To the surprise of no one, Matt Levine has written about this a few times (there are some other linked issues in here as well):<p><a href="https://www.bloomberg.com/opinion/articles/2023-08-08/don-t-do-deals-on-linkedin" rel="nofollow noreferrer">https://www.bloomberg.com/opinion/articles/2023-08-08/don-t-...</a><p>His is a pretty balanced take and raises some interesting points:<p>> I have argued that the SEC has aggressively expanded the recordkeeping requirements. In the olden days, almost all communication was informal and not recorded, and only formal decisions were memorialized in typed and carbon-papered memos, so the SEC had access only to a pretty limited slice of communications. Now, vastly more informal communication is text-based, and texting is a substitute for conversation, not for formal memos.<p>The rest of the piece and some of his related commentary in the area is worth a read.
At this point I cannot understand why anybody would use Wells Fargo as their bank. WF has proven <i>repeatedly</i> that they are pretty much the opposite of what everybody thinks a good bank should be. Repeated law violations; repeated screwing-over of their customers. Why are they still in business?
Ha, in Europe WhatsApp is even used by doctors and teachers to discuss patient/student matters, and even some government offices use it.<p>It's wild how entrenched it is in every aspect of society, from social to business.<p>Goes to show you how far good UX, simplicity and ease of use can take you.
Are US bank employees prohibited from discussing financial matters using anything but official channels (email, paper?) per se OR is this about using other channels <i>and failing to preserve records of the conversations</i>?
Reposting my comment here: <a href="https://news.ycombinator.com/item?id=37050595">https://news.ycombinator.com/item?id=37050595</a><p>As someone who currently performs information risk management for a financial institution, I'll say that private messaging doesn't need to be banned per se. It's just that all company business is the responsibility of the leadership, so ultimately, business communications need to be reserved for business communication platforms over which leadership can enforce policy. Privacy is a component of this.
These banks needed processes and controls to ensure their requirements are being met: records of electronic communication, technical security controls to ensure the privacy of protected communication, approved communication mediums/channels for different classifications of information, periodic reviews on the adequacy of these controls, etc.<p>Sometimes the restriction of things like WhatsApp, Signal, etc. is seen as an affront to individual privacy. That's not what this is about. This is about preventing a lot of dangerous scenarios, like:<p>1. Employees at your bank do something evil that's also against the law, but because they used Signal/WhatsApp, no records of the communication can be used as evidence in court.<p>2. The bank has invested millions upon millions into an information security program. Someone decides to use Signal/WhatsApp to share sensitive account numbers. Signal/WhatsApp ends up with a vulnerability that exposes the information, rendering the InfoSec program protections ineffective.<p>3. Like #2, but the information in WhatsApp/Signal is super important. The employees who kept it there all leave and/or get into fatal accidents. How will that impact the bank?<p>4. Your manager starts a group chat for the team via text message and conversations about work occur. Turns out someone in the conversation is involved with a scandal. Because you talked about work stuff outside of the approved comms channels, your personal phone can now be taken and used as evidence in a court (even if they can't pull the encrypted messages from it!)<p>It's just better for everyone to keep work communications in one place that the company has control over, and your personal device/apps totally separate from it.
Sounds like this is less about Signal/WA and more about them not having archiving methods.<p>They could in theory run _e.g._ `sigtop` every couple of months and encrypt it (e.g. age or veracrypt).<p>It's a complicated workflow, but I imagine they have a pipeline for emails that isn't much less complicated, but also isn't E2EE.
Work in the sector, and once the investigations / fines came out, massive notifications went out across the board reminding everyone not to use unapproved comms.<p>Was this used for nefarious purposes - possibly - but more likely it was general communications between team members using a platform that is more comfortable to them than either 1st party tools or something approved like Teams. 99.9% of this was likely reminders for meetings, attendance and coverage messages, a message to a team member who timezone shifted from you and may be off and you need an answer, etc. I'd guess most people involved didn't even consider the record keeping because their day to day jobs don't involve actual trading info, and the "encryption" of those services likely made them feel more comfortable than they should.<p>Not trying to excuse the behavior - yes, the record keeping is important - but I think it's also important to realize this was likely largely innocent.
Worked in an investment bank, although not in a client facing role, and it's not quite as simple as it seems - if your client reaches out with a question via text or WhatsApp, technically you should redirect them to use your bank's secure messaging app of choice.<p>The problem is no one has ever heard of Symphony, doesn't want to install it so they can ask a simple question, and the user experience is meh at best. If you do the right thing, clients would likely perceive you as difficult to work with and perhaps go elsewhere. To some extent, the inevitable fines might be seen as a necessary cost of doing business. So a pretty severe crackdown was necessary to ensure everyone is properly incentivized to inflict this pain upon clients.
"We are pleased to resolve this matter"<p>Nobody should ever be "pleased" with knowingly breaking the law. When will we ever get serious about law enforcement for this type of crime?
All the government needs to do to get HN on board with criminalizing encrypted communications is to implicate a bank. Bear in mind, the SEC didn't find any actual criminal activity here. The banks just failed to retain the conversations that took place by their employees via encrypted channels (a necessary feature of encrypted communication).
If anyone is a glutton for punishment there are overlapping records requirements, but this is the one that is probably most relevant to those in the securities industry <a href="https://www.finra.org/rules-guidance/key-topics/books-records#electronic-communications" rel="nofollow noreferrer">https://www.finra.org/rules-guidance/key-topics/books-record...</a><p>"Firms may not permit the use of any type of electronic communication if they are unable to satisfy the applicable recordkeeping requirements with respect to that particular type of electronic communication."
The whole record keeping requirement for written correspondence generally seems completely unreasonable. Presumably telephone calls, zoom calls and in person meetings aren't recorded?<p>Why should that be different if it's written?
What's the solution for the banks here? Officially prohibiting those messenger apps but off-the-record recommending them on private phones to dodge regulators?
> Wells Fargo, the fourth-biggest U.S. bank by assets and a relatively small player on Wall Street, racked up the most fines on Tuesday, with $200 million in penalties.<p>> “We are pleased to resolve this matter,” said Wells Fargo spokeswoman Laurie Kight.<p>Unfortunately, the penalty appears not big enough.<p>As another key responsibility, these individuals are forbidden from insider trading... which if they are not keeping records is basically not possible to police.
Wells Fargo gross profit for the twelve months ending June 30, 2023 was $80.279B. Billion, with a B. A $0.5B fine is both a lot and nowhere near enough.<p>I imagine a smaller fine would be a more effective deterrent if it was directed at the C-suite instead of the whole corporation. Maybe a little jail time too, as a treat.
No person on Earth (except a very reasonably suspected terrorist perhaps, because he could use that for an attack trigger) should ever be denied privacy. What if I worked at a bank and had to text something urgent to my dear? I would find it absolutely unacceptable for anybody to ever read that, no matter how innocent and banal our conversation would be. To me that would be equivalent to tapping into my brain and eavesdropping on my very thoughts.