99 comments

[ 2.8 ms ] story [ 112 ms ] thread
Title from article: "JPMorgan hit with $200 million in fines for letting employees use WhatsApp to evade regulators' reach"
(comment deleted)
Without the regulation part, the titles makes it seem like an easily dismissible bureaucratic issue.
That's exactly what this is. Bear in-mind that the SEC wrote this title. It was never litigated in court. The fact is that some JPM employees used WhatsApp, and the SEC hasn't the slightest clue what they were talking about. WhatsApp is the most-used communication medium in the world, and JPM employees, as people, sometimes need to use it. JPM probably had a rule in-place that said "never use WhatsApp for business communication," and the SEC has decided that rule isn't enough, and they want to de facto ban all broker dealer employees from using the most important messaging system in the world.
I'm talking about the title of the article -- the one written by CNBC.
I’d be pretty embarrassed if I was JPMorgan and I hadn’t profited at least ten times that much from illicit private messaging.
What type of illegal activities were they doing that generated $2B in profits over 2 years?
Insider trading, market manipulation, every trick possible?
I certainly don’t know. Maybe they didn’t, in which case it’s embarrassing.
If you were profiting from from private messaging, it would either be at the expense of your employer or your client. Even if the second case, JP Morgan is taking on reputational risk, so at the very least they wouldn't encourage it.
JP Morgan is _notorious_ for profiting at the expense of their clients, even to the extent of calling clients names in internal communications when they're selling them "solid investments" that they know are junk. They've been charged with 5 felonies in the last 7 years or so, always with deferred prosecution agreements and multi-year probation, but enforcement is still rather weak, considering the net profit they've been able to achieve from those actions. And I don't think it's unreasonable to assume that is only the tip of the iceberg.

It's a large organization, sure, but at this point one has to ask just how much they "wouldn't encourage it" or how much do they actually institutionally discourage it.

Ten times 200m would be 2bn. JPMs revenue is 36bn. So you have to make over 5% of the companies whole revenue just from your WhatsApp account.

And that's just revenue. If the profit margin on your deals was 20% (pretty whopping for banking services) you'd need to bring in 10bn in revenue. That would mean doing maybe $1tn worth of deals.

Does this mean that WhatsApp is secure or that this particular agency didn’t care enough to break the encryption?
unknown. seems like they were being punished because their employees used whatsapp for business communication, not that it was discovered the employees used whatsapp and did something illegal
If WhatsApp encryption can be broken, there is no way the agencies capable of doing so would share it with the lowly SEC. That would be a top level state secret.
On top of that I assume that the NSA (mostly) still has a PRISM-like programme in place, it would be foolish to assume otherwise. More exactly I do think that they (NSA and some other agencies) still have direct access to the servers of Google, MS, Facebook and Apple.

But I 100% agree with you, such lowly use-cases like the SEC chasing some bankers don't register on NSA's (and similar agencies') radar, it's only money, after all, I think they're more interested in dealings involving power itself.

The SEC is pretty much a nobody when it comes to 3-letter agencies. See how Elon Musk challenges them publicly and all he got in return was a slap on the wrist.

On a related note, the major issue with the SEC as highlighted by every knowledgeable commenter is that they have a revolving door shared with the same banks and organizations they are supposed to monitor. People leave SEC and join Goldman Sachs or JPM and then when new administrators come in they rejoin the SEC. It’s corruption at an unprecedented level.

> See how Elon Musk challenges them publicly and all he got in return was a slap on the wrist.

Publicly challenging them is not illegal or even bad so that seems reasonable.

He got much more than a slap on the wrist, he go removed from his chairman incestuous position from Tesla. It's the first red flag of bad governance when the CEO is also the chairman (others are to have the board full of family members and overly paid sycophants, I let you google who s on Tesla board).

This will eventually be the starting point of a very slow reform at Tesla, so not a bad deal.

No, they were fined because bankers must only communicate via channels that are monitored. By using whatsapp, they bypass all the internal and external audit/compliance teams.
No doubt widespread and certainly not a good idea for oversight, however, the insinuation that all usage was due to employees wanting to avoid oversight isn't correct. Particularly during the pandemic, employees were forced into communicating using messaging software and many prefer to communicate using software with a good user experience.

The messaging software used within banks (e.g. Symphony) is really awful and it is particularly bad when you're no longer able to speak to clients in person.

They should improve the messaging software they use, on top of getting everybody to do the training for the 100th time, etc.

Old slick Jamie Diamond knew exactly why his guys were using Whatsapp.

"Federal law requires financial firms to keep meticulous records of electronic messages between brokers and clients so regulators can make sure those firms aren’t skirting anti-fraud or antitrust laws."

I'm shocked they were doing this since 2018.

Diamond probally wishes he had this tech when he was an apprentance.

One of the big things I was told repeatedly while working for a financial institution is that the appearance of impropriety is, in many cases, just as bad as actual impropriety, and this is why. Oh, you avoided oversight because you wanted to have a better connection with your client? Well, too bad: everyone is now assuming the worst because assuming anything less is how people get away with the worst.

And, frankly, it's hard to assume positive intent. These are bankers, they should know this. If they knew it and did it anyway, then yeah, I'm glad they got hit by the fine and I don't really have any sympathy for the blight of bad chat software.

Does this mean that we're training bank employees that "If something looks bad, you might as well do the actual bad thing because the punishment is the same"?

Could this have the effect of actually increasing incidents of bad behavior?

No, it has the opposite effect on me, a bank employee, to immediately report everything weird because even if I do nothing wrong, want banks to behave legally, and have never personally traded a stock in my life, the appearance of impropriety is just as bad as actual dishonesty.

Never did it make me think I could just as well front run clients with a secret account since forgetting to disclose an old account I never used was bad too. I declared late that old account and apologized instead, for instance.

I think these rules are, like all rules, also mostly to draw responsibilities in case of trouble: they do nothing to prevent a criminal to crime, but once the crime is done, he cant claim he did everything by the book if the book was so clear.

I agree that you can't discern the difference between the appearance of impropriety and literal impropriety and shouldn't try to.

My point is that the existence of fines and non-stop training courses drilling in the correct messaging software to use to all employees doesn't end this behaviour. Do we increase the punishments or require more training courses to be taken? Will that have any effect?

I'm suggesting that if we really care about reducing impropriety we should also improve the software in use.

The fines are what will make the software improve. Someone was slacking on that for years but now they have to pay enough that they could have lavishly staffed an entire company if they could use something like Teams.
You're assuming they didn't make more than $200 MM by evading regulations. I'm willing to bet they made significantly more than this and will continue to operate profitably as that is their business. This fine is barely 1% of their quarterly profits.
I was responding specifically to this thread, which is not assuming malice but was arguing that bad software incentivized using WhatsApp. In that case, licensing or building anything would be cheaper.

If this was done for malice, I agree that the fine would have minimal effect.

Fair point. My mistake.
No worries — I certainly wouldn’t rule out malice from them but in this case general IT mishaps seems entirely plausible.
No I think it's never that simple. I would agree they shot themselves in the foot and it s fair game to assume as much, but in reality it was a sentiment of systemic impunity laced with laziness, most likely.

This also means that since financial crime most arises out of opportunity rather than genetic predisposition, this would eventually have let to it if it had not already. The fact the SEC discovered it during investigations doesn't sound very good in that regard.

And a lot of non finance people always dismiss fines because they sound small vs the whole group profit, but damn 200 mil it s a team entire year of profit and it would fuck me to hear the bank had to give it back because assholes couldnt get bothered to transcribe whatsapp into emails at the very least.

I hear these arguments over and over again. 'The fines are significant and surely it won't happen again!' And yet, the same things keep happening over and over and over again.

Please point me towards some examples where these types of fines actually changed how companies do business, because as far as I can tell they keep getting fined for the same things over and over again and they keep making record profits!

I can dig up examples where banks are fined hundreds of millions when they made billions. Why should I believe this is any different?

Personally, I don’t think it matters what amount the fine is. Fundamentally, short of putting all your employees in a Faraday cage, it is not possible to prevent this activity.

I think it can be reduced, and good software can help, but stamping it out is impossible.

Please note that this comment only refers to this rule in general, not to the specific JPM instance.

This is incorrect. When you work in a heavily regulated industry such as Finance, everyone knows the basic requirements of official record keeping and process. The industry has a long history of being hit with "slap on the wrist" type fines for things exactly like this ie, using unofficial tools and software to communicate.
I've worked in finance for a long time, I don't buy this line. People are getting told all the time that they need to use certain tools, they know what the rules are. You can't just set up your own line to clients just because it's convenient.

It's not like everyone is doing illegal stuff just because they can set up WhatsApp either, it's just it's been drilled in so many times, there's no excuse.

Your experience is anecdotal, and I have anecdotal experience directly to the contrary.

Laws don't stop people who don't know, don't understand, don't care, or some combination.

Sorry but what is anecdotal about this? It's well documented that there are rules that people are told.
Please tell me the rules, since you're so knowledgeable and the rules are so obvious. I worked in finance. I read our company's rules. I attended compliance meetings every year. And I could not tell you for the life of me if a co-worker WhatsApped me to ask if I was coming to a bar on a Saturday, if we were violating any rules.

The line between personal and business isn't black and white, and broker dealers are required to neatly separate them into "things you can talk about here and nowhere else" and "things you can only talk about elsewhere and never here." Oh, and to boot, WhatsApp is encrypted, so you never know what people are talking about anyway. So, even if they are talking about personal stuff as friends, the fact that they could have been talking about business can make it a fineable offense, even though they wouldn't have been allowed to talk about it in work channels.

So, please tell me exactly why this is such an easy thing to follow.

My personal view is that the SEC just wants to ban all finance employees from ever being allowed to use encrypted messaging (9mm people in the US), which would then put pressure on Facebook to decrypt its messenger (the government's actual goal). And they know that going after places like JPM will get all the finance-hating public riled up, and ignore the fact that this is just one more example of the government trying to get more power to spy on people. Just my take.

This is simple - don’t text clients (Zoe anyone if you want to do it right) about either a security, company information, or client information.

If your friend texts you about AAPL, then you email him back or call him. The rule is pretty clear.

You're the third person to reply to this with a third, different answer. It sounds super 'simple' as you put it. You should call the lawyers I consult with on this topic and let them know they're wasting all their time trying to figure it out.
I get it. Our lawyers have been clear to us on this topic, but I understand lawyers don’t all have the same advice. This advice has worked for us and we all have to sign a document every year that we don’t text clients.

That being said, the rule is way behind the technology. Most people use texting in place of talking, which has different requirements (sometimes very different requirements).

My guess is your lawyers have been very clear about communicating to you what they believe is the best course of action, but nothing in securities law is ever clear. The laws are intentionally vague and leave a ton of enforcement discretion, and every single new fine forces the lawyers to readjust their interpretations.

Refraining from texting clients is not sufficient. You also cannot send an undocumented message to your coworker talking about how you’re going to approach a meeting with a client. But you can talk about how you think the client’s toupee is funny, unless the SEC is mad at you, then they will interpret this as a business communication and fine you. And I think it’s terrible that HN is on the side of making these terrible, vague, ‘regularly capture’ laws simply because the SEC put out a memo detailing allegations that were unlitigated in court and because big banks bad.

You’re correct on both counts.

For the first one, the lawyers summarize it as this: “another only should you not cross the line, you should stay as far away from it possible to give the most clarity to your actions for the regulators”.

> My personal view is that the SEC just wants to ban all finance employees from ever being allowed to use encrypted messaging (9mm people in the US), which would then put pressure on Facebook to decrypt its messenger (the government's actual goal).

I’m afraid your completely off base on the purpose of these regulations and the interests of the SEC. Don’t feel bad or take this personally, such misunderstanding are common outside the industry, until I worked for an investment bank I didn’t know any of this either.

The purpose of the regulations is auditability and accountability. Financial institutions must record all communications pertaining to trading so that it can be scrutinised by the SEC and provided to courts in case of a dispute.

The SEC is absolutely fine with these communications being encrypted, as long as they are logged by the employer.

The SEC has no problem whatever with people in finance using Facebook for private communication that’s nothing to do with trading, where then it’s encrypted or not, because that’s entirely beyond their remit. However persons covered by the regulations may be required to provide copies of their private communications, in order to show that they were not using those channels to discuss regulated activity. They have to sign contracts affirming that they will do this if requested to.

Don't feel bad. I've been in the industry. I've been fined for failing to log communications properly. I've been in conversations with Katten about this very topic, and you are not correct.

My fine happened to be that we logged every single piece of email communication, but we used a vendor who wasn't Finra approved to do the logging. The idea that the SEC cares about logging communications is most certainly the pitch that they give for why they're doing what they're doing. But it's not reality.

These fines exist for exactly two purposes: (1) so the government can put out PR that they're totally doing their job and regulating the banks, when we all know they are just a revolving door to the banks. And (2) to create 'regulatory capture' for the banks, who will gladly fork over a few hundred million per year so long as it makes it too difficult for their competitors to navigate the regulatory landscape. As we were told, there's mostly nothing you can do to avoid the fines. They invent a new reason to fine you ever year. View it as a tax, and hope they don't raise the taxes next year.

> The SEC is absolutely fine with these communications being encrypted, as long as they are logged by the employer.

From a factual standpoint, this is just wrong. Unless you mean they log the decrypted messages. The SEC has rules about the format you must log in, and encrypted is not one of them.

> Laws don't stop people who don't know, don't understand, don't care, or some combination.

So what? That doesn't take away from the credibility of the insinuation.

The rules in finance are clear. On top of that, every year you have to certify and confirm that you followed them. Willingly certifying to the contrary on a legally binding document has serious consequences. Sometimes to the tune of $200M…
It's the responsibility of the multi-billion dollar financial institution to ensure that their employees know the rules via regular trainings. This isn't mysterious.
> Laws don't stop people who don't know, don't understand, don't care, or some combination.

There is litterally zero opportunity to not know or understand. The only reason to flout the rules is if you are either stupid, hate getting paid your bonus or straight up want to be fired.

Annecdoteally, I have personally been involved with multiple firings of people for breaking these rules. Not a single one is emplyable within the finance industry as a result.

I'd be interested to hear your counter anecdote.
If you're working in finance and don't know or don't care about applicable laws. It's no wonder you employer is racking up fines.
I'm sorry, but this is a top rated 'dumb' post of they day. Would it be fair to assume you dont actually work in finance, and therefor are posting about a topic you know very little about?

If you did work in finance, you would know that you are required to attest that you will not do things like this.

The attestation is very clear, and a legal contract you signed.

Posting "dont know, dont understand, dont care" doesnt work. The attestation was signed, you said you understood it and agreed to adhere to the rules.

Ignorance of the law has never been a valid excuse, the superior courts of almost every country in the world have ruled this way.

your anecdotal experience isn't relevant, the attestation is.

The argument the SEC presented however is that it hindered investigations which means it was extreme. There s no excuse dropping an email with the details of the communications out of channel was impossible, even by hiding the fact it was out of channel: after all you could meet the client on premise and discuss the same things with no record and everyone would agree an email memo should be shared.

Here it feels like it became completely normal to take decision completely out of record, and with no way to trace who said what when, no way to defend themselves out of suspicion, which is why we keep records in banks in the first place.

No, it's correct. There's no reason to use WhatsApp, and all reason not to use WhatsApp, except if you want to avoid oversight.

Working in finance, in general, isn't "good user experience". Compliance manuals (reread yearly!), compliance training (e.g. anti-money laundering even for employees that have no contact with any cash, bank accounts or clients), trading oversight/restrictions, ... But people do it because it is (might be) worth the money.

"All communication must be recorded" is the least of these nuisances. People who avoid it are doing so willingly, for a reason.

Edit: Also, judging by the title, this is next level bad: JPMorgan "letting" means they knew and didn't do anything against it (e.g. fire employees or report them to the authorities). Normally the punishment for these kinds of things is severe, you can easily get "cannot ever work in finance again" by the regulator.

This is all very incorrect, and I am surprised someone so intelligent and literate would ignore the obvious flaws in an argument like this.

(1) all of your evidence comes from the prosecution side of a legal argument. None of their claims were litigated in court. And you should know better than to think lawyers defending their clients make honest accusations.

(2) there are tons of good reasons to use WhatsApp. It’s the most used digital messaging platform in the world. Are all JPM employees supposed to just cut off communication with their European friends? Never talk to anyone from a country worried about spying and thus using encrypted messaging?

It’s shocking to me how quickly smart people on HN can forget about the virtues of encrypted messaging the moment Big Brother sticks a bank with a fine and makes insinuations that they maybe could have maybe been using it to make money in an unsavory manner.

Obviously they can use WhatsApp to discuss personal matters. That's not what this is about, according to the article:

> Even the managers and senior personnel responsible for compliance used their personal devices to communicate sensitive business matters, the SEC said.

You are deeply, profoundly misguided on this. The regulations on communications in finance, and what kinds of communications are covered by these restrictions and which aren’t, are clear and well understood in the industry.
> Are all JPM employees supposed to just cut off communication with their European friends? Never talk to anyone from a country worried about spying and thus using encrypted messaging?

What has "don't use Whatsapp for business communication, ever!" to do with "cut off communication with their friends"?!

Because life and business do not have clear delineations. The rule at my company became never use these communication tools at work: except work for investment bankers is 100 hours a week, except your friends and coworkers become the same people, except business is everywhere, so it's impossible to have a conversation that isn't at least business related when everyone you know wants to talk about the stock market.
FTA : “Federal law requires financial firms to keep meticulous records of electronic messages between brokers and clients so regulators can make sure those firms aren’t skirting anti-fraud or antitrust laws.

If you don’t want to follow this law, then don’t text your clients. It’s that simple.

Also, every client has email, which is compliant. Use that. [0]

I’ve worked in finance for years - this is a simple rule (although hard for firms to police).

"It takes 20 years to build a reputation and five minuted to ruin it. If you think about that you'll do things differently" --Warren Buffett (b. 1930)
An issue here may be that the people involved may think it's better to look clever than to be hide-bound
The beauty of the financial and many others ( see oil, tobacco, cable, health ) industry is that they have a bad reputation but still manage to be politically favored. Once you have achieved the status where your broad reputation doesn’t matter as long you keep political leadership in check you really have won the game.
(comment deleted)
In my last trip to South Asia I was surprised banks using WhatsApp to request identification documents.
What matters is to they keep record of these whatsapp requests, not that they use whatsapp. If they screeshot all the chats one by one print them and airmail them to the SEC in postcard format, this is still ok. Saying "oh snap we dont know why we traded 5M of this just before a market moving event because we lost employee communication" is not ok.
I don't actually like this dual agency enforcement action at the same time, when Gary Gensler at the SEC was also chair of the CFTC several years before.

Its really clear that he is coordinating this and making it more likely to stick by splitting each cattle prod between the agencies.

This would be more convincing if you had specific reasons, unrelated to the enforcement, that JPM shouldn’t be punished for this.
no, I don't, I think Gary Gensler is uniquely dangerous and that the oversight is inadequate. Its not about JP Morgan. Its about him exercising his craftily accumulated power. Would have totally flown under my radar if it was just the SEC for now, or just the CFTC for now. But the simultaneous thing rings the alarms for me.
Normally people say that power is being wielded dangerously when the power is used to do something disagreeable. Simply enforcing the law correctly doesn’t seem dangerous to me.
More perceptive people separately consider the means and goals. Just because power is currently being used in a way that you agree with does not imply that the power is not dangerous. See "nothing to hide, nothing to fear" and "think of the children" as distractions to keep people complacent while excessive power is accumulated. After that, the excuses become unnecessary and the power can be used for any goal, aligned or unaligned with the people.
You still haven’t given an example of how coordinating the two agencies can lead to a bad outcome. If all that can be done is enforce the law, then there is no issue. You keep implying something extra-legal can be done through the coordination, but aren’t providing any specifics.
oh, context is important then. those agencies are bullies. many times they operate under broad and ambiguous fraud/compliance statutes that don't specifically codify the infraction they disagree with. this puts all market participants in a constant guessing game with them, some more than others. so its Christmas and they want a kickback before the end of the year, whatsapp bro? send the money to our Miami field office, kthxbai.
that's a feature and not a bug because a regulatory agency without leeway and too strict formal requirements in reality has no ability to deal with actors who know how to maneuver around them and is toothless.

That market participants don't know how far an agency can go is equivalent to Israel's nuclear policy, little bit of ambiguity and uncertainty has a deterrent effect. And if anything given how routinely market participants still abuse every little trick they can regulators aren't scary scary enough.

And no offense but you've got "fintech, commodities and digital assets" in your bio, are you by any chance making money off some underregulated crypto scheme and have been at the receiving end of regulatory action?

Hahaha good catch, no, have not been sanctioned by a financial regulator :) like, I would be defensive about that but its a routine question every financial institution asks during onboarding or account creation

I’ve felt similarly about these agencies long before I brushed against their purview

JPMorgan has been fined 191 times for over $35B since 2000.

https://violationtracker.goodjobsfirst.org/parent/jpmorgan-c...

"Oh, $200M? Yeah just stack it over there with the others. 'k thx bye."

a few months ago somebody in NYC asked me if I felt unsafe temporarily living in a certain part of Harlem.

my response was, paraphrased: "no, you want to know where the actually dangerous criminals are? down near wall street/broad street/beaver street".

Pithy, but unpersuasive.
This sounds clever but really isn’t.
I suppose it depends on your opinion about how many of the people responsible for the 2008 financial crisis should have gone to prison, but didn't. Or whether you are old enough to have been an active participant in the economy from about 2000 to 2012.

I also wanted to give them an intentionally nonsensical answer , as the origin of their query and conversation seemed to be trending towards a racist dog whistle that I should be extremely concerned for my personal safety in the center of Harlem based on my appearance.

Clearly the question was about physical safety but you thought injecting your views of Wall Street would be a clever way to call out their subconscious racism?
How is wanting to avoid areas with above average levels of violent crime “subconscious racism”?
Based on your appearance? No, but you should be concerned for personal safety in an area with 200%× the national violent crime average, seems ridiculous not to.
(do not work in finance so excuse the dumb question but) if there is this requirement for all employee communications to be tracked for compliance purposes, how are/were face to face meetings recorded? Or just chatting in the corridor? Is that not allowed?
They're required to keep minutes from face to face meetings for compliance. Of course people still talk informally but they need to know to constraint what they talk about in those circumstances. This likely was triggered because some employees were using whatsapp to evade compliance checks on topics that should have been regulated.
...Admittedly I've been in smaller fintechs where that isn't a problem, but holy hell, why would anyone work somewhere where you couldn't even talk in the hallway? Insane.
Accountants, traders, executives, bankers, etc all have strict rules designed to avoid the appearance of impropriety. However, it seems that members of congress are held to a much lower standard.
I work in finance and, for compliance reasons, we've been trying to stamp out employees using WhatsApp but it is basically impossible.

No matter how much we threaten disciplinary action in our handbook, people still use it, they just hide it more. Obviously we have no way of proving it, but we can see people doing it when the office is open. The financial regulator says we should use technology to reduce WhatsApp use - but given it's happening on personal phones, I'm not sure what we're supposed to do. Obviously nobody would accept company spyware on their personal phone.

Is there some solution to this issue that I'm missing?

Lobby to change the rules because they're ridiculous, or develop a method that makes it impossible for them to get caught?

It just makes no sense to me on the face of it. What do you do if they have a chat in the pub after work, bug the table?

For clarification, a chat in the pub is not “written communication”, and therefore has a different rule.

Yes, it’s dumb, and your point stands.

Why exactly is WhatsApp a problem?

After further reading I'm torn. This feels like regulatory overreach. The only measure I can think of is supplying a company phone and doing everything possible to encourage people to only use their personal phone for non-business work.

This is up to and including being tolerant of personal use of company phones within reason.

Otherwise, you're hosed. There's really no way to comply. Strangely enough, I'm both in favor of, but abhor this type of regulation.

Yes. White collar insider trading needs this type of draconian control to chart info flow...

Yet yeeech! It makes me want to puke. I do not envy you. Godspeed.

> The only measure I can think of is supplying a company phone and doing everything possible to encourage people to only use their personal phone for non-business work.

This also assumes life can be neatly separated into business and non-business.

That's less of an issue. If it has to do with a client. Keep it on the official medium. The more interesting bit is how to balance regulated comms with labor organization.

Now you're looking at 3 phones. Which is why this entire drive to have records of every comm is smelling of overreach; but again, with financial crime, the only way to stamp it out is following this type of draconian paper trail practice.

I don't see a non-paimful solution here except potentially those who work in the financial sector agreeing to be bugged, and even then, if they're just going to get fined anyway...

I don't know. It just doesn't seem that hard to keep client related comms to official channels.

> If it has to do with a client. Keep it on the official medium.

I worked for a BD where we had zero clients. Your rule would have gotten us fined. Trust me, it's not as easy as you think. We've spend tens of thousands on lawyers who have in-turn spend thousands of hours thinking about this topic. You nor I nor the smartest person you know could stamp this out over an HN discussion.

The headline here reads a bit like "person takes mask off to eat a sandwich".

Obviously people use messaging software with their colleagues.

The correct solution is to design systems in which that isn't an issue. If you need to monitor what people are saying at all times then you have far bigger problems.

Either you didn't read the linked article (you generally should, before commenting) or you fail to grasp the issue at hand.

It's a wholly different situation if colleagues were just informally chatting with one and another but they were circumventing regulations that require talk about customers to be documented.

I disagree that there's an issue, saying that I "fail to grasp" it is needlessly insulting.
This problem is rampant in the military, to the point that orders are now often given over WhatsApp in some cases. There's been numerous security leaks as such, and any internal affairs seem to get out in a matter of minutes, with people forwarding it on to other group chats.