A settlement is near in the US involving banks' illegal use of personal messenger apps. The banks involved, including UBS, are facing fines of up to $200 million each, according to media reports.

Banks, which for months have been subject to investigations by the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) into unauthorized communication via messaging apps, are close to reaching an agreement, according to a report in the «Wall Street Journal» (behind paywall), citing sources familiar with the matter.

The banks under investigation would concede in a settlement their employees violated regulatory requirements by using personal messaging apps such as WhatsApp or Signal. The fines are expected to be up to a total of $200 million per bank, according to the report, with the cumulative amount likely to exceed $1 billion. The settlement is expected to be announced by the end of September.

September Settlement

The affected banks include UBS, Bank of America, Barclays, Citigroup, Deutsche Bank, Goldman Sachs, and Morgan Stanley, according to the statement. Jefferies and Nomura are also said to be close to reaching an agreement with regulators, but due to their smaller size, they would pay lower fines.

The SEC and CFTC planned to announce the settlements by the end of the fiscal year on September 30, so that the results could be included in the government's annual enforcement statistics. Neither the agencies nor the banks would comment to the newspaper.

JP Morgan as Benchmark

The expected settlements would be modeled on the agreement reached with the brokerage unit of JP Morgan Chase last December, in which JP Morgan Securities paid $200 million. That included a $125 million payment to the SEC and $75 million to the CFTC, and an admission of a failure of due diligence in record keeping.

Authorities have been investigating how traders and brokers used encrypted apps to discuss investment terms, client meetings, and other business. Brokerage firms are required to retain and monitor their employees' written communications to provide evidence to regulators examining compliance with investor protection laws.

Gateway for Hackers

With the onset of the pandemic and the introduction of the home office, the use of these non-compliant channels increased. In addition to compliance violations, authorities are also concerned about security vulnerabilities that can arise from mixing work and personal apps as well as devices, which could allow hackers to gain access to sensitive systems, according to the paper.

Still, given the multiple points of vulnerability, it is likely to remain difficult for banks to completely police the use of such apps, as finews.com reported. Given that a messaging service goes through a user’s entire phonebook and uploads all contacts – potentially including client contact information – to a server located abroad, installing the chat app can represent a violation of the banking act and banking secrecy laws.

«The sheer act of installing WhatsApp, for example, on an unprotected phone can pose more than just a data breach,» Urs Kuederli, PwC Switzerland's cybersecurity and privacy lead, told finews.com in a January interview.