Banks hit with millions in fines for using Signal and WhatsApp (www.cnbc.com)
253 points by ikue | 2023-08-08 08:49:35 | 247 comments




Are US bank employees prohibited from discussing financial matters using anything but official channels (email, paper?) per se OR is this about using other channels and failing to preserve records of the conversations?

AFAIK you are allowed to use any channel as long as you preserve records of the conversation. However, meeting the standards for preservation is quite difficult, which is why employees of financial institutions are generally told not to communicate outside person-to-person, or channels vetted by their company (and lawyers thereof).

Thanks! That makes a lot of sense.

So ... you aren't obligated to preserve records of the conversation if the channel is "in person", then.

Right - or if it's over the phone.

What if I dictate into my phone and WhatsApp sends it as text? Purely to save bandwidth of course.

That is one of the things that the banks are being fined for.

I am unsure about the current status in the States, but in Europe all conversations with a client over the phone where you might discuss commercial terms need to be recorded. Banks just cover their backs, and for customer-facing positions all phone calls, no matter if through landlines (or IP telephony) or cell, are recorded, either by the PBX software or by the carrier.

Employees are reminded not to use these lines for personal reasons (imagine an employee using the phone line to discuss their health with their doctor, and the employer just recorded extremely sensitive information from an employee), but the alternative means a strong fine from the regulators (usually the local AML authority).


Mostly not. But many interactions, such as a Risk and Audit Committee, are required to have minutes signed by all participants. This is usually for all sessions which shape and oversee key policies such as Risk, AML, Audit, etc.

Such a waste of time trying intently to regulate and control communication.

People will just get a second private device that is not managed by the organization, and if there is a mutually beneficial advantage to doing so, the other party will do the same as well.

This has been going on forever, I remember when they kicked up a huge fuss when they found out that people were doing direct pin-to-pin messages on the blackberry (was not logged for boss to read at the time).


Isn't this an argument that doing anything that is illegal but beneficial to the conspirators should be left alone?

If it were totally allowed and widespread how would there be any pretence of fairness in the markets? Of course you could say that at least then people would be appreciating the reality of the situation . . .


It’s actually a bit of a trap - if you are caught using secondary devices, it speaks to intent. Similarly, when you deposit money at a bank and they ask you to certify these are not proceeds of a crime: they aren’t expecting to catch people at that step. But if they catch you later, boom you defrauded a bank by lying and have additional charges.

How is this different from having laws on the books that ensure all citizens are breaking the law at any given time? Doesn't feel like how laws are meant to be used

Because it applies to certain regulated industries and people who work in those industries. It’s not wide ranging.

It's not illegal to own a personal device, it's also not illegal to be friends with your coworkers if you trust them.

There is no "intent" here. What you are describing is an organized criminal conspiracy which is illegal no matter what device or system you're using. What I am talking about here is whether the employer should get to listen in to all your calls and read all your emails and text messages. Why do you think they like BYOD so much? Because they can get a window into your personal life, what apps you have installed, etc.


I think they like BYOD because they don't have to buy a device or service it, but can still get at employees at all hours.

It is not illegal to have friends, but if you are in a job that has certain regulations it is illegal to communicate in a non approved way with business partners. This isn’t a wide scope - it’s people who have jobs that are covered by these regulations.


> Such a waste of time trying intently to regulate and control communication.

It's not an overall waste of time, because the goal is to reduce the enormous wastes caused by fraud, crime, and other malfeasance.

I know somebody who worked at a bank. The bank had a mandatory vacation policy: you had to be 100% gone for at least two solid weeks every year. When outsiders heard about this, they were often indignant. Who is the company to tell me how I spend my vacation? I know best when I need to rest. Why are they trying to regulate and control so much?

But the policy was about preventing crime. There are kinds of fraud where one person can keep it going a long time if they're around to fiddle things manually. But a couple of weeks of absence, plus the cross-training that goes with it, can keep those kinds of frauds from ever happening. And when they do happen, they stay much smaller.

As an example of why fighting fraud is vital to a bank, you could look at the failure of Barings Bank. One guy was able to fiddle the accounts to hide his losses, gaining a reputation as a trading genius. He started with a little deception, and it spiraled out of control over the years, eventually destroying a bank that had survived more than two centuries.

When compared with the destruction of the bank, making sure that supervisors can see what an employee is getting up to is a pretty small waste in comparison.


> When compared with the destruction of the bank, making sure that supervisors can see what an employee is getting up to is a pretty small waste in comparison.

But they can't see this according to the comment to which you're responding; that's the problem.


They will do it a lot less when it turns out that it's illegal or will get them fired. Which is what the article we're discussing is about.

Is this one of those cases where it ends up causing death by regulation?

Take the pharmaceutical industry in the US. One reason it's so expensive for them to operate is the massive amount of rules and regulations that surround their work and cause them to hire tons more highly skilled personnel in order to meet those regulations just to get work done.

Now all those rules exist because someone did something bad and the rules prevent those bad things from happening again, which is a good thing. However, it increases the cost of doing business, and over time, as these rules and regulations pile up, everything gets more and more expensive and complex.

It's unfortunate that we as a society now have to pay for the actions of a bad actor in perpetuity. I don't know of a good alternative, because again these rules exist for a reason. Fraud is obviously bad, and people will constantly take advantage of the system until we regulate it more and more, but then normal rule followers pay the price.


I'm always cynical when I hear arguments like this, I feel like it's the profit motive which is more to blame. They need to justify those prices somehow, and reducing payouts to shareholders or C-levels would be unthinkable.

I don't disagree with you - I'm just pointing out that when profit margins decrease, prices increase and the customer ends up paying for it.

In "free market" conditions, there should be players who can compete by not increasing prices, but due to the increasing number of regulations, it becomes impossible for smaller players to enter the market or exist in the market, so nobody can come in and take advantage of lowering prices, so prices just go up and up.

Again, these regulations usually exist for good reason; it just makes the market less efficient and drives prices up over time.


> in "free market" conditions, there should be players who can compete by not increasing prices

In a free market without regulation, the "rational" thing to do is to flood the market with fake "life saving drugs" and reap the (almost) infinite ROI.

In a less hyperbolic sense, the nature of "market" dictates we cut corners wherever possible. When it's a matter of life and death, the public chose to legislate which corners cannot be cut.


Is your contention that the pharmaceutical industry is dying? Or that it has insufficient lobbying power to push back against regulations that don't improve safety in proportion to their costs?

But to answer your direct question, I think the answer is a pretty clear no. Financial companies invest a ton in communications. If there's a buck to be made from improving their tools so that their employees can communicate faster, they'll get around to it eventually. They'll just do it with tools that provide the sort of proper records that they've been obliged to keep since forever.


Not that it's dying at all - it just makes it more expensive for them to do literally anything. That cost ultimately trickles down to the consumer. The entire US healthcare industry contributes to this. It's extremely regulated, usually for good reason, but the consequences are that there are tons of middlemen, bureaucracy, and inefficiency that make the end product more expensive.

And the safety is probably correct. It's a problem that I'm not sure how to address.


So one, if it's not pharma who's dying, who are you asserting is dying from regulation?

Two, you're ignoring the externalities here. Most regulations exist to account for negative externalities. If I sell big cookies on the street for $5 each and 1 person in 10 dies from eating my cookies, then my $50 in revenue has to be compared against the cost of the death. Food safety regulations have costs to be sure, but we have to measure them against the harm averted.

If a product is more expensive because its makers have to be more careful, then that's not inefficient. It's people having to pay the true costs of the product, which is more efficient overall.

It's also true that regulation can be inefficient, of course. But the solution for that is primarily for producers to be responsible members of society, and secondarily for them to work closely with regulators to find effective regulation at minimal cost.

But if effective regulation that properly places costs kills a company or an industry, I'd argue that industry should not exist in the first place. Something we're seeing rediscovered in real time with people like Sam Bankman-Fried.


> When outsiders heard about this, they were often indignant. Who is the company to tell me how I spend my vacation?

They're the employer and get to set reasonable conditions for employment, that's who they are.


> Such a waste of time trying intently to regulate and control communication.

Then attempting to enforce antitrust laws is likewise a waste of time.


It is actually prohibited to use private devices (on the trading floor).

It's a bit weird that even though they can communicate person-to-person, where records won't be kept, they are supposed to keep records of electronic communication.

Not really. How on earth could that ever be implemented?

In person conversations could be required to be recorded with a portable voice recording device (like a tape deck or phone). Same for phone calls. The regulatory authorities exempt those communications for now, but it isn't clear that there is any kind of consistent standard / reasoning.

Well, it's incredibly hard to scale fraud only through person-to-person communications. It's not impossible, but think about the scale that online communication would allow.

This has nothing to do with scaling. How do you picture that, some employee would broadcast sensitive information to a WhatsApp group, in order to reach as many others as possible at once?

The offense here is that no effort was made to keep records of the communication. It would have been OK to use WhatsApp if they had somehow archived all communications. Records of communications have to be kept so that auditors can verify that no insider trading secrets were communicated to others, for instance.


Now I understand why some of the banks wanted people back in the office as soon as possible. Trying to support their commercial real estate bags is likely another.

The weird step for me is the expansion of regulatory authority from published memos, to all written communication like texts and chats. I get it and don't really object to the end result, but it seems like the law should be updated to match what society desires to be regulated, rather than just relying on a generous interpretation by regulators.

I wonder if handwritten notes, post-its, or marks on whiteboards are also subject to regulatory authority.

Yes they are, if you haven't taken care of keeping them out of sight of unauthorised other persons.

> it seems like the law should be updated to match what society desires to be regulated

This absolutely happens. Usually, however, the regulators are interpreting the law in a way that the legislators agree with. In those cases, there is no need for new legislation.


The law does not need extending. It is that for bank traders ALL communications must be kept.

> for bank traders ALL communications must be kept

One, not every securities professional trades at a bank. Two, this is not true for any of them. Broadly speaking, work-related written communications must be logged. But there is nuance and exception to that.


Banks have CCTV cameras in office buildings that record video of customer-banker interactions.

Any change to any banking system is then done via a banking order (payment order, deposit order, etc.) and is documented and signed.

So there is plenty of trail evidence for each transaction with each customer.


Also, compliance teams want live or near-live access, and do run dynamic filters on that live content. I can’t imagine a non-criminal* compliance team accepting a solution that is T+1 or that depends on manual action from the employee.

* I’m barely using hyperbole


It is a record keeping issue from what they discussed and the same thing was said in an article at ComputerWorld. https://www.computerworld.com/article/3668574/banks-face-a-w...

So the law as written regards keeping records of inter-office memoranda, but the regulators have cheerfully expanded the scope of this to include essentially all communication by bank employees (except maybe phone calls).

No, it includes calls now. Traditional calls over copper telephone lines are not recorded, but digital calls over MS Teams or whatever are recorded and kept for review.

You still need a secondary device if you want to have a private conversation.


No, for bank traders all phone calls are recorded and have been since at least the 1990s.

We're in a time where these tools have replaced face to face conversations -- and those previous conversations never required record keeping.

No, that's just what the outrageous clickbait headline[1] fooled you into thinking.

The banks aren't being fined for using Signal or WhatsApp or any particular technology, they're being fined for failing to keep records of regulated communication they're required by law to present for auditing. Obviously if you use tools that don't keep records, you need to find a way to save it yourself.

[1] Bad in the CNBC original, but actually truncated here on HN to remove the explanatory clause. The original reads "Banks hit with $549 million in fines for use of Signal, WhatsApp to evade regulators’ reach"


Ha, in Europe WhatsApp is even used by doctors and teachers to discuss patient/student matters, and even some government offices use it.

It's wild how entrenched it is in every aspect of society, from social to business.

Goes to show you how far good UX, simplicity and ease of use can take you.


Never heard of it. Perhaps not in the entirety of Europe?

Can't speak for the entirety of Europe obviously, usage varies from country to country, but where I've been it's pretty well entrenched for both social and business.

WhatsApp is widely used by UK ministers to communicate with potential donors, lobbyists and other politicians. I don't know why it's allowed; in-person meetings are supposed to have a civil servant present and taking notes. WhatsApp gets them off the FOI hook.

Case in point: The ongoing Covid-19 inquiry request for access to government WhatsApp messages: https://www.ft.com/content/208263bf-b6bb-4ea6-8e6b-ee2e522ac...

I thought it doesn't, the law just doesn't seem to be enforced properly?

is it feasible to have a reg where WhatsApp is allowed, as long as a copy of the transcript post-decryption goes to the national archives or whatnot?

Yeah, not entirely.

I've lived in both eastern and western Europe and it's used a lot almost everywhere. As far as I can tell, the more Russian-influenced countries tend to use other services.

It's still crazy to me how people use Viber en masse in a lot of those places. The UX is abysmal and it's full of manipulative ads. Habits are hard to change.


Definitely not everywhere. It's not widely used in my country.

> Never heard of it. Perhaps not in the entirety of Europe?

Never heard of Whatsapp? Try removing the comments where you talk about it then.


I'm sorry you can't understand text.

Also security. WhatsApp end-to-end encryption or even better, Signal where messages can't be replicated to any other device is more reassuring than a custom implementation ...

But it looks like this lawsuit is exactly about the opposite, that messages cannot be accessed and reviewed easily. It's also easy to understand why banks prefer using secured applications like Signal when discussing secret deals rather than taking the risk that such conversations leak to e.g. competitors...


> WhatsApp end-to-end encryption or even better

so they claim… not that fb has ever given us a reason to trust them.


Why risk lying about something like this? It makes no business sense, and I can't imagine the Facebook employees being so loyal as not to spill the beans here.


Buried in the ProPublica piece (2021) is the ELI5 of the fundamental uncloaking mechanism:

>WhatsApp reviewers gain access to private content when users hit the “report” button on the app, identifying a message as allegedly violating the platform’s terms of service. This forwards five messages — the allegedly offending one along with the four previous ones in the exchange ...

This may not have much to do with the more specific abuse case of criminal financial conspiracies.


That’s not the point. The issue is whether Facebook has surreptitiously gotten data you don’t think they’d be getting, and got caught doing it. With regard to video, audio and metadata the answer is YES. Will you now trust them with your “encrypted” conversation content?

I am still waiting for someone to explain to me why you can forward media (images or videos) in WhatsApp to new recipients without uploading it again completely, if those images and videos are encrypted with the public keys of your recipients.

Since the forward is instantaneous and does not involve a re-upload, it looks to me like the files are cached on the servers. If the recipient can see these files and they are encrypted, it means that the server itself encrypted them using their public cryptographic key. If the server can do that, it means it either:
- can decrypt your own files
- caches them unencrypted

Correct me if I am wrong.

It is easy to test by sending a large video recording over a crappy connection, then forwarding it to another recipient. First upload can literally take a minute or more, the second action is immediate.


Consider the following:

You encrypt and upload the media to the storage server.

You share the download URL and key with person #1

Now how long would it take to forward that same message with the url and key to person #2...n?


Are you saying they would be using symmetric encryption?

Not necessarily: the sender generates a private key for the piece of media, and shares the public key for that media item along with the download location to persons 1 & 2 over their encrypted chat channels.
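As an added illustration of the design sketched in the two comments above (this is example code written for this thread, not WhatsApp's or Signal's implementation, and it makes no claim about what either app actually does): the sender encrypts the file once under a fresh random content key, the storage server only ever holds ciphertext under an opaque blob id, and sharing or forwarding is just sending the small (blob id, key) pair over the already-encrypted chat. The example uses a per-file symmetric AES-GCM key, since that is the form of key material every recipient can use to decrypt the same blob. All names (`mediaRef`, `blobStore`, `uploadMedia`, `forward`, `fetchMedia`, `demo`) and the sample "video" bytes are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// mediaRef is the small pointer a sender shares over the E2E chat:
// where the ciphertext lives and the key needed to open it.
// The Key never travels to the storage server. (Hypothetical name.)
type mediaRef struct {
	BlobID string
	Key    []byte
}

// blobStore stands in for the media server: it only ever sees ciphertext
// and counts how many full uploads it received. (Hypothetical name.)
type blobStore struct {
	blobs   map[string][]byte
	uploads int
}

func newBlobStore() *blobStore { return &blobStore{blobs: map[string][]byte{}} }

// put stores a ciphertext and returns an opaque id derived from its hash.
func (s *blobStore) put(ct []byte) string {
	sum := sha256.Sum256(ct)
	id := hex.EncodeToString(sum[:8])
	s.blobs[id] = ct
	s.uploads++
	return id
}

func (s *blobStore) get(id string) ([]byte, error) {
	ct, ok := s.blobs[id]
	if !ok {
		return nil, errors.New("no such blob")
	}
	return ct, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// uploadMedia encrypts the file once under a fresh random key and uploads
// nonce||ciphertext||tag. This is the only step that moves the big payload.
func uploadMedia(s *blobStore, plaintext []byte) (mediaRef, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return mediaRef{}, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return mediaRef{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return mediaRef{}, err
	}
	ct := aead.Seal(nonce, nonce, plaintext, nil)
	return mediaRef{BlobID: s.put(ct), Key: key}, nil
}

// forward is the entire "forward to person #2..n" step: the same small ref
// is re-sent over the E2E channel and no bytes go to the storage server.
func forward(ref mediaRef) mediaRef { return ref }

// fetchMedia is what a recipient does with a ref: download the blob and
// decrypt it locally. Without the key (e.g. the server itself) Open fails.
func fetchMedia(s *blobStore, ref mediaRef) ([]byte, error) {
	ct, err := s.get(ref.BlobID)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(ref.Key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ct[:ns], ct[ns:], nil)
}

// demo runs the thread's scenario: one upload, many forwards, every recipient
// decrypts, and the server holds exactly one opaque blob the whole time.
func demo(recipients int) (uploads, blobs int, allDecrypted bool, err error) {
	store := newBlobStore()
	video := []byte("constructed stand-in for a large video file") // constructed sample
	ref, err := uploadMedia(store, video)
	if err != nil {
		return 0, 0, false, err
	}
	allDecrypted = true
	for i := 0; i < recipients; i++ {
		got, e := fetchMedia(store, forward(ref))
		if e != nil || string(got) != string(video) {
			allDecrypted = false
		}
	}
	return store.uploads, len(store.blobs), allDecrypted, nil
}

func main() {
	u, b, ok, err := demo(5)
	fmt.Printf("uploads=%d blobs=%d all recipients decrypted=%v err=%v\n", u, b, ok, err)
}
```

The point of the design choice: the instant forward the comment above observes is consistent with the server caching ciphertext, because the only thing re-sent is the (blob id, key) pair, which is a few dozen bytes; the server never needs a recipient's public key or the plaintext to serve a forwarded file.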


You don’t need to trust Meta, there’s tons of regulatory oversight

I doubt that more than 1% of people using WhatsApp actually care about E2E encryption

Yes, most people are using WhatsApp because it was one of the first to use a phone number as the account handle and to dig into your contacts to find people. No risk of misspelling a complicated account name, auto discovery + group chats. The rest is inertia helped by the addition of features like voice messages, video calls, and stickers way, way, way before encryption in order to stay current with the competition.

If you ask most people how can they be sure that meta is really encrypting end to end, most shrug off saying that meta already knows everything about their lives through FB, Instagram anyway.


Signal is not designed for situations where an intended recipient is intentionally aiding an eavesdropper. It does not prevent an intended recipient from making copies of messages via the regular clipboard even with disappearing messages turned on, and even if it did, could not stop someone from taking a video of their screen.

that’s different than cryptographic proof someone sent the message. anyone can fake the above.

How often is the use GDPR compliant?

I guess people don't care unless someone sues


It's not GDPR compliant but some governments don't offer any alternatives.

Which ones do, and what alternative do they offer then?

Well, banks need this to prove they are not fixing price rates (e.g. as in the Libor scandal about 10y ago), and that they did their part in KYC and prevention of AML for the client, or that they did not mis-sell a product in case of a legal procedure or claim.

So everything is recorded, encrypted, some is monitored in near RT by engines, and only accessed by human employees when necessary. A full log of who accessed what is kept.

This falls under Fair Use (not sure about the exact term) under GDPR, as it is a sensible way for the bank to uphold their legal obligations.


> This falls under Fair Use (not sure about the exact term) under GDPR, as it is a sensible way for the bank to uphold their legal obligations.

The term you're likely looking for is "Legitimate Interest", but that's not quite the same. You're looking for the bigger picture.

Full disclosure: I was the DPO of a gambling company and had to interpret the cross-regulation conflicts quite routinely. One of the big things with GDPR is that it can not overrule industry or domain-specific regulations. It will certainly influence how the data may be accessed, but as far as internal collection and storage goes, GDPR changes nothing material in finance.

Banks and trading shops are required to record and store all work-related communications. No exceptions, no excuses. The reasons are as you stated. To prove (or disprove) cases of insider trading, collusion, price fixing, front running, and all the other forms of fraud/abuse that would allow the financial outfits and/or their traders to break the rules and fleece their customers and/or counterparties. (They still manage, but at least it's not as blatant.)

The main impact of GDPR is that the financial industry has one additional reason to purge old records once the statute of limitations has expired.


Well put. Thanks for the comment.

Same in India.

Same practically everywhere in South America. You basically could not survive without using WhatsApp due to its prevalence.

At least in the UK, group messaging over sms was always broken, and sending pictures still costs me extra money. The phone carriers brought it on themselves.

It's not the phone carriers' problem FYI.

It is, in that if they supported MMS then we would not need to use WhatsApp.

All phone carriers support MMS.

In the UK at least you need to pay for it - SMS and WhatsApp are free.

The phone companies aren't bothered. You're the one locked into facebook.

Or how stupid people can be convinced that this is an SMS replacement because it uses phone numbers (when really it's just another internet messaging app that uses phone numbers as IDs). It took off due to social pressure in places with bad mobile texting networks. That's all.

Why does that have to involve people being stupid?

I hope [1] is an example of that tide turning.

[1] ICO reprimands NHS Lanarkshire for sharing patient data via WhatsApp - https://ico.org.uk/about-the-ico/media-centre/news-and-blogs...


In Turkey, when the police stop you on a street they take a photo of your ID card and then send those images through WhatsApp to a police station. And then you wait for an answer. Happens very often.

Is there not a way to query a database with the ID from a phone?

Why the extra steps?


I am not aware of such a thing. Maybe they didn't want every police officer to query the database.

But it appears that there is a face recognition app: https://youtu.be/l8R6ZwSTLzU?t=105 (the guy using the app in the video was the interior minister).


I'm sure it's mostly used for convenience rather than anything nefarious. Most of my doctors are in a medical group that uses an app with built in messaging. It's at least an attempt to allow texting that's compliant.

So long as the fine is affordable, they will keep using it. Folks in the Finance industry using these apps are doing so for a reason.

I think the record is pretty good for banks switching behaviour after being fined for a specific failing. They do know that if they get caught doing the exact same thing again, the punishment will be more costly.

It's far cheaper (and more deniable) to find a slightly different way round the regulations, see if/when you get fined for that, then move on to something else again...


In my experience it's simply down to convenience rather than malice. You have all your colleagues' phone numbers, and you know that a WhatsApp message is going to fire a notification that will get noticed whereas an email may not.

Or that email will go to the "work phone" which isn't sitting on the sideboard somewhere rather than in the person's pocket.

That said, there aren't any banks that don't have a comprehensive employee training program on security and compliance, so "I didn't realise" isn't going to be a valid excuse.

That's not to say that there isn't any deliberately malicious use going on, but it's unlikely that malicious use would be uncovered.


No person on Earth (except a very reasonably suspected terrorist perhaps, because he could use that for an attack trigger) should ever be denied privacy. What if I worked at a bank and had to text something urgent to my dear? I would find it absolutely unacceptable for anybody to ever read that, no matter how innocent and banal our conversation would be. To me that would be equivalent to tapping into my brain and eavesdropping on my very thoughts.

As per the article, the issue is that employees were using encrypted messaging apps for work purposes. This is strictly forbidden by regulations, or at least failing to preserve your communications is.

I see... This sounds reasonable for some environments. But I doubt the banks are going to differentiate these, they will probably just ban private messengers altogether.

As someone who currently performs information risk management for a financial institution, I'll say that private messaging doesn't need to be banned per se. It's just that all company business is the responsibility of the leadership, so ultimately, business communications need to be reserved for business communication platforms over which leadership can enforce policy. Privacy is a component of this.

These banks needed processes and controls to ensure their requirements are being met: Records of electronic communication, technical security controls to ensure the privacy of protected communication, approved communication mediums/channels for different classifications of information, periodic reviews on the adequacy of these controls, etc.

Sometimes the restriction of things like WhatsApp, Signal, etc. are seen as an affront to individual privacy. That's not what this is about. This is about preventing a lot of dangerous scenarios, like:

1. Employees at your bank do something evil that's also against the law, but because they used Signal/WhatsApp, no records of the communication can be used as evidence in court.

2. The bank has invested millions upon millions into an information security program. Someone decides to use Signal/WhatsApp to share sensitive account numbers. Signal/WhatsApp ends up with a vulnerability that exposes the information, rendering the InfoSec program protections ineffective.

3. Like #2, but the information in WhatsApp/Signal is super important. The employees who kept it there all leave and/or get into fatal accidents. How will that impact the bank?

4. Your manager starts a group chat for the team via text message and conversations about work occur. Turns out someone in the conversation is involved with a scandal. Because you talked about work stuff outside of the approved comms channels, your personal phone can now be taken and used as evidence in a court (even if they can't pull the encrypted messages from it!)

It's just better for everyone to keep work communications in one place that the company has control over, and your personal device/apps totally separate from it.


To add to that, there is a difference between personal and professional freedoms. So at work (in some professions) people should have less right to privacy than in personal life. In addition to the examples above: police body cams, communications from politicians, drug tests for pilots or people working heavy machinery... Those things would be an affront to the average private citizen but are reasonable in some professional contexts.

You should really re-post this as a top-level comment because it essentially addresses everything in the comment section.

A baseline typical scenario when you have high compliance requirements etc. is a very strict separation of "personal devices" and "work devices", so these things don't really come up in the way described.

Why would you use work communication or devices for personal messaging? It is still entirely possible to use WhatsApp as a banker, you just can't use it while acting as a banker.

If that is such a concern, it seems as if you should use a personal device for personal matters. Personally I don't care and use devices for both personal and work matters, but if I did, I'd air gap the two uses.

Your phone calls would be recorded. So what is the difference?

Sounds like this is less about Signal/WA and more about them not archiving methods.

They could in theory run _e.g._ `sigtop` every couple of months and encrypt it (e.g. age or veracrypt).

It's a complicated workflow, but I imagine they have a pipeline for emails that isn't much less complicated, but also isn't E2EE.


WhatsApp at least has the possibility to back up messages, maybe Signal too.

It's harder on Signal but there are tools to do it on desktop.

https://github.com/tbvdm/sigtop


Cost of doing business - just a really expensive phone plan for collusion.

"Think of it as an investment!"

This headline is clickbait. The issue is banks not preserving records, something that the rules are ABUNDANTLY clear on.

The full headline is "...to evade regulators’ reach", which is much clearer.

I had a problem with including the full headline because only so many characters could be used in the title of the post.

Banks fined millions for using chat apps to evade regulators

That makes sense. The title character limit seems to be a cause of frequent confusion.

It does and the limit makes it come off as clickbait-y which I don't like.

Personally, I sympathize. Rewriting headlines here (when necessary) can be tough; it isn't a given that the optimal one will reveal itself.

You could have used

"Banks fined millions evading regulation with Signal & WhatsApp"

News headlines have rules they use to make for shorter sentences.

They'd probably write

"Banks fined millions, delete records, use E2E apps"


Here's a link to the actual press release: https://www.sec.gov/news/press-release/2023-149

It makes no mention of evading regulation. This fine is for a failure to retain written communications. Which is impossible to do for some of these communications channels.


Intent is harder to prove.

What do you think we should assume about your communications on encrypted channels? This entire thing is yet another federal effort to criminalize encrypted communications, and it even works on the HN crowd. All they have to say is "big banks bad" and people here go from freedom fighters to government pawns.

This has nothing to do with encryption. Banks are free to encrypt their communications. But they need to keep communication logs and make the plain text available to regulators in certain circumstances.

That's not what is happening here.

It's end to end encryption, as in, there are ends on each side where it is decrypted, usually for the humans to read. At the ends the records should have been maintained, the regulations aren't incompatible with E2E.

I'll respond to all three of you: yes it is difficult to retain all potentially work-related communications that take place on your employees' personal devices, so the alternative is to retain all communications.

It is absolutely incompatible with E2E encryption to mandate a third party access to one of the Es for surveillance purposes.


Not retaining written comms is evading regulations - "retain written comms" is one, and using Signal/WhatsApp is evading it.

Nobody working in banking is unaware of the written comms rules. Nobody using Signal or WhatsApp in that context is unaware they can't retain written comms. Can you prove intent? Probably not. Is it clear as daylight why this happened? Uh, yes.

And so the SEC hits them where it hurts at least a little bit, in the wallet.

Also, if you pay attention to the banking space... this is pretty much the usual cast of characters. There's absolutely no surprise.


Keep on carrying water for the NSA. We can live in a total surveillance world just by triggering you with "banks are bad."

People use iMessage/Signal/WhatsApp for myriad reasons: some good, some bad. There's no evidence in this case that any of what was said was in furtherance of a crime. The crime they've been fined for is that people--just people--were talking in totally normal communications channels, and their employer has failed to scrape one end of their E2E communications and save it to show to the SEC whenever it asks.


If you are working in banking, you know you are supposed to archive comms. If you then knowingly don't archive, you are deliberately sidestepping existing regulations.

That's a much stronger issue than "if you've got nothing to hide, you don't need secrecy" nonsense that I suppose your NSA comment is supposed to refer to. Nobody is making that argument here.

As for "it's just people talking" - what else do you suppose an "archive all communications" regulation refers to?

And sure there's no evidence. Hence my "can you prove intent" statement. But if it's a regulatory violation that other banks have already been fined for, years ago, and you still sidestep the regulation, there's a strong question why you keep sidestepping it.

If you don't like that, you might not want to work in a space with regulatory oversight.


You support heavy handed and intrusive violation of the privacy of all people who work in the financial sector. You support big brother. Sugar coat it all you want, but you're the one who is cheering on the NSA to de-network encrypted platforms that depend on network effects for our protection.

You might want to acquire reading skills.

I am talking about business communications in a regulated sector.


If you think that's what you're talking about, then go actually learn what happened. As it is, you're just being the NSA's "useful idiot" by trumpeting their agenda without realizing what you're supporting.

Signal and WhatsApp messages are trivial to retain - my company Hadrius does exactly this.


... and the records couldn't be preserved if the employees are using Signal and WhatsApp?

Correct. Neither Signal nor WhatsApp is integrated into any corporate messaging system, so the communication flowing through those apps, is neither archived nor discoverable.

How does that differ from a simple SMS message - afaik SMS isn't integrated in any corporate messaging system either...

Four levels of government and an ISP having an easily searched and/or subpoenaed copy of the message...?

What forum is this?


RCS is end-to-end encrypted.

Actually forgot this made it anywhere!

Any idea on the % adoption rate? Couldn't easily find it.


~40% according to the 'trust me bro' source from a large NA operator.

Thank you.

Yes, they are. Well beyond banks - it's a SOX compliance question for any publicly traded company.

not sure why you are being downvoted. in many cases sms is not approved for client communications for exactly this reason

SMS is integrated into the corporate messaging system on work mobile phones at banks (+ all calls recorded).

The headline isn't clickbait enough. Banks are using encrypted messaging to avoid leaving evidence.

For many institutions SMS and iMessage are not approved platforms for records retention, it doesn't really have anything to do with being E2E

It's still not clickbait. It's an honest headline, and a good one because it draws in the reader as is the point of a headline. Headlines are not supposed to replace the article which seems to be the real problem this thread has. The headline would still not be clickbait if they were fined for using sms and the article said "fined for using sms."

The real issue is that there are just fines, which sound like a lot of money but it’s a small cost of doing illegal or shady business for banks.

one that can be pushed on to customers, too.

can't push jail on customers...


The title is not clickbait. WhatsApp is known for being encrypted. Context provides the reasons why... this issue is not new.

"We are pleased to resolve this matter"

Nobody should ever be "pleased" with knowingly breaking the law. When will we ever get serious about law enforcement for this type of crime?


It's not a law. It's a regulation. There is a difference.

> When will we ever get serious about law enforcement for this type of crime?

No sooner than the day we abolish the profit motive.


Using WhatsApp is not a "crime". There were no laws broken. This is just some regulators giving out fines because they can't spy on employees' private messages.

If bureaucrats were on my ass about something so stupid, I would be very pleased once the matter was resolved.


It's a rule that upon being broken allows the SEC to fine you, which is why they are paying a bunch of money.

Are you saying that we should not be able to require banks of a certain size to keep records, so that the highway patrol officers of finance can economically pull you over when you're speeding? Or should we allow everyone to use fuzzbusters effectively making the law pointless?


> Are you saying that we should not be able to require banks of a certain size to keep records

No. I'm saying this is just some boring, annoying regulation, and your grandstanding about wanting people to feel bad about breaking laws is misguided.


No it isn't, the regulation is extremely important and helps keep the financial system following the law. The stakes are extremely high and monitoring records is the bare minimum we should be doing to protect ourselves from criminal financial actors.

Every rule is written in blood. We recently saw guys fixing the LIBOR for a tray of leftover sushi. Thankfully we have records of that.


> Every rule is written in blood.

Not really. This rule was written when the only form of written communication was paper mail and office memos.

It wasn't written with instant messaging in mind.


True but the rules for bank traders do cover this. The rules cover all traders.

In the 90s we had an IT contractor complaining the bank told him not to use a messaging app as the bank could not read it. The issue is the bank is at risk if communications were not recorded. At the time phones were already all recorded.


You also claim there were no laws broken. That is a false assertion. We don't know if there were laws broken.

The stakes of financial crime rise as the amount of money at play increases.

Requiring big players to help us ensure that they are playing by the rules is a requisite for preventing larger SVB-like situations from festering.


I have never been in a situation where my private messages could have been read by my employer. This is because I have always used the provided channels for work-related communication. There is no expectation of privacy in those channels so I do not conduct personal business there.

What's the solution for the banks here? Officially prohibiting those messenger apps but off-the-record recommending them on private phones to dodge regulators?

No, the traders would have to use approved messaging apps. The banks don't like not knowing, as it is easiest to defraud the company you are working for.

Yeah I’m sure it was all totally innocent

/s


>$549 million

Big headline grabbing number. But what % of their quarterly profit is that?

Slap on the wrist, I suspect.


Net income for Q2 of 2023 was reported as (this is Wells Fargo...) $4,938,000,000 so $549,000,000 is a little over 10%.

https://www08.wellsfargomedia.com/assets/pdf/about/investor-...


At this point I cannot understand why anybody would use Wells Fargo as their bank. WF has proven repeatedly that they are pretty much the opposite of what everybody thinks a good bank should be. Repeated law violations; repeated screwing-over of their customers. Why are they still in business?

As a WF customer... it's lock-in. The amount of work I would need to do to switch banks thanks to bill pay, auto-drafts, etc., is not worth the headache.

now that physical branches are not really a differentiator of big banks, a couple hours of your time spread out over a couple months is totally worth the switch to a credit union in lower fees, better service, and supporting a more local economy.

it's completely, undeniably worth it. unless you're a real big shot (worth millions in assets to the bank) who doesn't have to deal with the dehumanizing aspects of corporate "customer service", there is zero reason to be with anything other than a small local bank/credit union.


FWIW the handful of times I've dealt with WF customer service they've been helpful and friendly solving my problems easily.

My credit union on the other hand could not understand why I wouldn't give them my card number over the phone when they called me.


I don't think the issue is their customer service not being helpful; it's just that the bank is so predatory. Things like high fees ($10/month) for checking accounts being below a threshold or opening up bogus accounts for people.

I really hate to say it but their app and web interface are way better than my local credit union (who I also have an account with).

That convenience sucks to give up out of principle but it's long overdue in my case.


Can you switch bills to pull, rather than you push funds? My credit cards, for example pull from my bank. My last “push” payment—bank sends a check—was years ago for a small landlord that didn’t accept digital payments.

I tend to have operating funds in my credit union checking account. This is where most bills are paid from. Savings moves to whichever institution has the best rates.


I'm curious, what is the number of 'auto' things for you each month? Seems like there is a cool business idea in helping people work through this.

Of course, trust would be a huge issue, but assuming that could be resolved, I feel like switching banks should be something people do all the time.

You're leaving money on the table during a time where interest rates just keep going up and banks are becoming more and more competitive with each other on rates. You should be earning at least 5.15% on a market savings account today. I doubt WF would pay anywhere near that.


> Seems like there is a cool business idea in helping people work through this.

It seems crazy to me that that's so difficult in the US.

In the UK, you can open an account with a new bank and just tell them to switch over all your direct debits and give them the account number/sort code.

They'll contact your old bank, get everything moved across and get your old account closed on your behalf. The old bank is also obliged to reroute any payments from your old account for 6 months afterwards too IIRC


As far as I know, there is no service that banks offer to handle switching your direct debits. I mean, there probably is one, but I'm sure you have to have an account of a certain size for that level of customer service. I've just never seen this offered myself.

There is a good chance a credit union might offer that, but they aren't available to everyone as they often have membership requirements.

What others have suggested is the better route, minimize direct debits by using credit cards (which gets you 'free' CC points).

The other thing is to just use multiple banks... I have my 'debit' bank and then I move my savings around to whichever bank I can find with the highest savings rates (either CDs or money market accounts). I link just those two accounts together and can transfer funds as needed. I find that to be pretty easy now, but it took some getting used to.

I think a lot of people are afraid of opening a bunch of accounts in various places and having to track it all. The open account friction is pretty high... you generally have to do a two small deposit dance, which can take days. I have a theory that part of the fear could also stem from the fact that we penalize people's credit scores for opening too many credit card accounts... but the reality is that we don't do that with bank accounts.

We also have a culture of being afraid of touching our money. You're supposed to just put it in an account and forget about it. I think the mental barriers override the actual barriers.


I went through that once, and as a result I stopped using all forms of bank-initiated autopayments. Both so that I can be bank-mobile, but also so that things just don't bill me forever without me being aware of it.

I sort of see it like this: I want people taking my money to "hurt" as in I feel the process every time by having to go in and manually pay the bill. That way I cut things off that I don't want anymore if possible.

It's more work, something I normally despise, but it's with a purpose.


I feel like these days (at least in the US) it's less than a dozen bills/expenses that I have that can't be run through a credit card, making switching your "hub" checking account fairly easy to transition over the course of a couple of months.

IMO it is in your best interest to not use banks at all for personal finances, WF is just the most glaring exemplar of why not to. A better alternative are credit unions which are non-profit organizations set up to benefit their members. Strange to think about, but depositors are a liability to banks. Unless you're taking a loan from the bank you are not really a "customer" in their eyes.

> Strange to think about, but depositors are a liability to banks

Deposits at credit unions are also a liability to the credit union. The nonprofit and local angles, however, are germane.


Especially when in the US there's a whole bunch of great credit unions, smaller banks out there.

I suspect for most consumers they don't know or notice the difference, but I wish they did.


Yep. I've been WF free since the mid-late 90's. They've been at this as long as I've been using a bank (1980).

Credit Unions FTW!


WF was a good bank (to my knowledge) until they had a brain transplant by a bank in Minnesota in the late 90s.

https://en.m.wikipedia.org/wiki/Wells_Fargo


Basically every major bank is being fined for this behaviour. WF is a truly, uniquely terrible bank, but this incident is not proof of that.

For personal banking, I agree, there's not a lot to recommend them. I use a credit union.

For businesses, they might have the most attractive product and so you go with them. For example, they have an entire practice finance department that lends on favorable terms without SBA fees. However, they require using their checking account as a term of the loan. You could just fund the account and leave it, or use it.

The worst thing that has happened to me with them was they once allowed someone to cash a fake check using my account number. They put the money back but closed the account and I had to change over all my stuff to a new account number. I was a little disturbed that they didn't check the name on the account to the account number before approving the check.

But all of the other horror stories seem to happen on the consumer side.


How can they prove that business was discussed if records are not preserved

RE: Loan application

Mr. Smith, please review the updated terms on WhatsApp.


We are talking about inter-company communication. No one on Wall Street should be that stupid to mention something like this in email.

Presumably the same way my math teacher marked answers wrong when I didn't show my work.

All the government needs to do to get HN on board with criminalizing encrypted communications is to implicate a bank. Bear in mind, the SEC didn't find any actual criminal activity here. The banks just failed to retain the conversations that took place by their employees via encrypted channels (a necessary feature of encrypted communication).

It's up to the reader to speculate how much criminal activity took place in the conversations they failed to retain. I, for one, am certain it was all just brokers gabbing about American Idol.

You realize these are just people, right? People who work at banks are people like you and me. They can use iMessage to talk about whatever they want. Should we assume every single Google employee talking to another person in tech using iMessage was talking about how to subvert democracy or dark patterning a new scam? Or are they talking about what time dinner is, who's picking up the kids today, look at this meme, etc...

Dumb question: If these apps offer end-to-end encryption, how is anyone getting caught?

Lots of ways:

- A banker answers honestly when interviewed by the regulator because they decide it's better for the Bank to take the fine than lie to regulator and risk personal criminal charges (unlikely, but why take that risk?).

- Regulator asks for evidence of some documentation (like trade confirmation), compliance asks banker, banker doesn't have it and admits it was over this app.

- Whistleblower or other source makes the regulator believe there are prohibited communications and the regulator demands phones be turned over.

- Other similar banks are caught in violation, and regulator does sweep of similar banks and demands phones be turned over.

The regulator has the ability to shut down the bank. The bank can easily tell the banker to turn over an unlocked phone or face legal action. The banker then turns over the phone.


I'd delete all my messages before doing any of that. I'm not one for deceiving the regulators, but for lack of a better term when it comes to compliance, they cannot handle the truth.

For what it's worth, that's a path towards obstruction charges.


Reposting my comment here: https://news.ycombinator.com/item?id=37050595

As someone who currently performs information risk management for a financial institution, I'll say that private messaging doesn't need to be banned per-se. It's just that all company business is the responsibility of the leadership, so ultimately, business communications needed to be reserved for business communication platforms over which leadership can enforce policy. Privacy is a component of this. These banks needed processes and controls to ensure their requirements are being met: Records of electronic communication, technical security controls to ensure the privacy of protected communication, approved communication mediums/channels for different classifications of information, periodic reviews on the adequacy of these controls, etc.

Sometimes the restriction of things like WhatsApp, Signal, etc. are seen as an affront to individual privacy. That's not what this is about. This is about preventing a lot of dangerous scenarios, like:

1. Employees at your bank do something evil that's also against the law, but because they used Signal/WhatsApp, no records of the communication can be used as evidence in court.

2. The bank has invested millions upon millions into an information security program. Someone decides to use Signal/WhatsApp to share sensitive account numbers. Signal/WhatsApp ends up with a vulnerability that exposes the information, rendering the InfoSec program protections ineffective.

3. Like #2, but the information in WhatsApp/Signal is super important. The employees who kept it there all leave and/or get into fatal accidents. How will that impact the bank?

4. Your manager starts a group chat for the team via text message and conversations about work occur. Turns out someone in the conversation is involved with a scandal. Because you talked about work stuff outside of the approved comms channels, your personal phone can now be taken and used as evidence in a court (even if they can't pull the encrypted messages from it!)

It's just better for everyone to keep work communications in one place that the company has control over, and your personal device/apps totally separate from it.


The whole record keeping requirement for written correspondence generally seems completely unreasonable. Presumably telephone calls, zoom calls and in person meetings aren't recorded?

Why should that be different if it's written?


> Presumably telephone calls, zoom calls and in person meetings aren't recorded?

Of course they are.

No offense: Where have you been?


> Where have you been?

Working in education the last 10 years. I mean all of that seems really unreasonable if that's the case.

Where I work they took my work phone away because I wasn't using it enough. Now if I need to make a call, it's just with my cell phone. No way that's being recorded.

> in person meetings

Presume you don't sit down at the table and set up mics before you start talking?


Since when are they all recorded? It definitely wasn't the case ~15 years ago.

Way too much storage sitting in Utah for the conversations to not be kept for at least some time.

Obviously I can't show you.


> Presumably telephone calls, zoom calls and in person meetings aren't recorded?

Why do you presume that? Where I work every call is recorded.


How much data is that? Where is it stored? How is that achieved for the company-provided iPhones?

What do iPhones have to do with this?

When I was working in the banking sector a lot of employees were provided with mobile phones to conduct business. If nowadays there is a requirement to record everything, how are voice calls saved? In general for mobiles and in the case of iPhones specifically.

Where I work you absolutely can't use a mobile phone to conduct business. Traders have dedicated lines and those are recorded. Traders also have chats which are also saved. The rest of staff uses teams or whatever. I assume that's recorded as well, but no one cares if you use something else.

I once mentioned "slack" on a messaging platform at an investment bank and the compliance team came after me pretty quickly.

> Wells Fargo, the fourth-biggest U.S. bank by assets and a relatively small player on Wall Street, racked up the most fines on Tuesday, with $200 million in penalties.

> “We are pleased to resolve this matter,” said Wells Fargo spokeswoman Laurie Kight.

Unfortunate, penalty appears not big enough.

As another key responsibility, these individuals are forbidden from insider trading... which if they are not keeping records is basically not possible to police.


This won’t be fixed until bank executives are jailed. Otherwise they make more money than they are fined, so what is the incentive to stop?

or the fines are actually levied against the offending parties and leadership as opposed to sticking it to the shareholders

I work at a bank. I could send some bullshit MNPI to a coworker via whatsapp and get my boss fired?

Sweet!


Burden of proof should (and often does) require:

Intent,

pattern of doing business this way.


"work at a bank" != "banking executives"

"some bullshit MNPI to a coworker" != billion-dollar collusion/schemes

"fired" != "jailed"

I'm afraid I'll never understand this class of refutation that categorically misunderstands every component of a sentence.


If anyone is a glutton for punishment there are overlapping records requirements, but this is the one that is probably most relevant to those in the securities industry: https://www.finra.org/rules-guidance/key-topics/books-record...

"Firms may not permit the use of any type of electronic communication if they are unable to satisfy the applicable recordkeeping requirements with respect to that particular type of electronic communication."


Wells Fargo gross profit for the twelve months ending June 30, 2023 was $80.279B. Billion, with a B. A $0.5B fine is both a lot and nowhere near enough.

I imagine a smaller fine would be a more effective deterrent if it was directed at the C-suite instead of the whole corporation. Maybe a little jail time too, as a treat.


Wrong. That’s revenue, not profit.

To the surprise of no one, Matt Levine has written about this a few times (there's some other linked issues in here as well):

https://www.bloomberg.com/opinion/articles/2023-08-08/don-t-...

His is a pretty balanced take and raises some interesting points:

> I have argued that the SEC has aggressively expanded the recordkeeping requirements. In the olden days, almost all communication was informal and not recorded, and only formal decisions were memorialized in typed and carbon-papered memos, so the SEC had access only to a pretty limited slice of communications. Now, vastly more informal communication is text-based, and texting is a substitute for conversation, not for formal memos.

The rest of the piece and some of his related commentary in the area is worth a read.


I don't see a downside to expanding the record keeping requirements. Record keeping is easier than ever and frankly banks haven't proven themselves worthy of our trust. Sounds great to me.

I assume being able to have face to face off the record conversations providing plausible deniability to participants is one of the big reasons finance and other related businesses like to be in Manhattan.

Perhaps also a factor in why some managers prefer to manage employees in-person rather than remotely.

When it comes to avoiding the record, it doesn't have to be lofty corrupt/ish deals or schemes, but also cases like certain anti-union threats, or even plain personal power-tripping.


definitely a factor.

e.g. the C-level one-liner email that consists of "let's have a chat about this"

doesn't even have to be anything malicious, such as not wanting to socialize an idea until it's fully-baked or hiring for a new VP role


I don't think I disagree and I don't think Matt does either.

The point is that from a bank employee perspective, a hallway conversation, a text message, and a WhatsApp chat might seem pretty similar, and no one expected face to face chats to be memorialized in preserved records, so why the other two?

So in a meaningful sense, the requirements around preservation have expanded significantly, and it shouldn't be a surprise that a lot of banks ended up breaking the rules.

As he writes in another piece (https://news.bloomberglaw.com/mergers-and-acquisitions/matt-...):

> My point here is that when these rules were written, it would have been absurd to say that brokers had to “appropriately conduct their communications about business matters within only official channels.” Everyone understood, in 1948, that only a small sliver of business was conducted in formal letters and memoranda, and that mostly you’d talk about business face-to-face. “As technology changes,” lots of forms of written electronic communication become substitutes not for memoranda, but for face-to-face conversation. So the SEC’s requirements constantly become broader. If you just talk to your colleagues in person, the SEC does not expect you to preserve that. Once you move that chat to WhatsApp, it does.

Now the SEC has run around fining a bunch of institutions and sent a message, and so you can expect compliance will improve.

As an aside, you'll notice that piece was written nearly a year ago, so this isn't exactly a new story.


There’s a reason that lawyers and criminals prefer phone calls. If you make records, you’re gonna have to produce them when investigated.

To quote Stringer Bell from The Wire: “Is you taking notes on a criminal fucking conspiracy?”


Work in the sector and once the investigations / fines came out massive notifications went out across the board reminding everyone not to use unapproved comms.

Was this used for nefarious purposes - possibly - but more likely it was general communications between team members using a platform that is more comfortable to them than either 1st party tools or something approved like Teams. 99.9% of this was likely reminders for meetings, attendance and coverage messages, a message to a team member who timezone shifted from you and may be off and you need an answer, etc. I'd guess most people involved didn't even consider the record keeping because their day to day jobs don't involve actual trading info, and the "encryption" of those services likely made them feel more comfortable than they should.

Not trying to excuse the behavior - yes the record keeping is important - but I think it's also important to realize this was likely largely innocent.


This is a pretty weak excuse. It's not hard to keep your work comms in the approved software.

I would tell people to fuck off if they wanted to invade my personal device with work chatter. Boundaries are good


great - however you are one person, the large banks involved here have staff of a few hundred thousand each across several countries and with various backgrounds and norms, many who are also friends and have contact with each other outside of office hours.

I agree, one needs to keep work comms on approved software, I'm simply stating that while it's fun to be like "oohh big bad bank was hiding secret convos" it was more likely "janet i'm out today can you take the meeting with svp of <insert corp>"

Put another way context matters in terms of how the public should react to the news, not so much the result (fines) or the regulations / requirements.


Literally the only reason to use Signal is to talk about unionizing, drugs, or shady biz deals.

Texting your coworker would be the usual path, not some secondary software that requires both people to set up ahead of time.


... sure ... "Literally" ... wow

You do realize there are many places in the world where WhatsApp is the de facto standard tool to communicate, correct?



Just a few millions? Doubt they'll even notice

Jail time is a penalty that can't be transferred over to customers.

Worked in an investment bank, although not in a client facing role, and it's not quite as simple as it seems - if your client reaches out with a question via text or WhatsApp, technically you should redirect them to use your bank's secure messaging app of choice.

The problem is no one has ever heard of Symphony, doesn't want to install it so they can ask a simple question, and the user experience is meh at best. If you do the right thing, clients would likely perceive you as difficult to work with and perhaps go elsewhere. To some extent, the inevitable fines might be seen as a necessary cost of doing business. So a pretty severe crackdown was necessary to ensure everyone is properly incentivized to inflict this pain upon clients.


Okay, hear me out: force banks to adopt blockchain, but just for their DMs.
