knowledge | 12 February 2021
Auto-Delete and Encrypted Messaging Apps: Next in the Regulatory Spotlight?
Automatically deleting or ‘ephemeral’ and encrypted messaging platforms present novel difficulties for regulators in the investigation and supervision of regulated entities.
Ephemeral messaging apps transmit messages that are automatically deleted once the recipient has viewed them or after a set period; examples are Snapchat, Confide, Wickr and Threema. Encrypted messaging apps such as WhatsApp, iMessage and Messenger (in its opt-in “secret conversations” mode) apply end-to-end encryption, so that message content is readable only on the sender’s and recipient’s devices and not by the service provider or anyone intercepting it in transit. The two categories overlap: several of the apps in the first group are also end-to-end encrypted (Wickr and Threema, for example), and WhatsApp added a disappearing messages option in November 2020. While Irish regulators have yet to raise issues concerning the use of automatically deleting or ‘ephemeral’ and encrypted messaging platforms (“E&E apps”), the deletion of communications is always problematic in a regulated environment, and acquiescing in employees’ use of apps that automatically delete content may give rise to inferences that are difficult to displace.
In this regard, organisations should take note of concerns that have already been raised in relation to the use of encrypted messaging apps. For example, on 11 January 2021, the UK’s Financial Conduct Authority (“FCA”) issued a warning to businesses on the rising use of apps such as WhatsApp for business communications during the pandemic.
Enforcement Actions in other Jurisdictions
This is not the first warning shot from regulators. The US Department of Justice specifically called out the use of messaging apps in its 2017 Foreign Corrupt Practices Act Corporate Enforcement Policy, which stipulated that businesses must prohibit employees from “using software that generates but does not appropriately retain business records or communications.” That policy was varied in 2019 and now provides that companies are not required to prohibit the use of such apps but must implement appropriate guidance and controls over such communications. In other words, they must spot the risks posed by such apps and make sure they retain all necessary business records.
Similarly, the US Securities and Exchange Commission has issued guidance recommending that firms prohibit the business use of apps and other technologies that can be readily misused because they allow employees to communicate anonymously, automatically destroy messages, or prevent messages from being backed up.
The issue is increasingly emerging in enforcement actions in other EU Member States and in the UK. The Netherlands Authority for Consumers and Markets imposed a fine of €1.84 million on a company for obstructing a dawn raid by deleting WhatsApp conversations.
The UK’s FCA prosecuted an individual in 2019 for deleting the WhatsApp application from his phone during an insider trading investigation. Although the accused was ultimately acquitted, the FCA indicated after the trial that, “we will take action whenever evidence we need is tampered with or destroyed”.
In its January 2021 warning, the FCA reminded firms that if such apps are used for in-scope activities on business devices, the communications must be recorded and auditable. The FCA expects:
The FCA emphasised that “there is no specific restriction on the technologies or apps firms can use for communications”, but it is difficult to see how a business whose employees communicate using E&E apps can meet the expectation that communications be auditable. End-to-end encryption by design leaves the readable message only on the endpoint devices, so any recording solution has to capture messages on the device or through interfaces the provider offers for business accounts, rather than by monitoring network traffic; an app that deletes messages on viewing defeats even that unless capture takes place before deletion.
Reflecting the increased concern among regulators of the widespread use of WhatsApp during the pandemic, a December 2020 report co-chaired by the Central Bank of Ireland and the Australian Securities & Investments Commission on the impact of COVID-19 on retail market conduct noted that many large banks have begun exploring new technologies to enable the recording of WhatsApp communications. The report referred to “a massive spike in use of the encrypted messaging during the COVID-19 pandemic.”
Although to date there has not been any detailed guidance issued in Ireland and there is no specific restriction on the technologies or apps regulated entities can use for communications in this jurisdiction, the following should be borne in mind by regulated entities:
- Make sure that if encrypted apps are used for in-scope activities on business devices, they are recorded and auditable in accordance with applicable law;
- Remember that competent regulators such as the Central Bank of Ireland and the Office of the Director of Corporate Enforcement (“ODCE”) have the power in certain circumstances to require a person to disclose any password necessary to access electronically stored records;
- It is an offence to destroy evidence once the regulated entity is aware of an ongoing or anticipated investigation;
- In the context of civil litigation there is an obligation to preserve all potentially relevant documents once litigation is underway or is reasonably contemplated; and
- Regulated entities should monitor how methods of communications are developing within their organisation due to the pandemic in light of their obligations regarding these communications.
Good information governance requires a full understanding of how your personnel are communicating, and you may need to revisit your procedures for the retention of business records in light of the pandemic. Data mapping, up-to-date technology use policies, training and awareness are critical components of effective compliance.
Also contributed to by Aaron McCarthy
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.