What’s up with WhatsApp?

The Morgan Stanley fine shows why good tech lawyers take a broad approach.

Morgan Stanley’s fine for failing to record energy traders’ messages not only shows how Ofgem’s reach extends beyond energy companies, but also serves as a useful frame for thinking about the risks of ‘tech blinkers’ when it comes to matters of tech law.

Ofgem, the energy regulator for Great Britain, fined investment bank Morgan Stanley & Co International plc £5.4m last month for breaching regulations aimed at preventing insider dealing and market abuse in wholesale energy markets. The regulator found the bank breached reg 8 of the Electricity and Gas (Market Integrity and Transparency) (Enforcement etc) Regulations 2013 (2013/1389) after it failed to record messages linked to energy market transactions sent by traders via WhatsApp on their privately-owned mobile phones.

Ofgem’s action is noteworthy for several reasons.

  • It is the first-ever fine issued in Great Britain for an offence under reg 8.
  • The action was taken against a bank, rather than an energy company.
  • The regulator found the bank liable for failures even in areas unable to be readily policed by it, including in private domains.

The target of Ofgem’s enforcement action reinforces the extent of the regulator’s oversight, and highlights the risks to entities in sectors which, on a more conventional view, might have been thought to be beyond Ofgem’s reach.

However, it is the way that technology encroached on the legal landscape and how liability then attached to the bank that is particularly interesting. After all, Morgan Stanley was fined by Ofgem as a result of messages sent via commonplace third-party communication apps on privately-owned mobile handsets. The bank had policies in place to warn its traders against such conduct, and it ran training programmes specifically focused on the misuse of messaging systems. Yet Ofgem still found Morgan Stanley had failed to take reasonable steps to prevent the making, sending, or receiving of the relevant communications and to ensure they were recorded and retained in accordance with reg 8.

The issues identified in Ofgem’s investigation (as well as the regulations themselves) serve as a useful frame in which to think about the risks of tech law silos—how these could cause problems of the sort that Morgan Stanley experienced, and how they could also cause the best solutions to a problem to be overlooked. Whatever solution to reg 8 might at first glance seem the most suitable for a client’s needs, the issues the regulations give rise to are not, I suggest, those which a lawyer who positions themselves as an expert in ‘[insert latest tech domain here]’ would necessarily be best placed to advise on.

That’s not to say that tech law specialisms (and tech law specialists) don’t have their place. There are times when very deep knowledge and specific expertise may be of benefit. However, a quick run-through of reg 8 reveals why it could prove problematic for a client to focus on a given tech law specialism too early on in the process. Instead, the best result is more likely to come from a broad, technology-neutral analysis of the client’s problem, with proper consideration of all the legal and technology issues that arise.

The problem with starting with the solution

Organisations subject to the 2013 regulations must take reasonable steps to ensure communications made for the purpose of entering into a transaction for wholesale energy products are recorded (para 3(a)). Those communications must be retained by the organisation for a period of at least six months (para 4(a)), and stored in a way that is readily accessible by the relevant authority (here, Ofgem) (para 5(a)). The authority must be able to easily ascertain if the record of a communication has been amended, and it must also be able to ascertain the content of the record prior to any amendment having been made (paras 5(b)(i) and (ii)). Where an organisation cannot comply with these requirements, it must take reasonable steps to prevent the communications from being made, sent or received (para 6).

On a hasty reading of reg 8, the obligations appear fairly straightforward. Data needs to be stored. Data needs to be accessed. Data needs to be compared. If the data cannot be stored, accessed or compared, it needs to be stopped. Job done.

A specialist blockchain-focused lawyer might leap to advise the client on the suitability of blockchain for dealing with these requirements, particularly if the client has approached them with an inkling of this technology in mind. Blockchain can certainly create immutable records of communications, thereby checking off paras 3(a) and 4(a) of the regulations. As a typically distributed solution, those records can fairly readily be accessed remotely too, taking care of the client’s obligations under para 5(a). From those records, redline document comparisons can also be made, meeting the requirements of paras 5(b)(i) and 5(b)(ii). Simple! Or so it seems. As usual, the devil is in the detail.

Blockchain’s immutability does initially make it attractive. However, the stored messages could contain personal data. This seems particularly likely in the context of the problems that beset Morgan Stanley, as the traders were using personal handsets. Personal data engages privacy issues, where legal advice on GDPR compliance will be needed. It potentially raises employment law issues as well, given reg 8 may require an organisation to monitor its employees’ communications. The messages will, in any event, likely contain commercially sensitive information, which an organisation would not want to be freely accessible on a public blockchain. Permissioned solutions now seem a more appropriate way forward, and off-chain storage also starts becoming an attractive alternative.

However, off-chain storage means bringing the data in-house, or hosting it in a private third-party application or repository. Both engage further GDPR issues, and the former (at least) raises other concerns for which data security advice will be needed, potentially with guidance on how to deal with ransomware demands, how breaches are regulated, and how organisations must respond to a breach, should one arise.

The involvement of third-party providers, if this route is pursued, also engages licensing and intellectual property questions, such as who owns the technology and who owns the data. It is very likely that any third-party solution will need a suitable technology supply contract to protect the organisation against the possibility of the vendor’s failure, to manage architectural risks, to address resilience concerns, and to ensure key performance indicators (KPIs) and warranties are in place so that a regulator can access any communication record ‘readily’ and ‘easily ascertain’ any changes made to it in accordance with paras 5(a) and 5(b).

Paras 5(a) and 5(b) introduce wider legal compliance challenges as well. It is unclear whether ready access and easy ascertainment can come from an authority being able to submit a request for certain records to an organisation and for that organisation to then provide the corresponding data by means of a manual reply. Human intervention in this procedure could prove problematic though, as the regulations demand that records must not be manipulable or alterable unless any amendments are recorded and easily ascertained. Here, the inclusion of humans could increase the risk of inadvertent (or even surreptitious) alterations being made, or of records being corrupted. (You may recall how the million-row limit on Microsoft’s Excel spreadsheet software caused issues for Public Health England during the Covid pandemic, when sets of test results exceeding this limit were processed using the software and, in consequence, lost. Simple things, like choosing the wrong document format, could similarly lead to compliance issues under reg 8.)

A web-based solution, directly accessible by the authority, with strict permission and data versioning controls, and comprehensive event-logging might therefore be more desirable. A broad understanding of network topology issues and communication protocols, as well as knowledge of data sovereignty issues, would then be useful strings to the bow of any tech lawyer engaged to advise, so that important questions can be asked of any vendors, and enforceable agreements drafted, backed by appropriate security guarantees.
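To make concrete what ‘data versioning controls’ and ‘easy ascertainment’ of amendments can look like in practice, the following Python is an added illustration (not code from the article, from Ofgem, or from any vendor) of an append-only, hash-chained record log. Amendments never overwrite a record; they are appended as new versions linked by hash to everything before them, so the authority can tell whether a record was amended (para 5(b)(i)) and read the content prior to amendment (para 5(b)(ii)), and any silent in-place edit breaks the chain. The message ids and contents are constructed samples, and the 183-day figure is an assumed approximation of ‘at least six months’ (para 4(a)).

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64
# Assumption: reg 8's "at least six months" modelled as 183 calendar days.
MIN_RETENTION = timedelta(days=183)


@dataclass(frozen=True)
class Entry:
    """One immutable line in the log. Amendments never overwrite; they append."""
    seq: int
    record_id: str
    action: str        # "record" (original capture) or "amend"
    content: str
    actor: str         # who made the entry (capture system or named user)
    timestamp: str     # ISO 8601, UTC
    prev_hash: str     # hash of the preceding entry (the chain link)
    entry_hash: str    # SHA-256 over all the fields above


def compute_hash(seq: int, record_id: str, action: str, content: str,
                 actor: str, timestamp: str, prev_hash: str) -> str:
    """Canonical JSON of the fields, hashed; any change to any field changes the hash."""
    payload = json.dumps([seq, record_id, action, content, actor, timestamp, prev_hash],
                         separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class RecordLog:
    """Append-only store: every change is a new entry chained to the previous one."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def _append(self, record_id: str, action: str, content: str,
                actor: str, when: datetime) -> Entry:
        seq = len(self.entries)
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        ts = when.astimezone(timezone.utc).isoformat()
        digest = compute_hash(seq, record_id, action, content, actor, ts, prev_hash)
        entry = Entry(seq, record_id, action, content, actor, ts, prev_hash, digest)
        self.entries.append(entry)
        return entry

    def _versions(self, record_id: str) -> List[Entry]:
        return [e for e in self.entries if e.record_id == record_id]

    def record(self, record_id: str, content: str, actor: str, when: datetime) -> Entry:
        if self._versions(record_id):
            raise ValueError(f"{record_id} already recorded; use amend()")
        return self._append(record_id, "record", content, actor, when)

    def amend(self, record_id: str, new_content: str, actor: str, when: datetime) -> Entry:
        if not self._versions(record_id):
            raise KeyError(record_id)
        return self._append(record_id, "amend", new_content, actor, when)

    def current(self, record_id: str) -> str:
        return self._versions(record_id)[-1].content

    def was_amended(self, record_id: str) -> bool:
        """Para 5(b)(i): has this record ever been amended?"""
        return len(self._versions(record_id)) > 1

    def history(self, record_id: str) -> List[Tuple[str, str, str, str]]:
        """Para 5(b)(ii): every version, oldest first, with who made it and when."""
        return [(e.action, e.content, e.actor, e.timestamp) for e in self._versions(record_id)]

    def verify(self) -> Optional[int]:
        """Return the seq of the first entry whose hash or link is broken, or None if intact."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            expected = compute_hash(e.seq, e.record_id, e.action, e.content,
                                    e.actor, e.timestamp, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
                return i
            prev = e.entry_hash
        return None

    def retention_deadline(self, record_id: str) -> datetime:
        """Para 4(a): earliest date the record may be disposed of."""
        first = self._versions(record_id)[0]
        return datetime.fromisoformat(first.timestamp) + MIN_RETENTION


def demo() -> dict:
    """Constructed sample: two captured messages, one lawful amendment, one silent tamper."""
    log = RecordLog()
    t0 = datetime(2023, 9, 1, 9, 30, tzinfo=timezone.utc)
    log.record("msg-0001", "buy 10MW baseload Q4 @ 95", "capture-service", t0)
    log.record("msg-0002", "ok, confirm", "capture-service", t0 + timedelta(minutes=1))
    log.amend("msg-0001", "buy 10MW baseload Q4 @ 96", "compliance.officer", t0 + timedelta(days=2))
    # Simulate an edit that bypasses amend(): rewrite entry 0 in place.
    tampered = RecordLog()
    tampered.entries = list(log.entries)
    tampered.entries[0] = replace(tampered.entries[0], content="buy 10MW baseload Q4 @ 90")
    return {
        "intact": log.verify() is None,
        "amended": log.was_amended("msg-0001"),
        "before": log.history("msg-0001")[0][1],
        "after": log.current("msg-0001"),
        "retention_until": log.retention_deadline("msg-0001").date().isoformat(),
        "tamper_detected_at": tampered.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

The chain only proves something if its head hash is anchored somewhere the log’s own operator cannot rewrite (for example, periodically exported to write-once storage or handed to the authority), since whoever can rewrite every entry can recompute every hash; the access controls and event-logging around `amend()` are what tie each version to a named actor.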

An organisation might alternatively consider developing and providing its own app to facilitate compliance with reg 8, rather than relying on a third-party product. As reg 8(2) makes clear though, it is not just text-based communications that must be dealt with, but any telephone conversation or electronic communication, including voice notes sent as messages, as well as video calls and images shared between users. We’re now in the realms of the Privacy and Electronic Communications (EC Directive) Regulations 2003. Depending on the functionality of the organisation’s application, some telecoms advice might also be needed, as well as guidance on potential obligations related to the organisation’s provision of user-to-user services under the UK’s Online Safety Bill.

Of course, none of the above touches on Ofgem’s finding against Morgan Stanley that its policies were insufficient to protect against the sending of messages between traders on their private mobile phones in the first place. Stopping data if it cannot be accessed is no mean feat. While the details in Ofgem’s action against Morgan Stanley are scant, it seems that even a combination of email reminders, self-certification procedures and training specifically focused on the misuse of WhatsApp might not be enough. From Ofgem’s notice, the conducting of internal investigations and taking of internal action appears to be a sizeable part of what is required to tip the balance toward compliance under the 2013 regulations, and, in this respect, other technologies might usefully be employed. While it might prove impossible (if not, potentially, unlawful) for an organisation to monitor an employee’s use of messaging services on their private devices, artificial intelligence (AI) might help an organisation to monitor for issues. AI could potentially detect patterns of trades indicative of behaviour which is prohibited by the 2013 regulations. Such conduct could then be investigated and stopped. A tech lawyer with knowledge of AI and its regulation could then help keep the organisation on track, by ensuring that any necessary algorithmic impact assessment is completed, or that any potential oversight requirements and obligations towards individuals subject to or adversely affected by high-risk AI systems are met, depending on which jurisdictions are engaged and which regulations apply.

There is now an ocean between us and the original (and more obvious) idea of a solution based on blockchain, for which a particular type of tech law expertise (or tech lawyer) might initially have been sought.

A better, broader approach

What quickly becomes apparent from reg 8, as well as from Morgan Stanley’s recent problems, is that there are typically a number of technologies to consider, areas to be advised on and decisions to be made when it comes to matters of tech law. Often there are several legislative and regulatory frameworks in play, and, increasingly, there are cross-jurisdictional issues for the tech lawyer to be aware of and advise on too.

It might seem, in consequence, as though there must be a lot of fast-moving and constantly changing parts for tech lawyers to have to keep up with, thereby making tech law specialisms the inevitable and inescapable starting point for an organisation in need of assistance. But the reality is that the basic building blocks of an organisation’s tech law requirements are actually fairly common, even when it comes to leading-edge products and services: an understanding of data repositories, data processing, basic system and software architecture, network protocols, privacy, contracts, intellectual property, software licensing, et cetera. However conventional these terms might sound, it would be hard to point to a recent digital technology that didn’t bring together most if not all of these elements. Even when the technology set has been chosen, the tech lawyer will still need an understanding of all the aforesaid to ensure the connections and any legal issues that may arise between the different components are not missed.

Tech law done well is not about starting out in a silo with a particular buzzword or specialism in mind. Good tech law comes from advisers with a solid grasp of the basic foundations of law and technology that underpin even the latest tech innovations; lawyers who can, as a result, identify and advise on the best solution for a client’s needs.

Article first published by New Law Journal on 13 October 2023.

Paul Schwartfeger on 30 October 2023