Texts and the City: UK punishes trader WhatsApp breaches 

UK energy regulator Ofgem has fined Morgan Stanley £5.41m after traders were found to be using unrecorded WhatsApp channels to discuss energy market business between January 2018 and March 2020. These communications were made by wholesale energy traders, on privately-owned phones via WhatsApp, which discussed energy market transactions. 

In a significant development, the UK has once again demonstrated its commitment to addressing the use of unapproved communication platforms.  

No firm is safe from the wrath of issuing bodies, as evidenced by the recent £5.41 million fine against Morgan Stanley for discussing business matters on WhatsApp, violating its own policies against using WhatsApp for trading and risking market integrity. Surprisingly, this penalty was levied by the energy regulator, Ofgem.  

First joining the US in the war against illicit communication methods back in April 2023, the UK Prudential Regulation Authority (PRA) censured Wyelands Bank for breaching large exposure limits and failings in its governance.  

For the first time in PRA history, it served a final notice to Wyelands Bank for insufficient policies for monitoring the use of messaging platforms (WhatsApp, Signal, Telegram) and personal devices in August 2023.  

Across the pond, US regulators are adopting a “zero-tolerance” approach to record-keeping, off-channel communications, and data processing non-compliance. All Wall Street and foreign banks operating in US financial markets must comply with laws that protect investors and promote market integrity. 

In August 2023, the Commodity Futures Trading Commission (CFTC) and SEC jointly initiated civil actions against high-profile banks. These charges were against firms for using illicit communication methods, and non-compliance that extended even to senior management, resulting in total fines of nearly $550 million. 

Christy Goldsmith Romero, CFTC Commissioner, marks the enforcement actions against Wells Fargo, BNP Paribas, Societe Generale and Bank of Montreal as “another victory in holding banks accountable for their pervasive use of unauthorized communication methods.” 

The CFTC has defined these breaches as a “red flag about bank culture”. Further to the violation of federal laws, the firms’ widespread use of unapproved communication methods breached their own internal policies and procedures. 

“The Commission’s message could not be more clear—recordkeeping and supervision requirements are fundamental, and registrants that fail to comply with these core regulatory obligations do so at their own peril,” Director of Enforcement, CFTC, Ian McGinley. 

Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, added that if firms embrace the playbook of self-reporting, cooperation and remediation, then there will be a better outcome than waiting for regulatory intervention.  

‘Zero-tolerance’ to non-compliance 

As the first-ever fine issued in the UK for breaching legal requirements to record and retain electronic communication in relation to trading wholesale energy products, Ofgem’s Regulatory Director of Enforcement and Emerging Issues, Cathryn Scott, believes the fine “sends a strong message to market participants that they must comply with all REMIT rules or face enforcement action.” 

Ofgem’s fine against Morgan Stanley is for not recording or retaining electronic communications between January 2018 and March 2020.  

On 8 August, the SEC charged 10 firms for “longstanding failures by the firms and their employees to maintain and preserve electronic communications,” including messaging on their personal devices, including iMessage, WhatsApp, and Signal. The firms have agreed to pay combined penalties of $289 million and will work to improve their compliance policies to address the breaches.  

To date, the SEC has brought 30 enforcement actions and over $1.5 billion in fines, emphasizing the message that “compliance with the books and records requirements of the federal securities laws is essential to investor protection and well-functioning markets.” And non-compliance will not be tolerated.  

On the same date, the CFTC conducted a sweep of examinations against firms suspected of using internal and external unapproved communication methods. In some cases, there were missing communications records which instigated the regulators to dig deeper and discover that thousands of employees had violated laws. 

Deterring bad actors  

On top of the eye-watering fines, the CFTC has mandated all firms to admit wrongdoing to the public. CFTC Commissioner Romero believes that holding companies accountable for their actions, will prevent future misconduct and promote fairness of markets.  

“Deterrence can be achieved from a defendant having to admit wrongdoing, combined with a penalty,” said Romero.  

As part of the retribution, banks will need to resolve their internal policies, ensuring that they are robust enough to prevent, detect and correct unauthorized illegal communications.   

The CFTC alongside the SEC “will not tolerate efforts that evade our regulatory oversight – oversight that these entities signed up for when they registered with the Commission.” This includes foreign banks operating in US markets.  

Sanjay Wadhwa, Deputy Director of Enforcement at the SEC, adds, “We know that other SEC-regulated entities have committed similar violations, and so our work to enforce industry-wide compliance continues.” 

The events of 8 August have proved that the SEC and CFTC will be flushing out bad actors to protect the integrity of markets and ensure businesses are held accountable for their wrongdoing.  

Top-down culture is crucial for success 

Most of the penalties against firms involved widespread non-compliance from senior management, demonstrating the need for top-down integrated compliance. The CFTC’s investigation uncovered a culture “of evasion” and “keeping regulators in the dark”. The instances of non-compliance reveal that real change is needed within senior management teams, whether that be through training or ensuring the right individuals are at the C-suite level.  

Tone at the top significantly shapes a bank’s culture and as the CFTC has highlighted, this tone must change to not only avoid fines but to achieve transparency, accountability, and fairness in markets. To achieve this, the tone at the C-suite level needs to change for compliance over evasion.  

“Wall Street institutions do not get to keep regulators in the dark while enjoying all of the benefits of being a regulated entity in US financial markets. Those choosing to participate in US financial markets are on notice – The era of evasive communications practices is over. The CFTC will hold you accountable,” said Romero.  

CUBE comment 

The compliance landscape is intensifying, and the regulatory response is far more than a slap on the wrist. The recent enforcement actions by the CFTC and SEC serve as a reminder that issuing bodies are committed to flushing out bad actors and firms will be held responsible for their wrongdoings.  

Compliance with federal securities laws in relation to record-keeping and off-channel communications should no longer be an afterthought. The repercussions of non-compliance are clear: the CFTC and SEC will respond with enforcement actions.  

To ensure your firm complies with every recordkeeping and off-channel communication law, leverage CUBE’s automated regulatory intelligence (ARI). CUBE’s regulatory change management software can alert your firm with relevant regulations, any changes to these laws and what you need to act on – without lifting a finger.  

With CUBE’s help, reduce the risk of crippling enforcement fines and reputational damage. Instead, ensure complete compliance and investor confidence.  

To ensure your firm complies with off-channel and recordkeeping regulations, speak to CUBE.