The use of end-to-end encrypted messaging services by staff on personal devices poses significant challenges to regulated firms subject to record keeping requirements. This significant fine from Ofgem (brought under the REMIT regime for gas and electricity trading, but with implications for financial services firms more widely) serves as a reminder that the regulators are continuing to focus on the use of such systems, where they cut across record keeping requirements. Firms will need to show not only that they have appropriate policies and procedures in place, but also that they are embedded, acted upon and tailored as circumstances change.
The Electricity and Gas (Market Integrity and Transparency) (Enforcement etc) Regulations 2013, SI 2013/1389 (the REMIT Enforcement Regulations) confer significant powers on Ofgem to impose civil financial penalties for breaches of REMIT. [1]
Regulation 8 contains a requirement on firms to record and retain 'relevant communications' and to enable Ofgem to have access to these, including for enforcement purposes. However, Regulation 8(6) goes further and places a specific obligation on the firm to take reasonable steps to prevent the making, sending or receiving of any relevant communication (including on privately-owned equipment) that it cannot ensure is recorded, or of which a copy cannot be retained as part of record keeping requirements.
On 23 August 2023, Ofgem announced a fine of approximately £5.4m against an investment bank for breach of regulation 8 of the REMIT Enforcement Regulations. This fine is the first of its kind by Ofgem in respect of regulation 8 requirements. The reasoning focused on the firm's approach to the obligation to prevent the making, sending or receiving of relevant communications (in this case WhatsApp instant messages) that it could not ensure were recorded and retained.
We consider the decision is significant not only for energy firms subject to REMIT, but for financial services firms more widely. The FCA's Handbook contains similar (though not identical) requirements to the ones Ofgem enforced in this case, particularly in SYSC chapters 9.1 and 10A (at 10A.1.6R and following). [2] SYSC 10A.1.7R, for example, requires a firm within scope to "take all reasonable steps to prevent an employee or contractor from making, sending, or receiving relevant telephone conversations and electronic communications on privately-owned equipment which the firm is unable to record or copy". The PRA Rulebook (Record Keeping section) also imposes broad record keeping requirements on firms relating to the PRA's supervision and enforcement activity.
Ofgem's Final Notice focusses on systems and controls: the extent and effectiveness of the firm's measures to prevent the use of non-company approved messaging systems for company business, and to ensure that relevant communications were recorded and retained. There is no suggestion in the Final Notice that any wrongdoing by individuals was missed.
Ofgem found the firm did have policies in place to prohibit the use of non-company approved messaging systems, and that it 'took some steps to try and ensure the policy was conveyed to employees'. However, it also found that, prior to March 2020 (the end of the period covered by the Final Notice), the measures it took were not sufficient to meet the requirements of regulation 8.
In particular, Ofgem found that during the relevant period the firm did not assess the risks of non-compliance with its policies, or take reasonable steps to monitor compliance with them.
However, in March 2020, the firm strengthened its compliance regime by:
A key learning from the case is that Ofgem found the firm's original (pre-2020) approach (which in our experience is relatively common – including email reminders to staff and a requirement on them to sign an undertaking not to use unofficial means of communication) was not sufficient to meet the 'take reasonable steps to prevent' requirement.
Ofgem took a broader approach, covering not just the existence and acknowledgement of the policies and procedures, but also the firm's measures to understand the risk of non-compliance and to ensure that policies were enforced (including, where appropriate, via the conduct of an internal investigation). The measures Ofgem appears to have expected and found were satisfactory did however focus on people (staff training, discipline, etc) rather than on technology. This approach appears to recognise, at least implicitly, that, on the current law and technology, end-to-end encrypted messaging systems on personal devices cannot themselves usually be monitored using technology in the way other systems can.
In our view, Ofgem's enforcement decision sends a strong message to energy firms regulated under REMIT that they will need to be able to demonstrate not only the existence of policies and procedures, but also effective enforcement of them. We believe, however, that there are useful lessons from this case for financial services firms more generally, as Ofgem's approach is likely to be shared by other regulators including the FCA and PRA. It can also reasonably be seen as a part of a pattern of enforcement action around this issue.
Regulatory focus on end-to-end encrypted messaging services is not new. Seen from a regulator's perspective, there are clear risks of such systems being used for unlawful purposes (for example insider dealing, price fixing, market abuse or similar) whilst at the same time enabling the user to avoid the creation of evidence and/or to evade detection.
In January 2021, during the Covid-19 pandemic, the FCA highlighted the rapid transition to home working and associated increases in the use of unmonitored and/or encrypted communication applications to send and receive business-related information. Firms were reminded of the need to record and make these communications auditable, and of the need for robust policies and training. The FCA commented in particular:
"Firms should assess policies and controls for the use of privately owned devices to connect to their organisational networks and access work-related systems and potentially sensitive or confidential data, to ensure that these provide sufficient scope for effective recording. This might include ensuring clear policies banning the use of privately owned devices for in-scope activities where recording cannot be carried out by the firm."
In October 2022, the FCA was reported to be asking banks for information on the use of WhatsApp by staff, conducting a stock-taking exercise on various players in the financial sector. The FCA's information requests were said to focus on frequency, content, and purpose of staff exchanges through texting on personal devices, and were directed at a range of UK authorised firms, not limited to those already subject to existing regulatory enquiries.
There have also been a number of examples of UK enforcement activity in which end-to-end encrypted messaging services have featured. These include:
There has also been extensive enforcement in this area elsewhere in the world, particularly in the United States.
Generative AI has already been widely adopted in some investment activities, for example through the use of chat-bots to give clients instant pricing and analytics. The fact that it is a machine and not a person doing the communicating does not alter the record keeping requirements. GenAI technology creates its own issues in relation to data collection and retention, and firms should position themselves to be able to demonstrate that these issues have been both identified and tackled in a way which meets the regulatory standards.
The recent Ofgem enforcement is an example of a regulatory authority holding a firm to account for failing to take reasonable steps to prevent communications that it could not record or retain. It provides some indication of the kinds of steps that are to be considered reasonable. We consider it is of significance not only to energy firms and those subject to REMIT, but also to financial services firms more widely.
Recognising that, by their nature, end-to-end encrypted messaging services installed on personal devices are generally outside of firms' monitoring capabilities, at least on current law and technology, firms need to be able to demonstrate the steps taken to restrict their use, to deal effectively with breaches where those come to light, and to enforce relevant policies and procedures generally.
[1] REMIT, or more specifically Regulation (EU) No 1227/2011 on wholesale energy market integrity and transparency, retained in UK law post-Brexit by means of regulation 1 of the Electricity and Gas (Market Integrity and Transparency) (Amendment) (EU Exit) Regulations 2019, SI 2019/534, governs the integrity of the UK's wholesale energy markets and sets out a regulatory framework designed to promote good conduct and restrict market abuse. The relevant conduct regulator, the UK's Gas and Electricity Markets Authority, acting via the Office of Gas and Electricity Markets (Ofgem), is responsible for enforcing standards and sanctioning those who fall short.
[2] These apply to some but not all financial services firms.
Next steps
We can help our clients to put in place effective controls around this issue. Should you wish to discuss these matters further, do not hesitate to contact one of the authors:
David Pygott
Gilly Bradbury
Minos Lau
Partner, Finance Disputes and Investigations
London, UK
Principal Knowledge Lawyer, Global Investigations
London