Print Article

The JFSC remind Businesses about personal devices and social media risks


Today [9 June 2021], the JFSC has reminded businesses to be vigilant when using personal devices and social media

  1. These risks include:
    • The misuse of personal devices, such as sharing confidential information via social media and other messaging apps.
  2. Businesses must:
    • Have appropriate safeguards in places such as policies and procedures to ensure staff are using these channels appropriately and to meet record-keeping requirements under the Codes of Practice.
Examples of good practice include:
  1. Training for employees on induction, at regular intervals and on a change/update to the policies and procedures
  2. Consistent compliance with the policies and procedures demonstrated by directors and senior management
  3. Disciplinary action taken against breaches
  4. A culture of separation between business activities and social communications
  5. And users should be minimising the use of colloquial language and/or emojis in communications relating to business activities.
For more information on best practice,
  1. The JFSC refer to its feedback from the 2020 Supervisory Risk Examinations published on 25 May 2021.
In particular, FEEDBACK [NO 8] USE OF TECHNOLOGY – where the JFSC SAY
  1. The JFSC SAY
    • Registered persons contemplating the use of communication methods such as Zoom, Teams, Messenger or WhatsApp in their financial services businesses should carefully consider and document the risks and establish effective systems and controls (including policies and procedures) to manage those risks and ensure ongoing compliance with the regulatory framework
  2. However, the JFSC officers identified several FAILS where Registered Persons were using such tools as WhatsApp, Zoom and Messenger for client communications – the FAILS included
    • Systems and controls (including policies and procedures) concerning the use of the applications by employees had not been established or were ineffective.
    • In addition, policies and procedures did not enable the Registered Persons to demonstrate that record-keeping arrangements were in full compliance with the regulatory framework.
    • Client consent not obtained for using/recording video calls.
  1. Inappropriate use of technology to carry on financial services business may expose consumers of those services to heightened or unacceptable levels of risk.
  2. In addition, ineffective or incomplete business records relating to a Registered Person’s interaction with its clients may result in the Registered Person being unable to demonstrate that it has acted with the highest regard for the interests of its clients.