where a firm chooses to adopt a so-called user-unfriendly messaging platform, this may entice employees to resort to what they know and understand. We recommend firms engage with their staff to find a technological solution that works for all parties and mitigates the temptation for employees to use what they perceive as the easier alternative.
Instant messaging is now part and parcel of all our lives. Firms must not be blind to this and should work to ensure that employees know which apps they can and cannot use. However, firms must also adapt and we recommend considering whether there are platforms that offer ease of use and ensure firms are complying with their record keeping obligations.