WhatsApp: A Reminder that MiFIDII Compliance is About Content not Channel
- Robin Smith , Technical Director International at Actiance
- 26.06.2017 12:15 pm undisclosed , Robin Smith has over twenty years' experience of security and compliance solutions within a wide range of networking and messaging systems.
As the FCA publishes its near final rules on MiFID II and fines a former investment banker for sharing confidential information over WhatsApp, now is a good time to look at why firms need to be able to find content and understand the context of a conversation quickly and easily, irrespective of the applications in use.
The nature of the modern world today is that we use different communications tools depending on their suitability to the message, the audience we’re addressing, and which device happens to be at the end of our fingertips at that moment. But we don’t just stick to one tool, even within the same conversation.
We bring others into a Skype for Business call, we banter with colleagues over IM about another conversation we’re having, we answer our phone to field calls from the boss, reply to emails that have been lingering too long in the inbox, mine Twitter for interesting updates, and check out the latest on Instant Bloomberg.
Sometimes it seems like a miracle the work gets done with all these channels of communication prompting us for attention.
Now imagine you’re a reviewer trying to piece together just thirty minutes in a trader’s life. There are five different types of communications tools to review and you need to be able to correlate what the trader said to whom, who else was “listening”, what their next action was, and then decide how to react. Did they really mean to release that information, or did they think they were talking to their boss and it was a genuine mistake? But also, regardless of their intent, is there a transgression that needs to be acted upon?
Take into consideration that even the somewhat more run-of-the-mill communications channels such as persistent group chat tools like Instant Bloomberg are no easier to review in either their native XML export or once converted to email. The search function isn’t really compatible with the content; the rooms often have hundreds of participants who come and go throughout the time span, which creates join/leave events that can hide message content. In some cases it can take up to half an hour just to review a single transcript.
That’s before you’ve even started on the other four communications tools used during that time span, including the phone conversation. Just searching retrospectively requires multiple user interfaces to be learnt, searches to be conducted and result sets to be merged. Consider also the Supervision requirement of MiFID II and the obligation to proactively highlight dubious content across all channels of communication employed by the regulated users.
How long will it take for the reviewer to realise there were four minutes during that time where no communications tool was used? What was he doing then? Had someone stopped by his desk, or is there another channel being used that you don’t know about?
Personal privacy concerns drive security in consumer communications, so there will continue to be business and technical challenges surrounding control and capture as individuals attempt to bring them into the enterprise. Blocking everything that isn’t email or corporate Unified Communications, isn’t the answer either as this could alienate the potential customer-base, resulting in them using a different supplier or alternatively drive the communications underground, neither of which is desirable. Most eComms networks, whether consumer or commercial have some level of service that provides a way for organisations to capture, control and monitor traffic, so there are truly viable alternatives for compliance aside from blocking.
Despite this, embracing newer electronic communications tools can be daunting for IT and compliance departments, but creating multiple archives for each type of communication is not the answer.
Electronic communications are forever evolving, increasing the number of networks, their complexity, and the volume of communications. Regulations such as MiFID II and GDPR are keeping pace, putting the content and context of conversations into the spotlight, irrespective of the network being used. The cost to organisations is potentially huge. Both in terms of tying up resources by using reviewers to do tasks that could be automated, and delays in discovery that increase regulatory risks.
Regulatory Technology (RegTech) aims to reduce the burden on firms maintaining compliance. For example, one particular segment is looking to artificial intelligence for cognitive or behavioural analytics to determine motivation or how a human reviewer would treat the content being analysed. But without a centralised content store of good quality data that provides an open interface for other developers to leverage, deriving value from these next-gen technologies will be expensive and drawn out as they need be integrated with all the communications tools ahead of any tuning that can take place.
Until firms centralise their communications archive and deliver it to reviewers in a single screen that contextualises the conversation, reviewing electronic communications will continue to be an onerous task.
As for the investment banker sharing confidential client information over WhatsApp, he might have been trying to impress those he was communicating with, but the Financial Conduct Authority (FCA) took a rather different view of the situation. Fully understanding the context and motivation behind his actions they said he “failed to act with due skill, care and diligence”, and his bank balance is somewhat lighter as a result.