Is WhatsApp Facilitating Banking Fraud?
Sharing confidential information is a data protection issue with more and more red tape every day. With more and more apps differentiating encryption methods, this becomes even harder to manage for authorities. Below Finance Monthly hears about the potential for banking fraud via apps such as WhatsApp from Neil Swift, Partner, and Nicholas Querée, Associate, at Peters & Peters LLP.
As ever greater quantities of sensitive personal data are shared electronically, software developers have been quick to capitalise on concerns about how susceptible confidential information may be to interference by hackers, internet service providers, and in some cases, governmental agencies. The result has been an explosion in messaging apps with sophisticated end-to-end encryption functionality. Although ostensibly designed for day-to-day personal interactions, commonplace services such as WhatsApp and Apple’s iMessage use end-to-end encryption to transmit data, and more specialised apps offer their users even greater protection. Signal, for example, allows for its already highly encrypted messages to self-destruct from the user’s phone after they have been read.
The widespread availability of sophisticated and largely impregnable messaging services has led to a raft of novel challenges for law enforcement. The UK government, in particular, has been outspoken in its criticism of the way in which end-to-end encryption offers “safe spaces” for the dissemination of terrorist ideology.
Financial regulators are becoming increasingly conscious of the opportunity that these messaging services present to those minded to circumvent applicable rules, and avoid compliance oversight. 2017 saw Christopher Niehaus, a former managing director at Jefferies, fined £37,198 by the Financial Conduct Authority for sharing confidential client information with friends and colleagues via WhatsApp. Whilst the FCA accepted that none of the recipients needed or used the information, and the disclosure was simply boasting on Niehaus’ part, it was only his cooperation with the regulator that saved him from an even more substantial fine.
That same year saw Daniel Rivas, an IT worker for Bank of America, investigated by the US Securities and Exchange Commission and plead guilty to disclosing price-sensitive non-public information to friends and relatives who used that information. One of the means of communication was to use Signal’s self-destructing messaging services. Rivas’ prosecution saw parallels with the 2016 conviction of Australian banker Oliver Curtis, an equities dealer, for using non-public information that he received from an insider via encrypted BlackBerry messages.
These examples are likely to prove only the tip of an iceberg; given that encrypted exchanges are by definition clandestine, understanding the true scale of the issue, outside resorting simply to anecdote, is itself an unenviable task for regulators and compliance departments. Whilst those responsible for economic wrongdoing have often been at pains to cover their tracks – perhaps by using ‘pay as you go’ mobile phones, and internet drop boxes to communicate – access to untraceable and secure communication is now ubiquitous. It is difficult to imagine that future regulatory agencies will have access to material of the same volume and colour that was obtained as part of the worldwide investigations into alleged LIBOR and FX manipulation.
How then can regulators respond? And how are firms to discharge their obligations both to record staff business communications, and monitor those communications for signs of possible misconduct? Many firms already ban the use of mobile phones on the trading floor, but such edicts – even where rigorously enforced – will only go so far. Neither Mr Rivas, nor Mr Niehaus, would have been caught by such a prohibition.
There may be technological solutions to technological problems. Analysing what unencrypted messaging data exists to see which traders are notably absent from regulated systems, or looking for perhaps tell-tale references to other means of communication (“check your mobile”), may present both investigators and firms with vital intelligence. Existing analysis of suspicious trading data may assist in identifying prospective leads, although prosecutors may need to become more comfortable in building inferential cases.
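As an added illustration, not part of the original article, the two checks described above could be sketched as follows over messages from a recorded channel. The sample messages, the staff roster, the cue patterns and the 0.5 volume ratio are all constructed assumptions; hits are leads for human review, not findings.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample: (sender, text) pairs from a recorded, regulated chat system.
MESSAGES = [
    ("trader_a", "Client wants 5m EURUSD at the fix"),
    ("trader_a", "Filled, booking now"),
    ("trader_a", "Sending the confirm"),
    ("trader_a", "Rates look quiet this morning"),
    ("trader_b", "Desk meeting at 10"),
    ("trader_b", "Check your mobile"),
    ("trader_b", "Updated the blotter"),
    ("trader_b", "Can you resend the term sheet"),
    ("trader_c", "Will ping you on WhatsApp about that"),
    ("trader_d", "Booked the swap"),
    ("trader_d", "Momentum signal turned negative"),  # benign use of "signal"
    ("trader_d", "Confirm sent to ops"),
]
# Constructed roster; trader_e never appears on the recorded system.
ROSTER = ["trader_a", "trader_b", "trader_c", "trader_d", "trader_e"]

# Assumed cue list: phrases pointing to another channel, plus the app names
# mentioned in the article. Bare app names will also match innocent text.
CUES = re.compile(
    r"check your (?:mobile|phone)|\b(?:whatsapp|signal|imessage)\b"
    r"|\b(?:call|text|message) me on my (?:mobile|personal)\b",
    re.IGNORECASE,
)

def offchannel_cues(messages):
    """Return (sender, matched phrase) for every cue hit, in message order."""
    return [(s, m.group(0).lower()) for s, t in messages for m in CUES.finditer(t)]

def quiet_senders(messages, roster, ratio=0.5):
    """Return roster members whose recorded volume is below ratio * desk median."""
    counts = Counter(sender for sender, _ in messages)
    threshold = ratio * median(counts.get(p, 0) for p in roster)
    return sorted(p for p in roster if counts.get(p, 0) < threshold)

if __name__ == "__main__":
    for sender, phrase in offchannel_cues(MESSAGES):
        print(f"cue: {sender} -> {phrase!r}")
    print("quiet on recorded systems:", quiet_senders(MESSAGES, ROSTER))
```

The "signal" hit from trader_d is a false positive, which is why output of this kind supports, rather than replaces, the inferential case-building the authors describe.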
Fundamentally, however, such responses are likely to be both reactive, and piecemeal. Unless the ongoing wider debate as to the social utility of freely available end-to-end encryption prompts some fundamental rethink, the need to effectively regulate those who participate in financial markets – and thus the regulation of those markets themselves – may prove increasingly challenging.