back to article Ever suspected bankers used WhatsApp comms at work? $1.8b says you're right

Ever given a colleague a quick Signal call so you can sidestep a monitored workplace app? Well, we'd hope you're not in a highly regulated industry like staff at eleven of the world's most powerful financial firms, who yesterday were fined nearly $2 billion for off-channel comms. Banking giants including Goldman Sachs, Credit …

  1. steviebuk Silver badge

    They admitted to it...

    ..because they probably have their backup plan in action already to carry on with burner phones. If they admit guilt and can afford to pay the fine then they probably know they can easily get away with it again, make more money and know what they'd look for so know what how to hide better. Burner phones would be the way to go, set to not backup to the cloud and when asked to hand them over, accidently drop them in salt water (the sea).

    1. Cederic Silver badge

      Re: They admitted to it...

      Ah. Check with Rebekah Vardy regarding that last suggestion.

      1. anothercynic Silver badge

        Re: They admitted to it...

        Not Vardy. Vardy's PR agent.

        1. Gordon 10

          Re: They admitted to it...

          Allegedly. ;)

    2. JimboSmith Silver badge

      Re: They admitted to it...

      I’m slightly surprised no one has created an encrypted banking chat app. You’d have an auto purge for messages after a set period of time and possibly a self destruct/delete of the of the program if the wrong password is entered. Then these people could easily continue their nefarious behaviour on a burner device without worry.

      1. Yet Another Anonymous coward Silver badge

        Re: They admitted to it...

        Because all that is the easy part.

        The hard part is how do you know that "Spazz69" is really a trader at Deutsche and not a kid in a basement, or a Russian bot, or an SEC agent ?

        Even if you met them and confirmed it how do you know their account hasn't been taken over or that they aren't now cooperating with the Feds ?

        You need 100% provable identity when making deals and 100% anonymity and deniability when caught - that's mathematically tricky

        1. DS999 Silver badge

          Re: They admitted to it...

          I'm not sure what the question is, but I'm betting someone will come along before long and tell us the answer is blockchain!

          1. Anonymous Coward
            Anonymous Coward

            Re: They admitted to it...

            Blockchain!!!

          2. Michael Wojcik Silver badge

            Re: They admitted to it...

            Very funny, but of course the real answer is AI. Maybe with some DevOps.

        2. katrinab Silver badge
          Pint

          Re: They admitted to it...

          You know that because you met them personally at a pub, and they are known to your circle of friends, and you exchanged details there.

          1. Michael Wojcik Silver badge

            Re: They admitted to it...

            That doesn't scale well, and provides no protection against account compromise.

            Admittedly, few things provide much protection against account compromise, but at least when you use proper channels there's some chance someone is monitoring those systems for IoCs and taking similar measures.

            1. Mark 65

              Re: They admitted to it...

              It doesn't need to scale well - most traders will commit these "special trades" with counterparties known to them personally not just any old spod in the market. When you're dealing with traders in certain markets that can deal in size and/or have a greater freedom to trade you're down to a limited set of individuals. Whilst markets seem large most players know each other - you'd be surprised.

            2. katrinab Silver badge

              Re: They admitted to it...

              The groups are maybe 4 or 5 people. It is not supposed to scale well.

        3. Charlie Clark Silver badge

          Re: They admitted to it...

          Quite easy, really. Keys are only handed to admins of member companies and the app only runs on company devices. Think of what BlackBerry used to be or Bloomberg terminals.

        4. Mark 65

          Re: They admitted to it...

          The hard part is how do you know that "Spazz69" is really a trader at Deutsche and not a kid in a basement, or a Russian bot, or an SEC agent ?

          Pretty sure you'd use signal and confirm the contact personally when setting up using "Verify Safety Number" i.e. when you're out on the piss with the counterparty (at the start of the session for obvious reasons). At this point you're secure. If it changes you're alerted and you'd cease comms until re-confirmed.

      2. Steve Button Silver badge

        Re: They admitted to it...

        You mean SnapChat?

      3. johnfbw

        Re: They admitted to it...

        From experience some banks have their emails set to auto purge for this very reason

        1. MachDiamond Silver badge

          Re: They admitted to it...

          "From experience some banks have their emails set to auto purge for this very reason"

          That could be a criminal offense. Some banking regulations require that all communications are logged and maintained for years and if they are even subpoenaed and found missing, it's a big problem. A big reason for using out-of-band comms that aren't properly logged is to get away with making deals that aren't cricket.

          1. johnfbw

            Re: They admitted to it...

            Presumably you are referring to SEA Rule 17a-4 which says 3-6 years, but only 2 years 'easily accessible' ie good luck after that. MiFID 2 is five year. This only refers to people directly affecting trades.

            The FCA rules only required 6 months... (interesting bit of quick research)

            Doesn't change the fact the fact that banks do auto purge - often after 3 months. They just don't remove it from that one backup - only accessible with a highly focused legal demand

      4. MachDiamond Silver badge

        Re: They admitted to it...

        "I’m slightly surprised no one has created an encrypted banking chat app. You’d have an auto purge for messages after a set period of time and possibly a self destruct/delete of the of the program if the wrong password is entered."

        Maybe they have which is why they copped to using the other services. No LEO keeps looking once they've found something. If the perp confesses, they are even more likely to stop looking.

    3. Steve Button Silver badge

      Re: They admitted to it...

      With the amount of money at stake they probably have burner phones to hand over, plus another burner which is the actual ones they use for out-of-band comms. And very very small phones which you can hide in places that I'll leave to the imagination. If they can smuggle them into prisons, where an intrusive search is quite common, it would be far easier to smuggle them into a trade floor.

      So, no need to drop them into salt water, just hand over the dummy burner.

      I hope I'm not giving them ideas, I'm sure they have already thought of this, but if not I'm available for side projects in consulting.

      1. Yet Another Anonymous coward Silver badge

        Re: They admitted to it...

        For the LIBOR rigging totally reasonable cooperation they were using burner phones connected to wifi hubs in windows on other building across the road.

        1. Mark 65

          Re: They admitted to it...

          That's the thing - compared to the money you can cream off the top on these deals, any cost of setting the system up pales into insignificance. As do the fines for that matter.

    4. MachDiamond Silver badge

      Re: They admitted to it...

      "accidently drop them in salt water (the sea)."

      First put them in a ziplock with vinegar (acetic acid) or a cola (phosphoric acid). The insides will just be a load of green goo. Leaving the battery in and the phone on is a good move too.

    5. Anonymous Coward
      Anonymous Coward

      Re: They admitted to it...

      …. Yet they weren’t smart enough to use disappearing messages, given evidence was found on phones. Smart yet simultaneously a bit thick.

  2. Anonymous Coward
    Anonymous Coward

    Fine bribe

    So a 1.1 Billion $ Fee, and nobody goes to jail. Makes you wonder how many more billions they made illegally to pay that "Fee" without a complaint.

    Rich people have it so easy, just commit crimes and pay off the regulators.

    No wonder these crimes are common, there are no repercussions that matter, just a tax/fee/fine/bribe.

    1. Steve Button Silver badge

      Re: Fine bribe

      Well indeed. And this sort of thing is more common that you might imagine.

      A lot of people think that China is the worst country in the world for corruption (or the best?) but most of that is low level bribes. There's a lot of it going on, but the big money bribes / corruption are really happening in the west.

      There's a fascinating Freakonomics Radio episode explaining it, well worth a listen.

      https://freakonomics.com/podcast/is-the-u-s-really-less-corrupt-than-china/

      1. Anonymous Coward
        Anonymous Coward

        Re: Fine bribe

        I once ran a scientific program in West Africa - we budgeted $100 in cash bribes to get gear cleared out of airport and loaded onto a truck.

        The same project went to central America and cost us $3000 in customs/carnet/processing/legal fees to ship it through Florida

        But if there had been any American citizens on the project it would have been extremely illegal for them to pay $20 to an African customs official.

        1. ChoHag Silver badge

          Re: Fine bribe

          Ah but over here our corruption has been written down and codified so it's not called "corruption" any more, it's "government".

          Exactly the same but it's 30 times as expensive.

      2. Mark 65

        Re: Fine bribe

        In the past these guys would just meet in the pub at lunchtime to arrange the trades.

  3. Evil Auditor Silver badge
    Coffee/keyboard

    "Finance, ultimately, depends on trust..."

    Yeah right. And why again do I have the impression that "big finance" has been doing whatever they can to destroy that trust?

  4. Paul Smith

    "Finance, ultimately, depends on trust..."

    Duh, no it doesn't.

    Finance depends on having an edge and the biggest edge you can have is knowing what is going to happen before the rest of the market. Traders have always shared that knowledge among other traders to earn or repay favors. Before phones were invented, those back channel communications took place in coffee shops which is why financial institutions are packed so tightly together into places like wall street or the square mile.

    1. MachDiamond Silver badge

      Re: "Finance, ultimately, depends on trust..."

      "Finance depends on having an edge and the biggest edge you can have is knowing what is going to happen before the rest of the market. "

      Which is why Trading Places was so funny when the old guys are trying to corner the market on FCOJ before everybody else sees what they are doing. If you know the day before that a company is going to blow right through what the analysts have been predicting in either direction, you can make enough money to live very well in a non-extridadition country for the rest of your life. If you don't have enough money to do that, you might make enough to take the next year off while traveling the world.

  5. TheRealRoland
    Devil

    This is my surprised and shocked face ->

  6. Mike 137 Silver badge

    A privileged elite?

    "Banking giants [...] agreed to pay $1.1 billion in penalties from the US Securities and Exchange Commission (SEC) and $710 million in fines from the Commodity Futures Trading Commission (CFTC)"

    Anyone else (except maybe a tech behemoth) would just be told to pay up, no agreement necessary.

  7. Commswonk

    That Reminds Me...

    When I read the inset section Who's paying what? I was immediately reminded of the famous line from "Casablanca": Round up the usual suspects.

    1. Yet Another Anonymous coward Silver badge

      Re: That Reminds Me...

      "I'm shocked — shocked! — to find that gambling is going on in here!"

      "Your winnings, sir."

      "Oh, thank you very much.

  8. VoiceOfTruth

    Fines mean nothing to banks

    The money is merely taken from the shareholders by way of lower dividends.

    You can be banned from driving for using a mobile phone. Ban the bankers using unapproved comms from banking for 1 year for the first offence, then 5 years for the inevitable second offence.

    This is insider trading and it is not victimless. The victims are everyone who has shares or trades and is not a member of the gang. You go to a bank or a foreign exchange shop to get some foreign currency, which somebody has manipulated in their favour. You are the victim of a crime. It may only be a few £$€ to you, but added up it's millions. You buy some shares not knowing what insider traders know. Again you are the victim of a crime.

    What do the regulators do? Make a little bit of a noise and let them get away with it.

    1. Paul Smith

      Re: Fines mean nothing to banks

      I can't agree with that. You do the best deal you can with the information available to you. If someone else has better information then you, that is neither their fault not their problem.

      1. VoiceOfTruth

        Re: Fines mean nothing to banks

        Do you actually know what insider trading is?

        1. Yet Another Anonymous coward Silver badge

          Re: Fines mean nothing to banks

          Apparently neither does the SEC

  9. Anonymous Coward
    Anonymous Coward

    Actually, they missed out on a second fine..

    Any of the organisations that were using WhatsApp in Europe very likely broke EU privacy laws as well, unless they can demonstrate permission of every single personal entry in their address book to have their contact details shipped to Zuckerberg.

    WhatsApp is use is about the easiest way to get a company into trouble, even if they are not in finance.

    That said, the sort of fines that most EU privacy regulators can levy would represent a mere rounding error on their balance sheet. The joy of much lobbying from the volume offenders.

  10. Anonymous Coward
    Anonymous Coward

    Having worked in the investment banking industry within a department with a partial responsibility to ensure regulatory compliance is met, I can tell you that the biggest problem is that no one wants to upset the star bankers by saying "No, you can't do that" **and preventing them doing so** for the fear of losing them to the competition. And likewise, no banker wants to tell his client "No, I can't do that anymore" for fear of losing the client to someone who will.

    1. Anonymous Coward
      Anonymous Coward

      Also some of the traders at my place have historically been so stupid that they have quite happily carried out business on whichever telecommunications device they happened to answer... which of course meant their own personal mobile or a phone line that wasn't recorded.

      These are also people so stupid that when we got company mobiles one of them highly suggested that the company purchase some (no doubt overpriced) suitably coloured cover/bumper so they could tell their devices apart. Because, it's not like they were so skint they couldn't afford to pick a cheapy one up somewhere.

      In the first case even I a lowly Linux sys admin know that such communication must be proper channels and on the second at the time both my own personal mobile and work mobile were a 6S and I didn't have problems figuring out which was which.

      1. Yet Another Anonymous coward Silver badge

        >Also some of the traders at my place have historically been so stupid

        Repeat after me: do the illegal shit on the phone with the red cover, do the ordinary work on the phone with the blue cover.

        1. Anonymous Coward
          Anonymous Coward

          Ah, that explains Trump's red iPhone.

    2. Claptrap314 Silver badge

      "Personal liability" is what we're talking. Having their license stripped would fix their attitudes real quick, I believe. And that would be an administrative punishment, not criminal.

  11. YetAnotherXyzzy

    Do as we say, not as we do

    Meanwhile on the U.S. military base where my wife is a civilian employee, most communication is via WhatsApp. It's not supposed to be used but meh, our rules apply to you, not to ourselves.

    1. Anonymous Coward
      Anonymous Coward

      Re: Do as we say, not as we do

      You allow phones onto a military base?

      When I briefly worked for the extreme branch of scouting, nothing electronic went on or off site, even remote car key fobs got left at the guard hut.

      Although given that the CIA agents recorded the perimeter of their secret training camps on Strava and your CinC stores classified material with the pool boy (don't worry he doesn't speak English)

      1. YetAnotherXyzzy

        Re: Do as we say, not as we do

        "You allow phones onto a military base?"

        Not me. When I become an evil overlord, one of my rules will be "no personal cell phones in the hollow volcano lair". Minions will have to make their TikToks on their own time.

        But you were probably asking about Uncle Sam, yes he does, and my wife guesses that a quarter of the phones she sees on base are from Huawei. Winnie the Pooh says thank you for your service.

        1. MachDiamond Silver badge

          Re: Do as we say, not as we do

          ""You allow phones onto a military base?""

          It's government. They take a good exposé in the tabloids to see when they are doing stupid things.

          I remember a story about soldiers wearing FitBits and the data gave a great look at security patrol patterns as well as where people exercised and at what time. Not the sort of data you want published about a secure facility.

      2. Anonymous Coward
        Anonymous Coward

        Re: Do as we say, not as we do

        When I worked at a UK site that shall remain nameless (no, not in Cheltenham) we quickly learned to ensure WiFi and mobile phones were switched off before we even left the hotel in the morning to go onsite It would literally not take a minute before site security had triangulated such signals signal and came walking in.

        The Warrant Officer we then had to deal with was in general a nice guy, but very direct about enforcing the site rules - there were few repeats after a little chat with him. IMHO fair enough, rules are rules, just the speed by which they pinged offenders was impressive, they certainly weren't slack there.

        1. MachDiamond Silver badge

          Re: Do as we say, not as we do

          "When I worked at a UK site that shall remain nameless (no, not in Cheltenham) we quickly learned to ensure WiFi and mobile phones were switched off before we even left the hotel in the morning to go onsite It would literally not take a minute before site security had triangulated such signals signal and came walking in."

          Some photographers thought it would be a good way to get a jump on sales if they fitted their remote cameras taking photos of rocket launches at Cape Canaveral with WiFi. In journalism, often times the first person to have photos into the editor of a news service was the one that got the sale. Needless to say, there was a big stink since they had to scrub a launch and figure out where the signals were coming from. They like to have photography of the launches, but they don't want realtime images in case it shows something that shouldn't be photographed. There is also the matter of interference with range safety devices (bombs on the rocket) and sensors place by the range for monitoring. There shouldn't be an issue, but since they haven't tested it, it's a problem. Now they very specifically tell the photographers that any radio broadcasts can lead to a fine and/or jail so make sure that all Wi-Fi/BT is turned off if it's installed in the camera and don't use any external transmitting device.

    2. Evil Auditor Silver badge

      Re: Do as we say, not as we do

      As much as this is indeed wrong, I would also question what kind of contemporary communication means are provided?

      When facing the same WhatsApp problem, some military service on the other side of the pond responded with deploying a similar but more secure and more private app.

    3. Charlie Clark Silver badge

      Re: Do as we say, not as we do

      To be honest, as long as WhatsApp is using the Signal protocol, this is better than most of the other options: end-to-end encryption, no data stored on servers. This is why Facebook Meta is desperate to introduce advertisting on WhatsApp.

      But there's lots of metadata such as location that is leaking and that's probably worse at a forces base. Remember the Strava incident? And the US and others are probably pulling similar stunts on Russian military personnel.

      1. Anonymous Coward
        Anonymous Coward

        Re: Do as we say, not as we do

        To be honest, as long as WhatsApp is using the Signal protocol, this is better than most of the other options

        Ah, you fell for the misdirection. WhatsApp has never been about the contents of messages, which is why Zuckerberg was so quick to add decent encryption and crow about it. WhatsApp had two goals from its inception: personal details (it ships your entire address book wholsesale to the US instead of the hashing match which every other messenger uses) and relationships, als know as meta data. In other words, what Zuck is after is whom you communicate with.

        Did you really think Zuck renamed FB into "Meta" for any other reason? I have to reluctantly admire the sheer gall of being so brutally blatant about it that nobody picked that up..

  12. Matthew "The Worst Writer on the Internet" Saroff
    Holmes

    This won't change until senior executives are frog-marched out of their offices in handcuffs.

  13. johnrobyclayton

    The security and anonymity options in communications technology are only going to improve

    It is a fiercely competitive market.

    Everyone will have to adapt to the reality of not being able to monitor, track, trace or even be aware that communications between any pair of communicators is taking place.

    It is even possible to have communications take place without the communicators being capable of knowing who each other is unless identity information is exchanged.

    There are a lot of laws and regulations that are completely or partly dependent on there being some way to determine some details of a communication.

    These need to adapt to an environment where this information is simply not going to be available.

    Regulators and legislators can grump and moan all they like (it is always amusing to read about it on this site), but it is not going to stop completely anonymous, secure and private communications becoming more and more of a reality.

    If you cannot make legislation or regulation that can handle a complete inability to monitor communications then you simply will not be able to enforce such legislation or regulation.

    If you are in a position to need the protections of legislation or regulation that need to be able to access elements of communication that cannot be compelled to be available, change your position.

    1. Persona

      Re: The security and anonymity options in communications technology are only going to improve

      It is a fiercely competitive market.

      It is, but banking is also based on trust. Knowing your counterparty is not only a legal requirement, it is vital. If you accidently pay $1billion to the wrong counterparty they will return it as soon as you ask. If you don't ask I suspect they would sit on it, but you notice and ask as soon as the counterparty who should have received 'politely' enquires why you have missed the payment deadline. I am aware of this exact scenario happening despite 3 people having checked the outgoing payment details.

    2. MachDiamond Silver badge

      Re: The security and anonymity options in communications technology are only going to improve

      "Regulators and legislators can grump and moan all they like (it is always amusing to read about it on this site), but it is not going to stop completely anonymous, secure and private communications becoming more and more of a reality."

      Ok, the punishment should then be life in prison since the chances of being caught will be so low.

      There will always be people looking to game the system and get around the rules in some manner at least they can explain is completely legal. Since not even attorneys and judges can know all of the millions of laws on Earth, it's not possible. The only thing that can be done is to establish a framework that says certain financial activities must be tracked and logged a particular way. Anybody caught diddling the regs is out on their ear and the company they work for gets a very substantial fine and a visit by a herd of Dark Clarks to make sure it's not something systemic.

      The best way you hurt rich people is by turning them into poor people. ~Eddie Murphy in Trading Places

      1. Cliffwilliams44 Silver badge

        Re: The security and anonymity options in communications technology are only going to improve

        "Paulie hated phones. He wouldn't have one in his house. He used to get all his calls second hand, then you'd have to call the people back from an outside phone. There were guys, that's all they did all day long was take care of Paulie's phone call."

        The mobsters are smarter than the finance guys!

  14. Potemkine! Silver badge

    Finance, ultimately, depends on trust

    I thought that Finance ultimately depended on screwing the biggest number for the sake of the smallest one. I feel better now.

    == Bring us Dabbsy back! ==

    1. Ropewash

      "screwing the biggest number"

      Yes, but we 'trust' that they will do exactly that.

  15. Gordon 10

    Interesting

    I did a project at one of those banks a few years ago where we looked at just the official chat and messaging channels. Even just counting them we got to 30 different chat/email/comms methods and they were the permitted channels.

    One of the more interesting hard to track comms methods was scrawling bitmap or vector handwritten notes in MS paint or Word and then sending as an attachment.

  16. FirstTangoInParis Bronze badge
    Mushroom

    GDPR and all that

    Had a similar issue when GDPR came in at our local church. Had to ruthlessly move all the data and email onto Google Workspace and set up “business” email accounts. Cue moaning from the PCC of “I don’t want two email accounts” and “why can’t I store stuff on my laptop, it’s easier”. Sternly pointed out that if they mistyped someone’s private email address, that woluld constitute a breach, and then you’ve got 72 hours to fess up to ICO and the data subjects and wait for the inevitable (and possibly hefty) fine. They got the message and we got along just fine after that.

  17. imanidiot Silver badge

    Hey ho, hey ho, back to the office they go

    So now they all get called back to working in the office only and doing their chatting around the water cooler (the one with extra loud compressor and is checked for recording devices every morning)?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like