WhatsApp and confidential data: where to draw the line with social media

An investment bank employee has been investigated by the Financial Conduct Authority (FCA) after sharing confidential client information over WhatsApp. While a reasonable level of employee social media use at work may be acceptable, it is still important to have clear social media policies. Jessica Clough, trainee chartered legal executive at Boyes Turner, explains why.

The facts

Christopher Niehaus was a managing director of the investment banking division of Jefferies International Limited.

He was an "approved person" under FCA regulations, holding a controlled function CF30 status within the company. As part of his role, he was privy to confidential client and market sensitive information.

Niehaus used WhatsApp to boast to a friend (and client) about certain deals and how much money he could make from them.

During the exchanges he revealed confidential information about a number of clients, one of whom was a competitor to his friend's company, in an attempt to impress his friend. When these breaches were discovered he was suspended but later resigned before the disciplinary process could be completed.

The FCA also investigated. Niehaus made a full confession and the FCA found that his behaviour had been foolish but not motivated by financial gain.

Nevertheless, the regulatory body imposed a penalty fine of £38,198 (reduced from £53,140 for his cooperation) under Principle 2 of the FCA Code of Practice for Approved Persons, for failing to act with due skill, care and diligence.

Personal accountability

The FCA is increasing its focus on the behaviour of individuals within regulated firms, its aim being to promote cultural change through increased personal accountability.

Since March 2017, the scope of the FCA rules has expanded to apply to most, rather than just certain levels of, employees of relevant firms based in the UK or who deal with customers in the UK.

The FCA is also consulting on expanding the scope of the Senior Managers and Certification Regime to all UK financial services firms, which could mean that all financial services personnel fall under the FCA's scrutiny in the future.

The FCA already regularly targets senior managers and issues fines against them on a personal basis for breaches or failures to uphold conduct rules. According to the FCA website, in 2016 fines of £16 million were issued to just 13 individuals.

The consequences for individuals are severe - but that does not mean employers are off the hook.

The penalties for companies are not insignificant, with the FCA website revealing that in 2016 they issued fines to eight companies, altogether totalling £19.4 million.

Under FCA Principle 3 (Management and Control), a firm can be in breach of the FCA code if it has "failed to take reasonable care and skill to organise and control its affairs responsibly or effectively".

Focusing on social media and communications in particular, the FCA Conduct of Business Sourcebook states that employers should take "reasonable steps to prevent an employee… from making, sending or receiving relevant telephone conversations and electronic communications on privately owned equipment which the firm is unable to record or copy".

As a result, companies subject to FCA rules will usually record all emails and phone calls by, or to, their staff over work devices.

However, the use of apps and personal devices is becoming increasingly common and is difficult to police.

What can employers do to protect themselves?

1. Have a robust social media policy

Although the Niehaus example relates to an FCA-regulated company, the risk of social media misuse applies to all organisations.

It is important for all organisations to have policies in place to regulate the use of social media by their employees whether such use is during working hours or privately. FCA-regulated firms must also be able to demonstrate adequate control over and monitoring of their employees' communications.

2. Review and update social media policies regularly

Use of social media is a rapidly developing field. While companies might have policies banning all personal use of the internet during office hours, this is no longer seen as reasonable by many employees. Regularly review policies to ensure you do not get caught out.

3. Training

Do you train your people on your policy? Do you explain to them the pitfalls of inappropriate communications? Do they know how private posts or tweets can have an impact on their employment?

Approved persons in particular will need to be aware of their duties and responsibilities in this area in order to remain FCA-compliant.

4. Bring Your Own Device (BYOD) policies

There has been a huge increase in employees using their own devices (such as tablets and smartphones) to connect to company IT networks.

A recent survey of UK-based chief information officers found that half of the surveyed companies' IT networks had been compromised that year due to use of personal devices and that only a small proportion of these companies had BYOD policies in place.

What happens now?

As a result of cases like this one, financial institutions have begun limiting or banning the use of certain apps, such as WhatsApp and Snapchat, on company phones.

However, there is still the problem of employees wanting to use personal devices and social media to maintain contact with clients on a more social level.

Companies must make sure that they have robust social media policies in place and that all staff are trained to understand what the consequences could be, not just to the firm, but to themselves personally, if their behaviour causes a breach of FCA rules and/or company policies.

With the FCA's rules applying to even more staff in relevant firms, and the likely future expansion of these rules, employers should review their policies and training regime now to make sure they have the tools in place to protect themselves from FCA penalties.