TABLE OF CONTENTS

      Financial services organizations are subject to strict regulations that require the preservation of all business-related communications. The increasing use of ephemeral messaging—communications that auto-delete after a particular time or upon viewing—presents firms with a significant compliance challenge. 

      Regulatory agencies have made it clear that failure to retain such communications may lead to legal exposure, financial penalties and even criminal charges.

      What is Ephemeral Messaging?

      Ephemeral messaging refers to digital communication where messages automatically disappear after being viewed, leaving no lasting record. These messages are designed to enhance the user’s privacy and security by preventing permanent storage or unauthorized sharing of sensitive information. 

      Popular apps offering ephemeral messaging include WhatsApp, WeChat, Telegram and Signal. Research indicates that as of the end of 2024, over three billion people worldwide were actively using messaging apps. WhatsApp is the world's most popular messaging app, with over five billion downloads and two billion active users.

      Unlike a text message or an email, which will sit in an employee's inbox until they delete it and can be easily recovered by the firm's IT team, ephemeral messaging is designed to be automatically deleted after a set period of time.

      It’s also important to note that although non-ephemeral in nature, common workplace messaging platforms Microsoft Teams and Slack have configurable retention settings that can be set to delete messages after a short period of time if not properly administered.

      Even across ephemeral messaging platforms, there are variations in the control users and administrators have regarding when messages disappear, whether messages can be forwarded or saved and whether metadata or backups may exist on either cloud or device storage.

      With these messaging apps so widely used, companies can no longer ignore the possibility that employees are using them for work-related communications.

      Why Is Ephemeral Messaging So Risky?

      There’s a real risk that employees may use off-channel communications to conceal misconduct, such as sharing insider information or engaging in illegal marketing practices. Even when messages carry no ill intent, the fleeting nature of ephemeral communication raises serious concerns regarding oversight and retention.

      Financial services firms are subject to stringent requirements regarding the retention and accessibility of business communications. The use of ephemeral messaging poses significant compliance risks for companies, including the failure to retain required records, potential obstruction of legal and regulatory investigations and inadequate audit trails.

      Get the Message! Preserve eComms or Face Steep Regulatory Consequences

      Regulatory Requirements for Ephemeral Communications

      “If a firm has not produced communications from these third-party messaging applications, our prosecutors will not accept that at face value. They’ll ask about the firm’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws, among other things.

      A firm’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability. So when crisis hits, let this be top of mind.”

      Assistant Attorney General Kenneth A. Polite, Jr.

      Regulators including the Department of Justice (DOJ), the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) have issued clear guidance: covered firms must retain all relevant communications, regardless of platform or format. Equally important—firms must be able to produce that data upon regulatory or legal request.

      Under the current administration, it’s less likely that there will be the large-scale SEC enforcement sweeps for books and records violations that the industry experienced in 2023 and 2024. That doesn’t mean that financial services firms are off the hook when it comes to communications records retention, however.

      Regulators will still expect firms to have robust and defensible record retention processes in place as part of regulatory exams and reviews. In addition, employee communications across all key channels are a key source of evidence in both legal and regulatory investigations. Firms will still be required to quickly produce employee communications when requested by regulators and prosecutors, including ephemeral ones.

      Staying Ahead of Regulatory Change in eComms Surveillance

      Stay One Step Ahead of Potential Misconduct

      Communications surveillance isn't just about catching bad actors—it's about creating a system that detects risk early, responds quickly and fosters a compliant culture.

      Communications surveillance technology can help financial services firms and their compliance teams stay ahead of risky employee behavior by providing proactive monitoring, early detection and actionable insights across key channels. Surveillance tools can monitor employee communications for early indicators of potential concerns including:

      • Insider trading or market manipulation
      • Noncompliant marketing practices
      • Unethical sales practices
      • Use of unauthorized communication channels

       

      How to Manage Communications Risk from Ephemeral Messaging

      • Have clear policies tailored to the firm’s risk profile about the use of ephemeral messaging technology expectations, including bring your own device policy, across all channels.
      • Ensure that these policies are distributed and that employees are trained on the rules and implications. Follow up to attest to receipt and understanding of the policy.
      • Implement surveillance and monitoring technology to screen for off-channel messages and capture and retain ephemeral messages across approved channels.
      • Disable auto-delete features and review retention and data collection settings on all licensed business messaging platforms.
      • Prohibit the use of off-channel communications platforms by firm employees.

      How MCO Can Help Firms Effectively Manage Ephemeral Messaging and Communications Compliance

      MCO provides companies with communication compliance solutions that capture, archive, and supervise messages across messaging platforms, including those with ephemeral features, offering:

      • Integration with all popular ephemeral messaging apps such as WhatsApp, WeChat, Signal, and Telegram.
      • Strong, best-in-breed metadata capture mechanisms for catching and flagging message edits, deletions, and other actions indicating an attempt to hide from or circumvent policy supervision.
      • Flexible, configurable retention periods to cover various regional regulatory differences in data retention requirements.
      • Default Lexicon Policies to specifically target textual words and phrases that would indicate an attempt to circumvent current surveillance channels by your firm.
      • AI-based off-channel default lexicon taking a much more contextual approach to flagging and identifying policy circumvention attempts.

      With MyComplianceOffice, companies can ensure that all communications are retained with best efforts in accordance with regulatory requirements and are accessible for audit and investigation.

      • eComms Keep captures and preserves all communications, including those from ephemeral platforms, in a secure, tamper-evident format with full audit trails.
      • eComms Review enables compliance teams to search, monitor, and analyze employee communications across platforms, enabling proactive risk management and audit readiness.

      Contact us today for a demo to learn more. 

       

       

       

      Recent Posts