Shadow IT failings cost Morgan Stanley $200m as CIOs continue to grapple with WhatsApp use
Morgan Stanley has been fined $200 million over “the use of unapproved personal devices” and failures to meet record-keeping requirements, the investment bank revealed in its earnings this week.
The fine comes seven months after US regulators imposed a similar fine on rival bank JPMorgan, saying in a damning report that even managing directors and other senior supervisors at the bank had evaded regulatory scrutiny by using WhatsApp or personal email addresses for work-related communication.
“As technology changes, it’s even more important that registrants ensure that their communications are appropriately recorded and are not conducted outside of official channels in order to avoid market oversight,” said SEC Chair Gary Gensler, as the SEC said its investigation had found that JPMorgan’s “employees often communicated about securities business matters on their personal devices, using text messages, WhatsApp, and personal email accounts. None of these records were preserved by the firm as required.”
Citigroup said in February that it is also facing scrutiny over the use of “unapproved electronic messaging channels”.
British government’s WhatsApp use backed by court
With the shift to remote work, organisations and even governments around the world are struggling to persuade staff to move away from the sheer convenience and ubiquity of WhatsApp and Telegram.
In March 2022 transparency campaigners accused British ministers of conducting “government by WhatsApp” in the UK’s third-highest court, arguing that the widespread use by ministers and civil servants of self-destructing messages “on insecure platforms” is unlawful and undemocratic, and that such use spanned areas of public importance relating to the pandemic response and the awarding of government contracts.
“Vast sums of public money pass hands following deals cooked up, in whole or in part, through these untraceable channels. They make it difficult or impossible for civil servants to act as proper stewards of public money. They pose a profound risk to national security – only last week it was revealed that private channels used in Number 10 had been hacked. And their use guts the clear public interest… in good record-keeping.”
That was according to non-profit the Good Law Project, which brought the case.
Yet despite finding that “Ministers, civil servants and unpaid Government advisors” had used WhatsApp widely, including its auto-delete function, the High Court on April 29, 2022 agreed with ministers including the Prime Minister that there was no legal duty on them to avoid the use of either WhatsApp or self-deleting messages.
Whilst there was legitimate public interest in retaining public messages, there was no legally binding requirement under the 1958 Public Records Act, the court found, saying the law left a “wide margin of discretion to the relevant body” and adding that Cabinet Office guidance explicitly urged the use of instant messaging.
The Good Law Project described this as “a decision with profoundly troubling consequences for those with interests in transparency, national security, and public record-keeping”.
Digital transformation expert and behavioural scientist David Loseby, who has led change management programmes involving adoption of new software for multi-billion procurement efforts, told The Stack: “My favoured approach from a leadership perspective would be to look at what would motivate employees to adopt the right behaviour of compliance, where we consider the theory that users will not comply with the rules if they know that breaking them will not be followed by punishment. Thus intrinsic motivation and extrinsic motivation come into play, where intrinsic motivation comes from within the individual, which usually leads to engaging in behaviour that is personally rewarding. In this context, people are not driven by the idea of an external incentive, rather by their own desires. Extrinsic motivation, on the other hand, results from the hope of gaining an external reward or avoiding punishment for specific conduct.
“An approach that removes the technology that is not desired (can’t download software such as WhatsApp onto a mobile device) in this case, and that there are sanctions for using personal devices that have real “teeth”, and then a rewards system, not necessarily financial, that might offer a platform with better functionality. Further, I can see a case where advising all clients, stakeholders, service providers, etc. that if they are communicating via non-authorised channels this is putting them at risk as well as the person(s) using them too! This latter approach is defined as an ethical nudge that guides people to using the right channels of communication (in this case).”
Weaning staff off favoured communications or other software platforms is a challenging art. How has your organisation approached it? We’d love to hear from our readers on this issue, particularly those in regulated industries where non-compliance carries the kind of risk Morgan Stanley et al found themselves exposed to.