Not so long ago banks and financial services firms were poised to swear off social media and instant messaging. Faced with the Sarbanes-Oxley Act’s record retention demands and the risk of employees using social media communication for illicit behavior, the compliance risks outweighed the benefits.
That line in the sand blew away over time. Traders found that in-house messaging services—and even external offerings from Google, Yahoo, and AOL—offered speed and increased productivity. Executives glued to smartphones and tablets couldn’t be weaned off that addiction.
“Compliance wants it all locked down and controlled, and the other side wants as much information and speed of communication as possible,” says Cromwell Fraser, director of NICE Actimize’s communications surveillance portfolio.
Let’s be honest: The other side won.
That said, the ubiquity of these modern communication tools, and their eventual embrace by financial firms, has validated initial concerns. If you want proof, read the chat logs of individuals caught in the recent rate-rigging scandals for LIBOR and foreign exchange. You’ll find plenty of evidence all over those communications. Security of those instant messages is another concern, regardless of whether your employees are chatting about misconduct or anything else.
The latter concern explains the recent scrutiny of a new chat service aimed at banks. The program, called Symphony, is funded by a consortium that includes Goldman Sachs, Bank of America, BNY Mellon, BlackRock, Citigroup, Deutsche Bank, JPMorgan, Morgan Stanley, Wells Fargo, and others. Symphony also boasts that its built-in security measures can prevent “government spying.”
That claim caught the attention of Sen. Elizabeth Warren (D-Mass.). In August she laid out her concerns to bank regulators, the Securities and Exchange Commission, and other regulators in writing.
“The communications that Symphony will allow companies to hide from ‘government spying,’ such as text messages and chat room transcripts, have proven to be key evidence in many previous regulatory and compliance cases that have uncovered criminal action by Wall Street,” Warren wrote. She urged the agencies to assess how the technology could affect their enforcement efforts.
Warren even pointed to the LIBOR and forex rate-fixing scandals as evidence of her point. “It was the trail of such messages that permitted regulators both to discover and prosecute these financial crimes, resulting in this case in admissions of wrongdoing and a settlement of $6 billion in fines and penalties,” she added.
Also firing a shot is Anthony Albanese, acting superintendent for New York’s Department of Financial Services. In a letter to banks in July, he demanded that they report back on how they intend to use Symphony products; what personnel will be using them; whether Symphony will be used in conjunction with or to the exclusion of other communications services; how messages will be retained; and whether the encryption technology can be used to prevent review by compliance personnel or regulators.
Albanese also asked how the banks intend to prevent their employees from adapting the service to circumvent compliance controls and regulatory review.
The regulatory scrutiny comes at an interesting time for vendors providing chat services. In recent weeks many have added new features and services, and competition is fierce. Among the big name players in the space are Bloomberg, Markit, NICE Actimize, Intercontinental Exchange (through its acquisition of a Web-based chat platform), CME Group (an investor in Wickr, a start-up offering military-grade encrypted and self-destructing messages), Thomson Reuters, and Microsoft with its Lync service.
Here Comes the Problem
The challenge for compliance programs isn’t so much the need to archive and retrieve messages for e-discovery or regulatory exams any longer (although those are still headaches). The real problem is how to monitor chats in real time and keep pace with innovative ways employees are communicating. Even something as simple as a winking emoji could be a covert signal.
“Not only is compliance paying more attention to it; the regulators are requesting an evolution of how they approach it,” Fraser says. “Instead of employing a small team of people in the back to just listen or read random chat messages, you want to utilize those people to be far more effective and actually try to monitor for risk on all forms of communication.”
“Compliance teams are informing some of the technology decisions and seeking consolidation of the number of messaging systems to reduce risk and exposure, increase control, and reduce their firm’s total cost of ownership,” says Lesli Fairchild, head of compliance and administration for collaboration services at Thomson Reuters. “While needs may vary … the main themes to emerge have been around heightened controls, automation, alerting, and insight delivered through enhanced reporting capabilities.”
The following is a selection from Sen. Elizabeth Warren’s Aug. 10 letter to the Securities and Exchange Commission.
When banks fixed interest rates (LIBOR) in direct violation of the law, they used chat rooms and text messages to coordinate their activities, and it was the trail of such messages that permitted regulators both to discover and prosecute these financial crimes, resulting in this case in admissions of wrongdoing and a settlement of $6 billion in fines and penalties. The communications that Symphony will allow companies to hide from ‘government spying’—such as text messages and chat room transcripts—have proven to be “key evidence” in previous regulatory and compliance cases that have uncovered criminal action by Wall Street. If banks are now making this information more difficult for regulators to obtain and interpret, it could prevent regulators from identifying and preventing future illegal behavior.
[Warren also asked each regulator to respond to the following information requests by Sep. 6.]
Your agency’s existing rules for communications retention and encryption and whether Symphony may make it easier for financial firms to evade these rules.
The impact of Symphony’s ‘end to end encryption’ with ‘no back doors’ on your agency’s ability to obtain and interpret relevant compliance-related communications by financial firms.
The impact of Symphony’s approach to permanent data deletion on your agency’s ability to obtain and interpret relevant compliance-related communications by financial firms.
Those demands partly drive the fierce competition among vendors. Last December, Bloomberg launched its “Compliance Center,” a dashboard for compliance officers that provides the ability to block unauthorized employee communications before they are sent. Recently, Thomson Reuters added a feature to its flagship chat service, Eikon Messenger, which allows compliance officers to restrict who specific employees or departments are allowed to communicate with via chat. It also provides keyword controls that can block and flag terminology that might indicate a problem.
“In the wake of the LIBOR and FX fixing scandals, banks no longer allow multidealer communication between traders from more than two firms,” Fairchild said. “Unauthorized multilateral chat rooms are rarely sanctioned by compliance officials unless they are for legitimate business use and pre-approved by them.” A “managed chat room” allows a compliance officer to restrict or allow multilateral communications.
Digging through old chat logs to uncover evidence is one thing; finding misconduct as it happens is quite another, especially when participants speak in code words. This sort of monitoring requires smarter technology, Fraser says.
“The only way you are going to spot something is to notice that the words being used in the sentence are out of context,” he says. Technology is getting better at seeking out odd syntax, random words, and sentence structures that do not make sense.
In Fraser’s view, the solution is to combine technology with human intuition. “I would question any compliance officer who lets technology do all the work,” he says. “You need to be using the technology to try to focus what you want humans to look at. The technology is there to help you break down the noise. You can do a lot with the technology, but you are always going to need a sanity check from a human once the technology has made a decision.”
Denise Valentine, a senior analyst with Aite Group, suggests a risk management approach to chat monitoring. Before relying on technology, segment and prioritize who you are tracking and how deeply you plan to dig into e-mails, texts, or messages. For example, trader profiles can assist with surveillance. A change in that trader’s behavior can escalate matters to a compliance officer for further review.
When adopting surveillance technology, compliance officers also need to ensure that it is configured in a way that is easy for them to use. “This is confidential information,” Valentine says. “You cannot have the IT desk knowing everything.”