What $1B in Fines for WhatsApp Use Tells Us About Usability and Compliance
Banking giants including JPMorgan Chase, Citigroup and Bank of America have been hit with a combined $1 billion in fines for employees' use of unapproved messaging channels, including email and WhatsApp.
The banks were investigated over traders' use of these channels to discuss meetings and investment terms, which put business communications outside the firms' retained records and so violated their compliance obligations.
The fines are the latest — and perhaps the most expensive — illustration of the role unauthorized tools play in the digital workplace, and the risks they create for business. The fines are also a timely reminder why businesses of all kinds need to balance the competing demands of employees, customers and compliance to protect their data and their bottom line.
Shadow IT Points to Unmet User Needs
Use of unofficial tools, known as shadow IT, is an indication that you’re not meeting your users’ needs. Employees always need a quick and frictionless way to communicate with one another and with clients.
If employers don’t offer secure and intuitive tools for communication, people will use whatever they find the easiest to get the job done. This creates a gulf between the perception and reality of security, particularly in regulated industries.
Over the years a string of enterprise ‘WhatsApp killers’ have emerged, from Cisco Jabber to Microsoft’s Kaizala, promising to offer the same one-to-one and group chat in a secure enterprise environment. None have made a dent in WhatsApp’s meteoric growth, fueled by familiarity, interoperability and network effects.
This is because providing the right features is not enough: the tools also have to be easy to use and well understood by the people expected to use them. If a tool is clunky and hard to use, people find workarounds or avoid it altogether, which pushes them back to unauthorized platforms.
It’s against this background that WhatsApp emerged as the Swiss Army Knife of enterprise collaboration.
... and Unmet Client Needs
Clients expect to be able to contact their service providers on the channel of their choice. So when they contact the organization on one channel, and are asked to move to a secure, approved channel to continue the conversation, it feels like poor customer experience.
When consumers began contacting firms via social media, those companies were forced to adapt. Processes for social media complaint handling were developed, and vendors like Sprinklr and Salesforce stepped in to deliver these capabilities at scale over a decade ago.
Neither organizations nor enterprise vendors have adapted to the reality of WhatsApp or SMS use in the same way; the usual response has been a blanket ban. Critics in financial services say such bans fail to reflect the nuances of modern day deal-making and client management.
A Delicate Balancing Act
Organizations have to balance the needs of users and the business against requirements for regulation, compliance and information security. The threat of fines understandably focuses minds on the latter.
Too often this leads to tools being configured in ways that make them difficult to use, with the focus on preventing misuse rather than on enabling productive work.
For example, when I work with organizations I find even where there are good quality tools and mature internal collaboration behaviors, access to these tools from outside of default corporate locations is limited. This pushes external or client collaboration back to email — or to WhatsApp.
Cybersecurity strategist Nick Drage, who advises firms on how to get ahead of these problems, explained:
"The security and compliance teams in financial services firms are considering the risk to the entire organization, which can dominate technology choices. Meanwhile users are rightly focused on their own situation and day to day needs, and an indistinct concept of organizational risk is hard to balance against timely communication with colleagues and customers. If organizations don't appreciate the difference in these two points of view early enough, they face the regulatory issues we're seeing at worst, but at best getting into an adversarial situation with their own employees over the applications used."
This balancing act has become more difficult for IT as user expectations have evolved. Much of the tech we rely on today has become so ubiquitous that it’s part of our everyday language. We don’t search, we Google. I don’t message you, I WhatsApp you. Once technology is part of the fabric of our everyday life it’s hard for IT teams to credibly bar its use unless they’re providing an alternative that allows people to work at the pace they’ve become used to.
Signs of Progress and Pragmatism
There are some encouraging signs of progress. As the market has matured, the usability of tools has rapidly improved. The arrival of Slack finally made enterprise collaboration lovable, and upped the game for vendors. Microsoft Teams, while harder to love, is a marked improvement on its predecessors.
This has put good quality tools in the hands of a great many more employees. While regulators fear the growth of working from home has caused a rise in use of shadow IT due to reduced management supervision, COVID-19 hugely accelerated the use of collaboration tools, particularly Teams. Bringing more employees inside the tent could pay dividends for compliance in the longer term.
Highly regulated industries face a greater challenge. But here, too, there’s growing pragmatism. Where once entire groups of regulated roles might simply be left out of collaboration programs, IT teams are finding ways to make these interactions compliant.
Swiss lender Credit Suisse designed a 'collaborative chat solution' to mirror WhatsApp in a secure environment in order to monitor staff communication. The tool, known internally as MyChat, allows the bank to record texts exchanged between employees, and to record messages sent via WhatsApp itself, while providing a consumer-grade experience for bank staff.
Goldman Sachs’ own secure, compliant messaging platform was considered sufficiently successful that it was spun off into a new company, Symphony Communications. A consortium of banks invested $66 million in its development, and today Symphony counts over half a million users across more than 1,000 financial institutions.
Symphony’s CEO, Brad Levy, said concerns on managing risk while staff work from home had led to a surge in interest for software to make conversations on tools like WhatsApp recordable.
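Recording is only useful to a compliance team if the record can be shown to be complete and unaltered, and can be searched later. The following is an added illustration, not MyChat or Symphony code and not part of the original article: a minimal archive that normalises messages captured from several channels into one hash-chained, append-only store, verifies the chain, and supports a simple eDiscovery search. Channel names, participants, timestamps and message texts are constructed for the example.

```python
"""Added example: a tamper-evident archive for captured chat messages.

Each captured message is normalised to a common shape and appended to a
hash chain, so a reviewer can later verify that nothing was inserted,
removed or altered, and can search by participant or keyword.
All channels, participants and message texts below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import Iterator, Optional

GENESIS = "0" * 64  # previous-hash value for the first record


@dataclass(frozen=True)
class Message:
    channel: str        # constructed labels such as "mychat" or "whatsapp"
    ts: str             # timestamp as reported by the capture connector
    sender: str
    recipients: tuple
    text: str


@dataclass
class ArchivedRecord:
    seq: int
    prev_hash: str
    message: dict
    hash: str = field(default="")


def _digest(seq: int, prev_hash: str, message: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    payload = json.dumps({"seq": seq, "prev": prev_hash, "msg": message},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class Archive:
    """Append-only, hash-chained message store (in memory for the example)."""

    def __init__(self) -> None:
        self.records: list = []

    def append(self, m: Message) -> ArchivedRecord:
        seq = len(self.records)
        prev = self.records[-1].hash if self.records else GENESIS
        msg = asdict(m)
        msg["recipients"] = list(m.recipients)  # JSON-friendly, stable form
        rec = ArchivedRecord(seq, prev, msg, _digest(seq, prev, msg))
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute the whole chain; any edit, deletion or insertion breaks it."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev:
                return False
            if _digest(rec.seq, rec.prev_hash, rec.message) != rec.hash:
                return False
            prev = rec.hash
        return True

    def search(self, participant: Optional[str] = None,
               keyword: Optional[str] = None) -> Iterator[ArchivedRecord]:
        """Yield records involving a participant and/or containing a keyword."""
        for rec in self.records:
            m = rec.message
            if participant and participant not in [m["sender"], *m["recipients"]]:
                continue
            if keyword and keyword.lower() not in m["text"].lower():
                continue
            yield rec


def demo() -> tuple:
    """Archive constructed traffic from two channels, search it, then show
    that a quiet edit to one archived message is detected. Returns
    (number of search hits, verify() result after tampering)."""
    archive = Archive()
    samples = [  # constructed sample traffic, not real messages
        Message("mychat", "2022-09-27T09:01:00Z", "trader.a", ("client.x",),
                "Can we talk terms on the block trade?"),
        Message("whatsapp", "2022-09-27T09:03:00Z", "client.x", ("trader.a",),
                "Sure, 250k at 41.20, call me"),
        Message("mychat", "2022-09-27T09:05:00Z", "trader.a", ("desk.head",),
                "Client agreed 41.20"),
    ]
    for m in samples:
        archive.append(m)
    assert archive.verify()
    hits = list(archive.search(participant="client.x", keyword="41.20"))
    # Tamper with the archived price and confirm the chain no longer verifies
    archive.records[1].message["text"] = "Sure, 250k at 41.00, call me"
    return len(hits), archive.verify()


if __name__ == "__main__":
    print(demo())
```

In a production deployment the chain head would be anchored somewhere the archive operator cannot rewrite (a separate write-once store or an external timestamping service), because an operator who controls the whole store can re-hash the chain after editing it; the chain here shows the structure, not a complete WORM guarantee.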
Where End User Responsibility Comes In
Ultimately, though, compliance is not solely a technology problem. While poor usability or the desire to appease a client can drive a frustrated user to unapproved tools, so too can an explicit wish to evade monitoring.
Many of the traders using WhatsApp at these banks did so intentionally, in the full knowledge they were breaking the rules. Compliance-friendly software won't stop someone intent on subverting systems for personal gain, but organizations at minimum can inform employees in concrete terms about the risks involved.
As Nick Drage said: "The key is for a security team to communicate the risk, and consequences, for both the organization and its staff. Too often compliance training is an annoying tickbox exercise worked through over a coffee break. More engaging training grabs the users' attention, then showing possible personal consequences keeps it. Will all of the users' WhatsApp messages be under investigation? Other online messaging they've used from the same devices? What will that reveal?"
With the rapid adoption of tools such as Teams, more of our workplace conversations than ever are on record. Text chats are retained and therefore discoverable by default, and transcription and automated note-taking create searchable records of voice and video calls too.
This, in turn, makes more of our conversations potentially available to lawyers. While this risk should be familiar to those in regulated industries, the potential for bad behavior to be discoverable in the event of litigation now exists in every industry. In a recent high-profile British libel trial, a series of unflattering WhatsApp messages proved the undoing of the celebrity bringing the case, in spite of what the court found were considerable efforts to hide them.
Employees should be reminded that while they can dance like nobody’s watching, they ought to email or text like it’ll be read aloud in court.
Beware the Knee-Jerk Response
The scale of these fines is sure to focus minds on unauthorized messaging tools. The risks involved in their use are significant, and not just in regulated industries like banking.
But IT decision-makers should be wary of knee-jerk reactions like banning their use altogether. Instead we need to take a pragmatic approach, putting good quality, frictionless messaging tools in the hands of every employee, understanding the realities of staff and customer communication needs, while communicating clearly about risks and trade-offs.
About the Author
Sharon O’Dea is an experienced digital strategist advising complex organizations on communication, collaboration and digital workplace technologies. Organizations Sharon has collaborated with include Credit Suisse, Allen & Overy, Standard Chartered Bank, Shell, Barnardo’s, the Houses of Parliament, UK Research and Innovation and the Department for International Trade.