Prior to Gartner, I have been in financial services for most of my career. Mobile BYOD has been an integral part to our strategy for as long as I can remember. But, when fines more than $2 billion were recently levied against many Wall Street firms, it certainly caught my attention. What does this mean for the future of BYOD in financial services?
BYOD within financial services is not a new trend
Mobile BYOD programs have risen to mainstream status over the years. Organizations replaced tightly managed corporate devices with lightly managed personal devices primarily to save money and labor. The savings often failed to fully materialize, due to the requirement to reimburse employees in many states and countries. So, many made the pivot to position their BYOD program as a method to increase employee experience. It’s true that enabling an employee to use the device that they love in their personal life can increase experience. But, what is the cost to the organization?
Many financial services employees are subject to record keeping regulations
Financial services firms are no different in their adoption of BYOD over the years. However, a key complication is the requirement to monitor and archive ALL pertinent electronic communications. Relevant government rules and regulations include:
- United States: Securities and Exchange Commission (SEC) 17(a)(1) and 17(a)(4);1 FINRA rules 3110 and 3120;2 Section 204 of the Investment Advisers Act and Rule 204-2(a)(7)3
- United Kingdom: Financial Conduct Authority (FCA) SYSC 9.1 and 10A.1.6, and Conduct of Business Sourcebook (COBS) 11.84
- European Union: ESMA MiFID II5
- Japan: Financial Services Agency — Supervisory Guidelines6
- Monetary Authority of Singapore: Financial Advisers Regulations (Section 25)7
The SEC and CFTC fines were focused on the failure to preserve communications about business matters made through unapproved and unmonitored messaging applications on personal devices. While these firms implemented policies specifically prohibiting communications via non-approved, the SEC and CFTC found that they did not adequately monitor their employees’ use of devices to ensure adherence to those policies. Until these fines, the common belief was that it was sufficient to instruct the employee to only use specific apps for work activities, ensure awareness of these requirements and require employee policy attestation. Regulatory authorities did not agree.
It is now logical to assume that most financial services organizations with mobile BYOD programs for regulated employees could be fined due to a lack of compliance with electronic communications regulations.
Inalienable right to privacy complicates BYOD
The right to privacy is generally considered as an inalienable right, defined as a right that may not be ceded or transferred away even with the consent of the holder. This conflicts with the organization’s requirement to completely ensure compliance to regulations. Since complete manual or electronic inspection of the employee’s personal device is near impossible, most organizations rely on employee attestations to provide evidence of compliance. As found by the SEC, employee attestation is an inaccurate process. Employees are unlikely to self-disclose their violations, as the penalty for non-compliance is harsh and often includes formal reprimand or termination.
It is critical for organizations to validate that their efforts to comply with record-keeping obligations do not trample on their employees’ privacy rights, which will introduce legal challenges and will negatively impact employee morale and culture. Forced monitoring on personal devices is just not feasible. However, the fact that firms face technological and legal challenges to monitor their employees’ personal smartphones has proven to be immaterial to regulators.
The only acceptable solution
Unfortunately, I see the only acceptable solution is to disband mobile BYOD programs for individuals subject to regulation within financial services and issue tightly managed corporate devices. Limit these devices to only applications and services that can be monitored and archived in full compliance with regulations. I recognize that this introduces a large conflict with the rise in importance of employee experience that we have witnessed in the last few years, but the SEC is not seeing this as grey area. In their judgement, you are either in or out of compliance with regulations. The penalties for non-compliance are harsh enough to ensure that they don’t become an acceptable “cost of business”8.
What about the “at the end of the day” argument?
I hear the following question frequently. “But, at the end of the day, won’t employees simply not use their corporate device for work, and instead use their personal device?” Sure, they have a plethora of personal technology options available that enable them to easily violate regulations. So why should you abandon your BYOD program when there are so many ways that rogue employees can choose to be non-compliant? The answer is simple. None of their personal technology options were provided by you. You are obligated to ensure that technology you provide to your employees is fully compliant with all regulations and to ensure complete awareness of the policies exist. Rogue employees will always exist and no policy alone will ensure complete compliance, but these should not be used as excuses to prevent or delay moving towards the fulfillment of your regulatory requirements.
1 SEC Interpretation: Electronic Storage of Broker-Dealer Records, U.S. Securities and Exchange Commission.
3 Observations from Investment Adviser Examinations Related to Electronic Messaging, Office of Compliance Inspections and Examinations.
4 FCA Handbook, Financial Conduct Authority.
5 MIFID II, European Securities and Markets Authority.
6 Supervisory Guidelines and Policies, Financial Services Agency.
7 Financial Advisers Regulations, Singapore Statutes Online.
8 PLI Broker/Dealer Regulation and Enforcement 2021, U.S. Securities and Exchange Commission.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.