The WhatsApp problem in a nutshell
Financial institutions are on guard: because employees were using WhatsApp for business communication, some of the world's largest banks have had to pay heavy fines imposed by the United States Securities and Exchange Commission (SEC). In Germany, consumer instant messaging apps are a particular thorn in the side of the Federal Financial Supervisory Authority (BaFin), because such apps give the institution no control over internal and external communication. Using them, bank employees could share sensitive information or delete data that compliance or legal requirements say must be archived. Fines are therefore likely in Germany as well. It is time for financial institutions to find an alternative to WhatsApp and similar consumer messengers, which are mostly used on mobile phones.
In order to ensure compliance with the law and the trustworthiness of the German financial system, BaFin has a strong interest in knowing how bank employees and board members communicate with each other and whether they use unauthorized tools. Common instant messengers such as WhatsApp neither meet the functional requirements of professional business communication nor offer the transparency needed to implement compliance and legal requirements, for example for data protection and security or for audit-proof archiving. These include BaFin requirements that written service agreements be retained for at least three months, and the MiFID II Directive, which requires recordings of telephone calls to be retained for at least five years.
Documentation and archiving of this kind are not possible with messengers such as WhatsApp. The same applies to messaging apps that are regarded as secure, such as Signal or Telegram: their archiving and control capabilities are equally insufficient for this purpose.
Attractive alternatives instead of desperate bans
Banning the use of WhatsApp and the like, as DekaBank has done according to Bloomberg, helps only to a limited extent. Many financial institutions use professional unified communication and collaboration solutions such as MS Teams, primarily on laptops and at fixed workstations, but these tools also sit in a legal gray area: data protection supervisory authorities and the European Court of Justice continue to scrutinize their GDPR compliance.
Nevertheless, bank employees who do not sit at a desktop PC all day almost instinctively reach for their mobile phone to send a quick message or exchange information, internally as well as externally. IT departments and management should therefore not underestimate the force of habit. A ban is a first step in the right direction, but what will the alternative to instant messaging be?
Seven tips for financial institutions to leverage messenger apps
It is crucial to understand how bank employees communicate and to take their habits into account, without losing sight of the associated data protection and compliance risks. The following seven tips will help you find and productively use a secure, GDPR-compliant alternative to WhatsApp that suits the institution and, above all, is accepted by employees.
1) Create transparency and awareness in business communications
It is important to get an overview of the communication behavior of the employees on the one hand and of the corporate guidelines on the other:
What communication rules apply? What tools are already available? How are they used? What weaknesses do they have? Or, put another way: when do employees step outside this predefined set of communication tools, and why? What are the consequences for employees and for the financial institution? What do banking experts need from communication tools when they are away from the business premises? What would an appropriate solution look like?
These questions shed light on how and why WhatsApp was able to establish itself and what measures financial institutions should introduce.
2) Make messaging a default part of the company’s communications structure
Although MS Teams or similar solutions are probably becoming the primary communication and collaboration channel in many financial institutions, there can and should be an alternative for the case that this tool becomes unavailable for unforeseen reasons. Even then, fast real-time dialog and cross-departmental, cross-location exchange must remain possible. It is important to define which communication channel may be used for what, and when.
Therefore it is not enough to simply open an authorized instant messaging channel; it must also be integrated into business communications. Financial institutions have to ensure that the requirements for documentation and audit-proof archiving can be met. This not only reassures supervisory authorities but also promotes the confidence of investors and bank customers.
3) Ensure modern, location-independent business communications – even for hybrid workers and bank experts on the go
If instant messaging is part of the communication culture, the solution should map employees' internal communication processes and preferences, and be convenient and easy to use alongside e-mail, telephone and MS Teams, especially on mobile devices.
Instant messaging solutions for business communications should enable exchange with colleagues in the branch, with or within headquarters, and from anywhere, without employees having to resort to their personal device or, worse, to an uncontrolled consumer messenger like WhatsApp.
But a messenger will only be accepted as an alternative if it is as intuitive to use as the apps employees already know and also offers business-relevant communication functions such as video conferencing, voice-over-IP and video calls.
4) Provide your employees with a secure, GDPR-compliant messaging solution
There are a number of messenger solutions on the market that are suitable for companies, excel in user-friendliness and at the same time are classified as secure, as the current Forrester Wave for secure communication shows. Only an authorized, legally compliant solution lets employees use instant messaging securely and in line with compliance requirements. This includes ensuring that, unlike privately used apps such as WhatsApp, this communication channel remains under the company's control at all times, so that it does not become an unmanaged target for cyberattacks.
In addition, it is advisable to integrate instant messaging into the IT landscape according to the zero trust model, in which every access to the messaging service is authenticated and authorized individually, based on the user's identity and the state of the device, rather than being trusted because it originates from the corporate network. Bank employees then benefit from all the usual advantages of messaging, while the financial institution obtains the greatest possible security for its business communications.
5) Ensure that IT always retains control over instant messaging
To counter the lack of control that supervisory authorities criticize, and to follow the zero trust approach, comprehensive administration and control options are required, for example for user management, data ownership and analysis.
A business messaging application should be preinstalled on all employee devices via Mobile Device Management (MDM) or Unified Endpoint Management (UEM), rolled out quickly under a simple rollout concept, and administered conveniently by IT through an administrator portal.
6) Ensure maximum data security and digital ownership in your financial institution by becoming independent from US tool and hosting providers
To achieve this, a messaging solution for the banking sector should be deployable in an independently operated, secured public or private cloud or on premises. Only then can financial institutions meet the high standards for data protection and security and keep internal communications running even if the core IT infrastructure fails.
Encryption, GDPR compliance and ISO 27001-certified data centers are further criteria that must be taken into account for a secondary channel as well, so that the company's high security standard is maintained without gaps. Note that end-to-end encryption and central, audit-proof archiving pull in opposite directions: if only the endpoints hold the keys, the archive cannot simply be populated on the server side, so check how a vendor reconciles the two before relying on either property.
7) For a secondary channel, also consider the communication needs of your customers and investors
Check whether, in addition to internal communication, external exchange with customers and business partners should also be possible. Guest accounts, chat widgets or even a privacy-compliant WhatsApp connection can be attractive options for making live communication as convenient as it is secure, in the sense of conversational banking.
Use instant messaging in a compliant manner
Banks and financial institutions need to give employees an adequate and no less convenient replacement for WhatsApp and the like as quickly as possible. On the one hand, this is about avoiding unnecessary fines and reducing security risks: as shadow IT, messengers like WhatsApp escape all corporate and administrative control.
On the other hand, instant messaging is clearly an important communication channel that must be appropriately integrated alongside primary collaboration tools such as MS Teams. Financial institutions should not compromise on compliance, security and data protection, and they do not have to: a business-grade instant messaging app is not at odds with these goals. What is needed is an awareness at all levels of what secure business communication means. This applies well beyond the banking sector.