The UK Prudential Regulation Authority has censured a bank for wide-ranging, significant regulatory failings between December 2016 and May 2020, which spanned breaches relating to large exposure limits, capital reporting, governance and risk controls, and PRA Own Initiative Requirements (OIREQs), as well as, for the first time, a failure to capture and retain WhatsApp messages. The seriousness of the breaches justified a fine of £8,515,000; however, since the bank is in wind-down, the PRA imposed a public censure as a warning shot to the industry more broadly.
The PRA enforcement action is a clear warning shot to all firms that they need to have comprehensive recordkeeping in place to capture and enable full context retrieval of all electronic communications. It is entirely likely that the $2bn+ fines imposed in the U.S. for failing to capture unmonitored communication channels are the tip of the regulatory iceberg, with regulators around the world increasingly focused on firms’ approach to robust data capture, surveillance and retrieval.
Among the other concerns, the PRA made a robust point that the bank had failed to put in place effective document retention and recordkeeping policies or procedures for its business that took into account technological advances such as those relating to instant messaging platforms (e.g. WhatsApp).