The UK Prudential Regulation Authority has censured a bank for wide-ranging and significant regulatory failings between December 2016 and May 2020, spanning breaches relating to large exposure limits, capital reporting, governance and risk controls and PRA Own Initiative Requirements (OIREQs) and, for the first time, failure to capture and retain WhatsApp messages. The seriousness of the breaches justified a fine of £8,515,000; however, since the bank is in wind-down, the PRA imposed a public censure instead, as a warning shot to the industry more broadly.
The PRA enforcement action is a clear warning shot to all firms that they need to have comprehensive record keeping in place to capture all electronic communications and enable their retrieval with full context. It is entirely likely that the $2bn+ in fines imposed in the U.S. for failing to capture unmonitored communication channels are the tip of the regulatory iceberg, with regulators around the world increasingly focused on firms’ approach to robust data capture, surveillance and retrieval.
Among the other concerns, the PRA made a robust point that the bank had failed to put in place effective document retention and recordkeeping policies or procedures for its business that took into account technological advances such as those relating to instant messaging platforms (e.g. WhatsApp).
Record keeping failures
The PRA found that the bank lacked formal document retention and record keeping policies or procedures for its business. In particular, the firm’s designated client files did not contain all the conditions to the availability of the facilities it entered into or all relevant email correspondence.
Whilst the bank kept minutes of its board and committee meeting discussions, there was no formal record keeping policy or procedure in place to manage the use of WhatsApp messages in respect of the firm’s actual or potential transactions, its business and strategy, or to retain those messages. The WhatsApp exchanges were deemed important by the regulator as they contained information about the firm’s actual or proposed transactions and business affairs that was not always available to, or shared with, the board and firm’s relevant transaction committees.
In addition to not having any policies and procedures regarding the retention of such business-related messages on mobile devices (whether firm issued or personally owned), the firm also did not have any policies and procedures regarding its ability to retrieve on a timely basis business-related messages held on such users’ devices.
As a result, the board and the firm’s risk function were hindered in their ability to exercise effective scrutiny and oversight of the bank’s business proposals and transactions, as key details were in a number of cases only communicated between individual board members or senior executives outside of scheduled meetings and formal email correspondence, and what email correspondence there was could not be relied upon as being on the designated client files.
In addition, the bank was deemed to have failed to keep sufficient records to enable the PRA both to supervise the firm effectively and to carry out its investigation into the firm.
How Theta Lake can help
Theta Lake’s multi-award-winning product suite provides patented compliance and security for modern communications, utilizing over 100 frictionless partner integrations that include RingCentral, Webex by Cisco, Microsoft Teams, Slack, Zoom, Movius and more.
- Theta Lake captures and compliantly archives communications including videos, voice, chat, screen share and file transfer from mobile messaging platforms to SMS and WhatsApp to enable compliance with relevant record keeping and other requirements. It also acts as an archive connector, enabling existing archives and data storage to be utilized without disruption.
- AI-enabled automated detection of potential or actual misconduct requiring reporting to the risk committee or regulator. Identified risks are surfaced in an AI-assisted review workflow providing an efficient and effective review process for compliance teams. Theta Lake has more than 85 risk detections which are pre-trained and ready for customer use with customers able to provide feedback and training on the classifiers.
- The ability to ensure that all aspects of messaging can be preserved, and a full audit trail provided to supervisors, regulators or prosecutors. For example, chat messages can be viewed in their native format over the entire history of the conversation with full context retained together with in-meeting communications and images, GIFs, emojis or reactions that change meaning and context.
- Theta Lake’s compliance suite is SOC 2 Type II audited and maps its controls to ISO 27001, so confidential, privileged or sensitive data can be automatically redacted to meet data privacy and other legal obligations.
Theta Lake’s regulatory and data science teams are happy to discuss any of the issues in greater detail. You can find further regulatory perspectives from Theta Lake here or you can join a weekly 30-minute demo webinar here.