Following recent enforcement action by the UK Prudential Regulation Authority (“PRA”) against Wyelands Bank, which was partly based on its failure to retain business-related messages exchanged by senior executives and directors, regulated firms may want to review how they handle employees’ use of personal devices for work purposes. The PRA strongly criticised Wyelands’ lack of record-keeping policies and procedures to manage the use of WhatsApp communications, which the PRA found had prevented the bank’s Board and Risk function from effectively scrutinising transactions, as well as hindering the PRA’s supervision and investigation activities.

The importance of this issue is reinforced by reports late last year that the Supervision division of the UK Financial Conduct Authority (“FCA”) had sent information requests to a number of firms regarding the use of private ‘off-channel’ messaging apps. In January 2021, the FCA had already highlighted the challenges and risk of misconduct arising from the increasing use of unmonitored or encrypted communication tools, emphasising that communications must be recorded and auditable.  U.S. authorities also imposed penalties totalling almost $2 billion against firms last year on the same topic (see our recent updates here and here).

What are the UK requirements?

UK rules applying to regulated entities do not prevent the use of personal devices or messaging apps to conduct business. However, in brief, firms are obliged to:

  • Take all reasonable steps to prevent employees from sending or receiving electronic communications on privately-owned equipment that the firm cannot copy;
  • Retain a copy of electronic communications relating to a specified, but very broad, range of business activities for five years (or up to seven years where requested by the FCA); and
  • Implement systems and controls to ensure compliance with the monitoring and record-keeping requirements outlined above (the same rules also apply to telephone conversations).

What action should firms take?

Different approaches may be required depending on existing practices and the communication tools being used. It is possible for off-channel communications to continue, but there needs to be some way either to record these automatically (with monitoring software) or else ensure that they are captured and filed soon afterwards (which may be a manual process). Firms should consider:

  • Regularly reviewing and tailoring their policies and procedures, especially to adapt to new communication apps and changing work practices;
  • Clearly communicating any changes (or reinforcing existing procedures) to all staff, including a note from senior management;
  • Asking staff to provide a specific periodic attestation that they are adhering to the procedures;
  • Monitoring and testing compliance with the procedures, e.g. by sample testing whether all key communications with the customer or counterparty relating to a particular investment or trade can be identified in the firm’s systems and records;
  • Reviewing the appropriateness of using tools that can be downloaded onto employees’ mobile devices to retain business data; and
  • Establishing the duration and scope of historical non-compliance, so that they know where there are likely to be gaps in record-keeping.

Similar considerations may also arise for firms when dealing with the use of novel communication platforms on business devices.

What data privacy issues could this raise?

In developing and implementing policies to address the use of personal devices for business purposes, firms in the UK will need to consider carefully additional complications posed by the UK General Data Protection Regulation (“GDPR”). GDPR obligations are not avoided merely because a policy is directed at business information on a personal device.

Establishing a lawful basis for monitoring and accessing employees’ personal devices can be particularly challenging, especially where such access is broad in scope or undertaken on an ongoing basis. There are difficult questions regarding if and when consent will be a lawful basis for such processing, and if not, the circumstances in which firms may be able to rely on other grounds (such as being necessary for compliance with legal obligations, or legitimate interest). In all cases, firms will want to ensure they are communicating with employees in a direct and transparent manner about how their personal data is handled and to process such data with great care, given the risk of incidentally or inadvertently collecting non-business-related personal data.


To subscribe to the Data Blog, please click here.

The cover art used in this blog post was generated by DALL-E.


Karolos Seeger is a partner in the firm’s White Collar & Regulatory Defense Group and International Dispute Resolution Group, based in the London office. He is also a member of the firm’s Management Committee. His practice focuses on white collar crime and internal investigations, in particular regarding compliance with corrupt practices legislation, conducting compliance assessments and creating and implementing appropriate compliance programmes and procedures. Mr. Seeger also advises clients on a wide range of specific sanctions issues and has experience in complex litigation and international arbitration matters.


Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at


Andrew Lee is a litigation associate based in the London office. He is a member of the firm’s White Collar and Regulatory Defense Group. Mr. Lee’s practice focuses on regulatory, criminal and internal investigations for financial institutions and corporates.


Aisling Cowell is an associate in the Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group. She can be reached at


Tristan Lockwood is an associate in the firm’s Data Strategy & Security practice. He can be reached at