The UK Office of Gas and Electricity Markets (Ofgem) has, for the first time, used its powers to fine a firm over £5.4m for failure to record and retain electronic trading communications. Between January 2018 and March 2020 the firm did not record or retain the communications made by wholesale energy traders, on privately-owned phones via WhatsApp, which discussed energy market transactions. The initial fine was £7,730,213 but as the firm admitted the breach and agreed to settle the matter, the fine was discounted by 30% and, accordingly, the penalty was reduced to £5,411,149.
Ofgem’s powers come from the Enforcement Regulations which provide the regulator with the powers to monitor, investigate, enforce, and sanction. Regulation 8 of the Enforcement Regulations sets out the legal requirement on market participants to record and retain records and specifically requires wholesale energy market participants to take reasonable steps to ensure that any electronic communications about trading wholesale energy products are recorded and retained, and to take reasonable steps to prevent electronic communications taking place which cannot be recorded.
The breach came to light when the regulator made information requests to which the firm was unable to respond. The subsequent investigation found that the firm had policies in place which prohibited the use of non-approved messaging systems for firm business, and that the firm ‘took some steps to try and ensure the policy was conveyed to employees.’ The measures included:
- email reminders of the policy
- the requirement for employees to sign an undertaking not to use unofficial means to carry out relevant (i.e. trading) communications, and
- from 2019, training for the trading desk specifically focussed on the misuse of WhatsApp and similar messaging systems.
However, the firm did not take sufficient reasonable steps to ensure compliance with its own policies and the requirements of the regulations. In particular, the firm was found to have failed to take reasonable steps to monitor compliance with its policy on the use of non-approved messaging systems, and it did not assess the risks of non-compliance with its policies.
Nor did the firm find the breach itself: only after the regulator had identified that wholesale energy product traders had used WhatsApp to make relevant communications did the firm take steps to address it. The regulator acknowledges that, after this happened, the firm ‘did take the discovery of the issue seriously and took action in response’.
The steps the firm took to remedy its non-compliance included:
- providing training to employees which reinforced the prohibition on the use of WhatsApp;
- taking internal action over the use of WhatsApp by employees; and,
- launching an internal investigation into the use of WhatsApp and other non-approved messaging systems.
“This fine sends a strong message to market participants that they must comply with all REMIT rules or face enforcement action. It is unacceptable that [ the firm ] failed to prevent electronic communications which could not be recorded or retained. It risks a significant compromise of the integrity and transparency of wholesale energy markets. We welcome the steps [ the firm ] has taken to
Lessons to be learned
As with all enforcement actions there are lessons to be learned and, in this instance, a deliberately strong message to other energy market participants. There are two key aspects to the lessons to be learned.
First, it is simply not enough to have policies in place, even if employees have signed or certified that they will comply. Firms must also have systems and controls that monitor not only whether policies and procedures are operating as intended but also whether they are effective.
The other element is root cause analysis, or reviewing whether a similar breach could be happening elsewhere. The enforcement notice states that the firm launched ‘an internal investigation into the use of WhatsApp and other non-approved messaging systems.’ The extent of that review is not known, but two or so years after the resolution of the breaches on the UK energy trading desk, a firm in the same group was one of many fined by U.S. regulators for, again, unmonitored communications between at least January 2018 and September 2021.
Firms would be well advised, when a breach or failure has occurred, to undertake the widest possible review to see whether the issue has arisen, or could arise, elsewhere. Any root cause analysis should, ideally, not be limited by geography or legal entity but rather step back and look at where else in the firm or group similar misconduct could arise.
Firms are much better off finding regulatory breaches for themselves, self-reporting and remediating as quickly as possible. Whilst a firm may well still be fined, the penalties imposed are likely to be substantially smaller and there is far less likelihood of individual liability.
How Theta Lake can help
Theta Lake’s multi-award-winning product suite provides patented compliance and security for modern communications, utilizing over 100 frictionless partner integrations that include RingCentral, Webex by Cisco, Microsoft Teams, Slack, Zoom, Movius and more. In addition:
- Theta Lake captures and compliantly archives communications, including video, voice, chat, screen share and file transfer, from mobile messaging platforms to SMS and WhatsApp, to enable compliance with relevant record-keeping and other requirements. It also acts as an archive connector, enabling existing archives and data storage to be utilized without disruption.
- AI-enabled automated detection of potential or actual misconduct requiring reporting to the risk committee or regulator. Identified risks are surfaced in an AI-assisted review workflow, providing an efficient and effective review process for compliance teams. Theta Lake has more than 85 risk detections that are pre-trained and ready for customer use, with customers able to provide feedback and training on the classifiers.
- The ability to ensure that all aspects of messaging can be preserved, and a full audit trail provided to supervisors, regulators or prosecutors. For example, chat messages can be viewed in their native format over the entire history of the conversation with full context retained together with in-meeting communications and images, GIFs, emojis or reactions that change meaning and context.
- Theta Lake’s compliance suite is SOC 2 Type II audited and maps controls to ISO 27001, so confidential, privileged or sensitive data can be automatically redacted to meet data privacy and other legal obligations.
Ways to learn more
- You can find further regulatory perspectives from Theta Lake here.
- Get our guide: “Smart Compliance Capture Considerations for Unified Communications” which outlines a buyer's checklist to use when evaluating recordkeeping and capture solutions.
- Join a weekly 30-minute demo webinar showing Theta Lake’s Smart Capture solution by registering here.