BaseballPhysics · 2 years ago
To the surprise of no one, Matt Levine has written about this a few times (there's some other linked issues in here as well):

https://www.bloomberg.com/opinion/articles/2023-08-08/don-t-...

His is a pretty balanced take and raises some interesting points:

> I have argued that the SEC has aggressively expanded the recordkeeping requirements. In the olden days, almost all communication was informal and not recorded, and only formal decisions were memorialized in typed and carbon-papered memos, so the SEC had access only to a pretty limited slice of communications. Now, vastly more informal communication is text-based, and texting is a substitute for conversation, not for formal memos.

The rest of the piece and some of his related commentary in the area is worth a read.

mvdtnz · 2 years ago
I don't see a downside to expanding the record keeping requirements. Record keeping is easier than ever and frankly banks haven't proven themselves worthy of our trust. Sounds great to me.
BaseballPhysics · 2 years ago
I don't think I disagree and I don't think Matt does either.

The point is that from a bank employee perspective, a hallway conversation, a text message, and a WhatsApp chat might seem pretty similar, and no one expected face to face chats to be memorialized in preserved records, so why the other two?

So in a meaningful sense, the requirements around preservation have expanded significantly, and it shouldn't be a surprise that a lot of banks ended up breaking the rules.

As he writes in another piece (https://news.bloomberglaw.com/mergers-and-acquisitions/matt-...):

> My point here is that when these rules were written, it would have been absurd to say that brokers had to “appropriately conduct their communications about business matters within only official channels.” Everyone understood, in 1948, that only a small sliver of business was conducted in formal letters and memoranda, and that mostly you’d talk about business face-to-face. “As technology changes,” lots of forms of written electronic communication become substitutes not for memoranda, but for face-to-face conversation. So the SEC’s requirements constantly become broader. If you just talk to your colleagues in person, the SEC does not expect you to preserve that. Once you move that chat to WhatsApp, it does.

Now the SEC has run around fining a bunch of institutions and sent a message, and so you can expect compliance will improve.

As an aside, you'll notice that piece was written nearly a year ago, so this isn't exactly a new story.

lotsofpulp · 2 years ago
I assume being able to have face to face off the record conversations providing plausible deniability to participants is one of the big reasons finance and other related businesses like to be in Manhattan.
enterthematrix · 2 years ago
This headline is clickbait. The issue is banks not preserving records, something that the rules are ABUNDANTLY clear on.
richbell · 2 years ago
The full headline is "...to evade regulators’ reach", which is much clearer.
ikue · 2 years ago
I had a problem with including the full headline because only so many characters could be used in the title of the post.
alexfromapex · 2 years ago
The real issue is that there are just fines, which sound like a lot of money but it’s a small cost of doing illegal or shady business for banks.
red-iron-pine · 2 years ago
one that can be pushed on to customers, too.

can't push jail on customers...

cebsoto · 2 years ago
The title is not clickbait. WhatsApp is known for being encrypted. Context provides the reasons why... this issue is not new.
bonestamp2 · 2 years ago
... and the records couldn't be preserved if the employees are using Signal and WhatsApp?
macspoofing · 2 years ago
Correct. Neither Signal nor WhatsApp is integrated into any corporate messaging system, so the communication flowing through those apps is neither archived nor discoverable.
pessimizer · 2 years ago
The headline isn't clickbait enough. Banks are using encrypted messaging to avoid leaving evidence.
balderdash · 2 years ago
For many institutions SMS and iMessage are not approved platforms for records retention, it doesn't really have anything to do with being E2E
dreamcompiler · 2 years ago
At this point I cannot understand why anybody would use Wells Fargo as their bank. WF has proven repeatedly that they are pretty much the opposite of what everybody thinks a good bank should be. Repeated law violations; repeated screwing-over of their customers. Why are they still in business?
H4lcyon · 2 years ago
IMO it is in your best interest to not use banks at all for personal finances, WF is just the most glaring exemplar of why not to. A better alternative are credit unions which are non-profit organizations set up to benefit their members. Strange to think about, but depositors are a liability to banks. Unless you're taking a loan from the bank you are not really a "customer" in their eyes.
JumpCrisscross · 2 years ago
> Strange to think about, but depositors are a liability to banks

Deposits at credit unions are also a liability to the credit union. The nonprofit and local angles, however, are germane.

projektfu · 2 years ago
For personal banking, I agree, there's not a lot to recommend them. I use a credit union.

For businesses, they might have the most attractive product and so you go with them. For example, they have an entire practice finance department that lends on favorable terms without SBA fees. However, they require using their checking account as a term of the loan. You could just fund the account and leave it, or use it.

The worst thing that has happened to me with them was they once allowed someone to cash a fake check using my account number. They put the money back but closed the account and I had to change over all my stuff to a new account number. I was a little disturbed that they didn't check the name on the account to the account number before approving the check.

But all of the other horror stories seem to happen on the consumer side.

duxup · 2 years ago
Especially when in the US there's a whole bunch of great credit unions, smaller banks out there.

I suspect for most consumers they don't know or notice the difference, but I wish they did.

BaseballPhysics · 2 years ago
Basically every major bank is being fined for this behaviour. WF is a truly, uniquely terrible bank, but this incident is not proof of that.
clsec · 2 years ago
Yep. I've been WF free since the mid-late 90's. They've been at this as long as I've been using a bank (1980).

Credit Unions FTW!

mixmastamyk · 2 years ago
WF was a good bank (to my knowledge) until they had a brain transplant by a bank in Minnesota in the late 90s.

https://en.m.wikipedia.org/wiki/Wells_Fargo

jermaustin1 · 2 years ago
As a WF customer... it's lock-in. The amount of work I would need to do to switch banks thanks to bill pay, auto-drafts, etc, is not worth the headache.
clairity · 2 years ago
now that physical branches are not really a differentiator of big banks, a couple hours of your time spread out over a couple months is totally worth the switch to a credit union in lower fees, better service, and supporting a more local economy.

it's completely, undeniably worth it. unless you're a real big shot (worth millions in assets to the bank) who doesn't have to deal with the dehumanizing aspects of corporate "customer service", there is zero reason to be with anything other than a small local bank/credit union.

balderdash · 2 years ago
I feel like these days (at least in the US) it's less than a dozen bills/expenses that I have that can't be run through a credit card, making switching your "hub" checking account fairly easy to transition over the course of a couple of months.
latchkey · 2 years ago
I'm curious, what is the number of 'auto' things for you each month? Seems like there is a cool business idea in helping people work through this.

Of course, trust would be a huge issue, but assuming that could be resolved, I feel like switching banks should be something people do all the time.

You're leaving money on the table during a time where interest rates just keep going up and banks are becoming more and more competitive with each other on rates. You should be earning at least 5.15% on a market savings account today. I doubt WF would pay anywhere near that.

Vicinity9635 · 2 years ago
I went through that once, and as a result I stopped using all forms of bank-initiated autopayments. Both so that I can be bank-mobile, but also so that things just don't bill me forever without me being aware of it.

I sort of see it like this: I want people taking my money to "hurt" as in I feel the process every time by having to go in and manually pay the bill. That way I cut things off that I don't want anymore if possible.

It's more work, something I normally despise, but it's with a purpose.

clintonb · 2 years ago
Can you switch bills to pull, rather than you push funds? My credit cards, for example pull from my bank. My last “push” payment—bank sends a check—was years ago for a small landlord that didn’t accept digital payments.

I tend to have operating funds in my credit union checking account. This is where most bills are paid from. Savings moves to whichever institution has the best rates.

SteveNuts · 2 years ago
I really hate to say it but their app and web interface are way better than my local credit union (who I also have an account with).

That convenience sucks to give up out of principle but it's long overdue in my case.

FirmwareBurner · 2 years ago
Ha, in Europe WhatsApp is even used by doctors and teachers to discuss patient/student matters, and even some government offices use it.

It's wild how entrenched it is in every aspect of society, from social to business.

Goes to show you how far good UX, simplicity and ease of use can take you.

seanalltogether · 2 years ago
At least in the UK, group messaging over sms was always broken, and sending pictures still costs me extra money. The phone carriers brought it on themselves.
OO000oo · 2 years ago
It's not the phone carriers' problem FYI.
pessimizer · 2 years ago
The phone companies aren't bothered. You're the one locked into facebook.
polar · 2 years ago
I hope [1] is an example of that tide turning.

[1] ICO reprimands NHS Lanarkshire for sharing patient data via WhatsApp - https://ico.org.uk/about-the-ico/media-centre/news-and-blogs...

Jcampuzano2 · 2 years ago
Same practically everywhere in South America. You basically could not survive without using WhatsApp due to its prevalence.
tootie · 2 years ago
I'm sure it's mostly used for convenience rather than anything nefarious. Most of my doctors are in a medical group that uses an app with built in messaging. It's at least an attempt to allow texting that's compliant.
darkhorn · 2 years ago
In Turkey when police stop you on a street they take a photo of your ID card and then send those images through WhatsApp to a police station. And then you wait for an answer. Happens very often.
siruncledrew · 2 years ago
Is there not a way to query a database with the ID from a phone?

Why the extra steps?

WinstonSmith84 · 2 years ago
Also security. WhatsApp end-to-end encryption or even better, Signal where messages can't be replicated to any other device is more reassuring than a custom implementation ...

But it looks like this lawsuit is exactly about the opposite, that messages cannot be accessed and reviewed easily. It's also easy to understand why banks prefer using secured applications like Signal when discussing secret deals rather than taking the risk that such conversations leak to e.g. competitors...

Zak · 2 years ago
Signal is not designed for situations where an intended recipient is intentionally aiding an eavesdropper. It does not prevent an intended recipient from making copies of messages via the regular clipboard even with disappearing messages turned on, and even if it did, could not stop someone from taking a video of their screen.
mrighele · 2 years ago
I doubt that more than 1% of people using WhatsApp actually care about E2E encryption
bombolo · 2 years ago
> WhatsApp end-to-end encryption or even better

so they claim… not that fb has ever given us a reason to trust them.

hdesh · 2 years ago
Same in India.
croes · 2 years ago
How often is the use GDPR compliant?

I guess people don't care unless someone sues

freetanga · 2 years ago
Well, banks need this to prove they are not fixing price rates (e.g. as the Libor Scandal about 10y ago), and that they did their part in KYC and prevention of AML for the client, or that they did not mis-sell a product in case of a legal procedure or claim.

So everything is recorded, encrypted, some is monitored in near RT by engines, and only accessed by human employees when necessary. A full log of who accessed what is kept.

This falls under Fair Use (not sure about the exact term) under GDPR, as it is a sensible way for the bank to uphold their legal obligations.

FirmwareBurner · 2 years ago
It's not GDPR compliant but some governments don't offer any alternatives.
bombolo · 2 years ago
Never heard of it. Perhaps not in the entire europe?
stefncb · 2 years ago
I've lived in both eastern and western Europe and it's used a lot almost everywhere. As far as I can tell, the more Russian-influenced countries tend to use other services.

It's still crazy to me how people use Viber en masse in a lot of those places. The UX is abysmal and it's full of manipulative ads. Habits are hard to change.

phito · 2 years ago
Definitely not everywhere. It's not widely used in my country.
FirmwareBurner · 2 years ago
Can't speak for the entire Europe obviously, usage varies from country to country, but where I've been it's pretty well entrenched for both social and business.
rospaya · 2 years ago
> Never heard of it. Perhaps not in the entire europe?

Never heard of Whatsapp? Try removing the comments where you talk about it then.

KomoD · 2 years ago
Yeah, not entirely.
ChrisArchitect · 2 years ago
or how stupid people can be convinced that this is an SMS replacement because it uses phone numbers (When really it's just another internet messaging app that uses phone numbers as IDs). It took off due to social pressure in places with bad mobile texting networks. That's all.
djmips · 2 years ago
Why does that have to involve people being stupid?
pipo234 · 2 years ago
Are US bank employees prohibited from discussing financial matters using anything but official channels (email, paper?) per se OR is this about using other channels and failing to preserve records of the conversations?
polygamous_bat · 2 years ago
AFAIK you are allowed to use any channel as long as you preserve records of the conversation. However, meeting the standards for preservation is quite difficult, which is why employees of financial institutions are generally told not to communicate outside person-to-person, or channels vetted by their company (and lawyers thereof).
dundarious · 2 years ago
Also, compliance teams want live or near-live access, and do run dynamic filters on that live content. I can’t imagine a non-criminal* compliance team accepting a solution that is T+1 or that depends on manual action from the employee.

* I’m barely using hyperbole

veave · 2 years ago
It's a bit weird that even though they can communicate person-to-person, where records won't be kept, they are supposed to keep records of electronic communication.
SilasX · 2 years ago
So ... you aren't obligated to preserve records of the conversation if the channel is "in person", then.
pipo234 · 2 years ago
Thanks! That makes a lot of sense.
Sunspark · 2 years ago
Such a waste of time trying intently to regulate and control communication.

People will just get a second private device that is not managed by the organization, and if there is a mutually beneficial advantage to doing so, the other party will do the same as well.

This has been going on forever, I remember when they kicked up a huge fuss when they found out that people were doing direct pin-to-pin messages on the blackberry (was not logged for boss to read at the time).

loeg · 2 years ago
So the law as written regards keeping records of inter-office memoranda, but the regulators have cheerfully expanded the scope of this to include essentially all communication by bank employees (except maybe phone calls).
Sunspark · 2 years ago
No, it includes calls now. Traditional calls over copper telephone lines are not recorded, but digital calls over MS Teams or whatever are recorded and kept for review.

You still need a secondary device if you want to have a private conversation.

whycome · 2 years ago
We're in a time where these tools have replaced face to face conversations -- and those previous conversations never required record keeping.
ikue · 2 years ago
It is a record keeping issue from what they discussed and the same thing was said in an article at ComputerWorld. https://www.computerworld.com/article/3668574/banks-face-a-w...
ajross · 2 years ago
No, that's just what the outrageous clickbait headline[1] fooled you into thinking.

The banks aren't being fined for using Signal or WhatsApp or any particular technology, they're being fined for failing to keep records of regulated communication they're required by law to present for auditing. Obviously if you use tools that don't keep records, you need to find a way to save it yourself.

[1] Bad in the CNBC original, but actually truncated here on HN to remove the explanatory clause. The original reads "Banks hit with $549 million in fines for use of Signal, WhatsApp to evade regulators’ reach"

1MachineElf · 2 years ago
Reposting my comment here: https://news.ycombinator.com/item?id=37050595

As someone who currently performs information risk management for a financial institution, I'll say that private messaging doesn't need to be banned per se. It's just that all company business is the responsibility of the leadership, so ultimately, business communications needed to be reserved for business communication platforms over which leadership can enforce policy. Privacy is a component of this. These banks needed processes and controls to ensure their requirements are being met: Records of electronic communication, technical security controls to ensure the privacy of protected communication, approved communication mediums/channels for different classifications of information, periodic reviews on the adequacy of these controls, etc.

Sometimes the restriction of things like WhatsApp, Signal, etc. are seen as an affront to individual privacy. That's not what this is about. This is about preventing a lot of dangerous scenarios, like:

1. Employees at your bank do something evil that's also against the law, but because they used Signal/WhatsApp, no records of the communication can be used as evidence in court.

2. The bank has invested millions upon millions into an information security program. Someone decides to use Signal/WhatsApp to share sensitive account numbers. Signal/WhatsApp ends up with a vulnerability that exposes the information, rendering the InfoSec program protections ineffective.

3. Like #2, but the information in WhatsApp/Signal is super important. The employees who kept it there all leave and/or get into fatal accidents. How will that impact the bank?

4. Your manager starts a group chat for the team via text message and conversations about work occur. Turns out someone in the conversation is involved with a scandal. Because you talked about work stuff outside of the approved comms channels, your personal phone can now be taken and used as evidence in a court (even if they can't pull the encrypted messages from it!)

It's just better for everyone to keep work communications in one place that the company has control over, and your personal device/apps totally separate from it.

jszymborski · 2 years ago
Sounds like this is less about Signal/WA and more about them not archiving methods.

They could in theory run _e.g._ `sigtop` every couple of months and encrypt it (e.g. age or veracrypt).

It's a complicated workflow but I imagine they have a pipeline for emails that isn't much less complicated, but also isn't E2EE.

developer93 · 2 years ago
WhatsApp at least has the possibility to back up messages, maybe signal too.
jszymborski · 2 years ago
It's harder on Signal but there are tools to do it on desktop.

https://github.com/tbvdm/sigtop

monkeywork · 2 years ago
Work in the sector and once the investigations / fines came out massive notifications went out across the board reminding everyone not to use unapproved comms.

Was this used for nefarious purposes - possibly - but more likely it was general communications between team members using a platform that is more comfortable to them than either 1st party tools or something approved like teams. 99.9% of this was likely reminders for meetings, attendance and coverage messages, a message to a team member who timezone shifted from you and may be off and you need an answer etc. I'd guess most people involved didn't even consider the record keeping because their day to day jobs don't involve actual trading info, and the "encryption" of those services likely made them feel more comfortable than they should.

Not trying to excuse the behavior - yes the record keeping is important - but I think it's also important to realize this was likely largely innocent.

alx__ · 2 years ago
This is a pretty weak excuse. It's not hard to keep your work comms in the approved software.

I would tell people to fuck off if they wanted to invade my personal device with work chatter. Boundaries are good

monkeywork · 2 years ago
great - however you are one person, the large banks involved here have staff of a few hundred thousand each across several countries and with various backgrounds and norms, many who are also friends and have contact with each other outside of office hours.

I agree, one needs to keep work comms on approved software, I'm simply stating that while it's fun to be like "oohh big bad bank was hiding secret convos" it was more likely "janet i'm out today can you take the meeting with svp of <insert corp>"

Put another way context matters in terms of how the public should react to the news, not so much the result (fines) or the regulations / requirements.