
The Death of BYOD Within Financial Services?

By Tom Cipolla | January 24, 2023 | 4 Comments


Prior to Gartner, I spent most of my career in financial services. Mobile BYOD has been an integral part of our strategy for as long as I can remember. But when fines of more than $2 billion were recently levied against many Wall Street firms, it certainly caught my attention. What does this mean for the future of BYOD in financial services?

BYOD within financial services is not a new trend

Mobile BYOD programs have risen to mainstream status over the years. Organizations replaced tightly managed corporate devices with lightly managed personal devices primarily to save money and labor. The savings often failed to fully materialize, because many states and countries require employers to reimburse employees for personal device use. So, many pivoted to positioning their BYOD program as a way to improve employee experience. It is true that enabling employees to use the device they love in their personal life can improve their experience. But what is the cost to the organization?

Many financial services employees are subject to record keeping regulations

Financial services firms are no different in their adoption of BYOD over the years. However, a key complication is the requirement to monitor and archive ALL pertinent electronic communications. Relevant government rules and regulations include:

  • United States: Securities and Exchange Commission (SEC) 17(a)(1) and 17(a)(4)[1]; FINRA rules 3110 and 3120[2]; Section 204 of the Investment Advisers Act and Rule 204-2(a)(7)[3]
  • United Kingdom: Financial Conduct Authority (FCA) SYSC 9.1 and 10A.1.6, and Conduct of Business Sourcebook (COBS) 11.8[4]
  • European Union: ESMA MiFID II[5]
  • Japan: Financial Services Agency Supervisory Guidelines[6]
  • Monetary Authority of Singapore: Financial Advisers Regulations (Section 25)[7]

Watershed Moment

The SEC and CFTC fines were focused on the failure to preserve communications about business matters made through unapproved and unmonitored messaging applications on personal devices. While these firms had implemented policies specifically prohibiting communications via non-approved applications, the SEC and CFTC found that they did not adequately monitor their employees’ use of devices to ensure adherence to those policies. Until these fines, the common belief was that it was sufficient to instruct employees to use only specific apps for work activities, ensure awareness of these requirements, and require employee policy attestation. Regulatory authorities did not agree.

It is now logical to assume that most financial services organizations with mobile BYOD programs for regulated employees could be fined due to a lack of compliance with electronic communications regulations.

Inalienable right to privacy complicates BYOD

The right to privacy is generally considered an inalienable right, defined as a right that may not be ceded or transferred away even with the consent of the holder. This conflicts with the organization’s requirement to completely ensure compliance with regulations. Since complete manual or electronic inspection of an employee’s personal device is nearly impossible, most organizations rely on employee attestations as evidence of compliance. As the SEC found, employee attestation is an inaccurate process. Employees are unlikely to self-disclose their violations, because the penalty for non-compliance is harsh and often includes formal reprimand or termination.

It is critical for organizations to validate that their efforts to comply with record-keeping obligations do not trample on their employees’ privacy rights, as doing so would introduce legal challenges and negatively impact employee morale and culture. Forced monitoring of personal devices is simply not feasible. However, the fact that firms face technological and legal challenges in monitoring their employees’ personal smartphones has proven to be immaterial to regulators.

The only acceptable solution

Unfortunately, the only acceptable solution I see is to disband mobile BYOD programs for individuals subject to regulation within financial services and issue tightly managed corporate devices. Limit these devices to only the applications and services that can be monitored and archived in full compliance with regulations. I recognize that this conflicts sharply with the rise in importance of employee experience that we have witnessed in the last few years, but the SEC is not treating this as a grey area. In its judgement, you are either in or out of compliance with regulations. The penalties for non-compliance are harsh enough to ensure that they do not become an acceptable “cost of business”[8].

What about the “at the end of the day” argument?

I hear the following question frequently: “But, at the end of the day, won’t employees simply not use their corporate device for work, and instead use their personal device?” Sure, they have a plethora of personal technology options available that enable them to easily violate regulations. So why should you abandon your BYOD program when there are so many ways that rogue employees can choose to be non-compliant? The answer is simple. None of their personal technology options were provided by you. You are obligated to ensure that the technology you provide to your employees is fully compliant with all regulations and to ensure complete awareness of those policies. Rogue employees will always exist and no policy alone will ensure complete compliance, but these should not be used as excuses to prevent or delay moving towards the fulfillment of your regulatory requirements.

A big special shout out goes to my co-authors Erin Pierre and Pankil Sheth.

Evidence

[1] SEC Interpretation: Electronic Storage of Broker-Dealer Records, U.S. Securities and Exchange Commission.

[2] 3110. Supervision and 3120. Supervisory Control System, FINRA.

[3] Observations from Investment Adviser Examinations Related to Electronic Messaging, Office of Compliance Inspections and Examinations.

[4] FCA Handbook, Financial Conduct Authority.

[5] MiFID II, European Securities and Markets Authority.

[6] Supervisory Guidelines and Policies, Financial Services Agency.

[7] Financial Advisers Regulations, Singapore Statutes Online.

[8] PLI Broker/Dealer Regulation and Enforcement 2021, U.S. Securities and Exchange Commission.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


4 Comments

  • Eric Sockwell says:

    I work for a company like this; we are not BYOD. Is this for text messaging in itself, or for apps like WhatsApp, Snapchat, and Facebook and Instagram, because they all have encrypted text messaging apps in them? Can we please get a clarification on what kind of apps they used? Because we allow those apps. So far.

    Thanks

    • tcipolla says:

      Thanks for the question. This applies to all unmonitored but permitted apps, and includes iMessage and text messaging, along with the apps you mentioned as well. For corporately owned devices, the best recommendation I can make is to restrict the apps and services to only those that are compliant with your record keeping requirements. You may be able to physically inspect the devices periodically to assess adherence to the compliance policy, but that will be labor intensive and not as complete as a technical block. Of course, review these decisions with your legal and compliance team, as they should be in the lead for these decisions, with IT only carrying out the directives of those teams.

  • Mike R. says:

    Not sure I agree here Tom, but there could be info I’m not privy to or am missing entirely.

    What’s the difference between providing Mobile Application Management and Mobile Device Management if the data is secured and archived properly? Ownership of the “host” device shouldn’t matter.

    We never hear any worries about a BYOD user’s Gmail or Yahoo mail app on their personal device, because in a corporate BYOD scenario the user is provided a secured corporate email application. Why then would it not be appropriate to provide a secure SMS messaging app like CellTrust or Multiline, given the text-heavy culture we’ve moved toward?

    These software based solutions enable the user to be in compliance while keeping the employee experience intact and removing the frustration of having to keep up with a second device.

    Enablement (not restriction) is the key to compliance in my eyes. A bad actor is going to find a way to act badly regardless and a user attempting to navigate restrictions is prone to mistakes. Creating a culture of enablement through compliant software methods is the integral piece of the puzzle here.

    • Tom Cipolla says:

      Great questions, and ones that I get asked about quite frequently.

      Disclaimer: Regulatory compliance and policy is an issue best addressed by internal compliance and legal teams within your organization. I am not a lawyer and can only offer my non-legal opinion, based on my research.

      One of the key recurring themes in the findings is the lack of ability to ensure that the policy is being followed. Inspection of a personally owned device is a core challenge, due to privacy concerns. Inspection of a corporately owned device is possible, as it is a company issued piece of work equipment; there is not a reasonable expectation of individual privacy.

      The SEC finding summary included this statement:
      “Each of the 15 broker-dealers was charged with violating certain recordkeeping provisions of the Securities Exchange Act of 1934 and with failing reasonably to supervise with a view to preventing and detecting those violations.”

      And each of the individual finding summaries, available from the link above, include statements almost identical to these:
      12. maintained certain policies and procedures designed to ensure the retention of business-related records, including electronic communications, in compliance with the relevant recordkeeping provisions.
      13. employees were advised that the use of unapproved electronic communications methods, including on their personal devices, was not permitted, and they should not use personal email, chats or text-messaging applications for business purposes, or forward work-related communications to their personal devices.
      14. Messages sent through -approved communications methods were monitored, subject to review, and, when appropriate, archived. Messages sent through unapproved communications methods, such as WhatsApp and those sent from unapproved applications on personal devices, were not monitored, subject to review or archived.
      15. Firm policies were designed to address supervisors’ supervision of employees’ training in the firm’s communications policies and adherence to books and recordkeeping requirements. Supervisory policies noted that electronic communications were subject to surveillance by the firm. had annual training for all employees on recordkeeping policies, including training for new supervisors that required, among other things, self-attestation of having reviewed recordkeeping requirements.
      16. , however, failed to implement a system of follow-up and review to determine that supervisors were reasonably following the firm’s policies. While permitting employees to use approved communications methods, including on personal phones, for business communications, failed to implement sufficient monitoring to assure that its recordkeeping and communications policies were being followed.

      So, the issue isn’t really related to the device or the apps or the awareness of the policy, but to the ability to implement sufficient monitoring to assure that policies are being followed. Until there is an ability (and willingness) to continually inspect a personally owned device, the only solid recommendation is to issue a corp issued device that limits the communications channels to only those that are compliant with the recordkeeping requirements.

      Incidentally, many financial services organizations are now being forced to comb through personal phones and PCs to capture pertinent communications made from those devices that should have been archived, but weren’t. The operational cost of that, added to the fine, materially impacts their earnings. Also, some organizations are going so far as to fine employees anywhere from $1000 to $1M for their personal violation of the policies. The privacy implications of this alone are astounding (is there a special master that is responsible for reviewing messages on personal devices to determine their relevance?).

      You will always have bad actors and people do make mistakes, but if you issue the corporate device with the restrictions applied and state clearly that personal devices are not to be used in any way for work, you can deal with the bad actors separately as they are found and eliminate the possibility for mistakes.

      Do I like this answer? Absolutely not. It conflicts dramatically with the rise in importance of employee experience. But when faced with a $125M fine, increased regulatory scrutiny and large operational costs to retrieve messages, I see no other choice.

      Gartner clients can request an inquiry to discuss this, and many other topics in depth.