The lost art

Compliance Tools

OpRisk & Compliance: Both the US and the UK regulators have frameworks in place for monitoring, storage and retrieval. How will the regulatory environment continue to evolve over the next 18 months, globally?

Alan Stewart, Open-Tec: It is highly likely in the coming period that regulators will tighten up their requirements of companies in how they manage and report their business records. For sure, there is going to be much more focus and audit from the regulators - after the recent challenges in the sector, there is a far greater expectation on regulation and governments to put in place stronger controls to ensure some of the current practices and certainly their consequences are not seen again in such a devastating way.

There is also likely to be specific interest in how organisations are storing and auditing the access and use of business records, as this can be directly linked to potential unwanted trading activities or business practices.

Dvir Hoffman, NICE: This is a very timely question. With the recent turmoil in the financial services markets worldwide, there are signs that the industry is on its way to becoming more regulated than ever.

Already, regulators around the world demand more from financial institutions when monitoring and investigating insider trading and market abuse. They increasingly require identification of relevant phone calls in addition to the existing transactional surveillance requirements. This calls for a solution that monitors not only trading transactions but also related voice conversations. This combination of monitoring will enable compliance officers to improve processes, and achieve broader and more effective cross-channel investigations.

Going forward, regulations themselves are likely to be more stringent than ever before, with the need to increase visibility into financial processes and the day-to-day operations of the back office. One such regulation is the European Union's Markets in Financial Instruments Directive, which was created to protect the investing consumer, requiring businesses in the EU to have procedures in place to report details of all transactions in instruments traded on a regulated market, and to more carefully monitor their traders' and service agents' interactions with customers. In addition, there is the new regulation from the UK's Financial Services Authority (FSA), which calls for brokers to record all phone calls with clients, and submit these phone records along with all the transactional details of particular trades, including the names of all the counterparties and the relevant transcripts.

We also expect the FSA's initial decision not to require voice recording of transactions made over mobile devices, such as mobile phones and Blackberries, to be overturned towards the end of 2009. This will be good news for investment managers, in freeing them from the office and enabling them to close transactions on behalf of their clients while on the road. Accordingly, the requisite technology to monitor these additional devices will also need to be implemented to ensure adherence to the new regulations.

John Enoch, Voxsmart: In light of recent turmoil in the financial markets, Voxsmart sees it as inevitable that the monitoring of employee activity within the financial sector will be increasingly important both to regulators and management boards in controlling risk. Having access to contemporaneous records of what was said or communicated is seen by regulators as an essential tool to deter or investigate market abuse.

The FSA has led the way with the publication of "Policy Statement 08/1" in March this year. From March 2009, certain landline telephone conversations and electronic communications must be recorded and retained by regulated firms for up to six months.

With the FSA estimating 41% of UK firms make "relevant" conversations on mobile phones and the comment from the FSA's consultants in PS08/1 that "it seems unlikely to make regulatory sense to record landlines if you cannot cover mobile phones as well", we expect that recording mobile phones will also be a handbook requirement in the UK from 2010.

Now the UK has set a precedent for recording certain telephone conversations, it is likely other regulatory bodies around the world will follow suit.

Mike Sullivan, Autonomy: The Emergency Economic Stabilisation Act of 2008 (EESA) signals a new era of US regulation, as does the FSA's COBS 11.8, which goes into effect in March 2009, requiring firms doing business in the UK to record, archive and make available audio conversations with clients. The impact will not be limited to the US and UK: the credit crisis is a global wake-up call. Many nations will be under pressure to enact regulations that help shield their markets and consumers from future crisis.

Key factors of the new era will be the required level of visibility and the aggressiveness of enforcement. Sections 111 and 127 of the EESA stipulate increased transparency, oversight and audits in addition to co-operation with the FBI and other law enforcement agencies. As the crisis moves into the courts, another wave of change will begin. Unforgiving courts will demand disclosure of all relevant content - including email and audio. For the board of directors, this means increased risk of penalties and litigation costs.

A more immediate challenge is the synchronisation of risk management policies in companies involved in the financial sector consolidation. Synchronising risk management policies across multiple organisations in the middle of a crisis, in an auditable, defensible manner, will require an information governance infrastructure for all types of communication that is massively scalable, flexible and deployable in short order. Autonomy is already working with industry players to provide a smooth and fully auditable transition. This is facilitated by the Autonomy Digital Safe solution, which can be configured and deployed in a few days to anywhere in the world.

OpRisk & Compliance: What are the risks that financial services can run if they do not have an effective email and telephone monitoring, storage and retrieval framework in place?

Dvir Hoffman, NICE: An effective telephone monitoring framework is necessary, for example, to enable secure and quick access to audio recordings; to save time for traders, compliance and IT personnel - particularly when the search for a particular call is related to a specific trade; and to provide full control over access to the voice-recording archives.

Whether required by law or not, the need for quick and reliable access to the calls relevant to transactions under inquiry - whether relating to disputes, litigations or other - is foremost. The failure to deliver these calls could result in high fines, damage to the firm's reputation and an increase in deal write-offs. Accordingly, an effective telephony monitoring, storage and retrieval solution is essential.

The ideal framework should provide automation of the workflow process, enabling users to access and replay sensitive information regarding business activity and customers' personal information, which is contained in voice archives, while ensuring this sensitive information is protected and access is carefully monitored.

When the framework includes interaction analytics technologies, firms can address the key challenges in regulatory compliance and corporate governance, such as preventing insider-trading breaches, ensuring best execution and detecting irregularities during blackout periods.

Using data mining and reporting capabilities, such a framework enables advanced reporting that provides compliance and trading floor managers with insight into emerging trends, as well as alerts concerning trends and compliance risks. So, the requirement to monitor calls can turn into a strategic advantage if you add analytics into the same infrastructure.

Alan Stewart, Open-Tec: As it has been in previous years, the risk of costly investigations and fines is ever increasing. The size and frequency of fines given out are going to increase. However, the risks now are more than just direct monetary penalties, as there is likely to be an increased risk to the brand, and also the share price if companies are found to be or seem to be lax with their record keeping and business practices.

Fundamentally, the potential cost effect of not storing relevant business records effectively is immeasurable, as you cannot say for sure how large the fines or how many fines might be applied to a regulated organisation in the coming months. Add to that the increased personal liabilities of company directors and this whole area becomes something that must be addressed to the best of an organisation's ability.

Mike Sullivan, Autonomy: New regulations follow industry crisis; penalties for failure to comply shift to reflect the prevailing sociopolitical environment, which has clearly changed as of late. Looking forward, companies can expect tougher audits and larger fines. We should also expect a significant increase in litigation associated with subprime mortgages and trading practices.

Companies need to recognise the dependency between their compliance practices and litigation matters, and develop an information risk strategy that includes an information governance architecture (IGA) that unifies and simplifies the execution of policy-based risk management across all systems, content and languages.

Companies failing to implement a unified solution will quickly become bogged down in the problems associated with multiple vendor solutions that isolate content by format, task or group. Each silo increases cost, risk and response time. For a company dealing with a few isolated incidents, silos might be an adequate strategy. For a global company doing business under multiple jurisdictions or with a heavy litigation portfolio, multiple silos are proven to be ineffective and costly in terms of risk and hard dollars.

John Enoch, Voxsmart: Being able to retrieve recordings of relevant telephone conversations and emails gives firms the ammunition to be able to resolve disputes or investigations quickly and efficiently. Without this valuable evidence, firms might be unable to prove the facts of the case and then be forced either to make avoidable out-of-court settlements or get involved with costly legal proceedings or investigations.

In addition to the monetary savings, in terms of legal fees, out-of-court settlements and insurance premiums, it is also important to recognise the intangible benefits of mitigating reputational risk. The good reputation of any financial services firm is vital for success not only with customers but also with investors, business partners, regulators, rating agencies and staff. It makes good commercial sense to insist on high standards of corporate governance and transparency in dealings with stakeholders. Recording all necessary telephone conversations, whether on landlines or mobile phones, should be an important part of any firm's internal controls.

Most firms already record landline conversations to aid transaction verification, and monitor and train staff. Many firms ban the use of mobile phones for business. However, staff might ignore this rule and use their mobiles to respond to the needs of clients and colleagues when away from their desks or for personal convenience. In our increasingly mobile-centric culture, it is not desirable or practical to ignore the risks of unrecorded mobile phones.

OpRisk & Compliance: What are the important elements of a strategic framework for telephone and email storage, retrieval and monitoring at a financial services firm?

Mike Sullivan, Autonomy: A strategic framework requires a highly managed approach to minimise costs, risks and penalties. The scale of data and people involved requires the implementation of automated policy enforcement - preferably in real time. Email and audio content should be continuously monitored throughout its lifecycle. When litigation or an investigation requires relevant information to be identified and secured, the legal hold process should be readily executable with direct connectivity to a legal review and production solution. As content meets the end-of-life requirements, a policy-driven disposal process executes an auditable destruction process. The overall system must be massively scalable, compliant with all legal and industry requirements, and provide a cost-effective platform for all content formats, language and sources.

Autonomy provides a solution for managing all content formats including audio, text and email throughout their lifecycle on a unified platform, eliminating discrepancies that arise when different technologies are used to store and retrieve content. Users are provided with a graphically illustrated understanding of the relationships that exist between emails and phone calls, and the concepts contained within. By effectively providing the meaning of content in context, the review and analysis processes are expedited, yielding better results and lower costs than solutions that lack context and are key-word dependent.

John Enoch, Voxsmart: An important step in successfully deploying a mobile phone recording solution is to get buy-in from the executive board. Recording business mobiles is often unpopular among staff. Although on a positive note it should lead to a reduction in personal calls!

It is important to review thoroughly all the options available. Recording mobiles is not trivial. Voxsmart's RecordMobiles application enables companies to keep mobile call recording as simple and secure as possible, by leveraging existing infrastructure investments. Our approach is to offer a plug-in to existing, secure landline recording systems and to focus our mobile recording innovations where it makes most sense: on mobile devices.

The BlackBerry Enterprise Server from Research In Motion is undoubtedly the most secure, trusted platform for mobile device control. This gives Voxsmart's RecordMobiles solution the ability to produce two independent sources of auditable call data, to prevent bypass of recording and generate risk alerts.

To be acceptable, a mobile phone recording solution should be seamless and not introduce any added connection delays or inconvenience to the user. Using Voxsmart's RecordMobiles solution, which can be deployed with existing BlackBerry smartphones, all inbound and outbound calls are recorded automatically. The user makes and receives calls as normal and risk alerts are sent to a designated administrator if a user attempts to bypass recording or if there is a failure to record.

Dvir Hoffman, NICE: In the current environment, and given that telephony technology is quickly evolving, one should look for a solution that both enables compliance with regulations and also streamlines business processes and provides a fast return on investment.

Such a solution would need to be based on key elements such as reliable capture capabilities, high availability, automated solution and scalability.

Furthermore, it should operate in TDM, hybrid, and pure VoIP environments, providing investment protection.

Also critical are health checks, audit trails and reporting capabilities to ensure 24/7 compliance.

Alan Stewart, Open-Tec: The BSI Code of practice for legal admissibility and evidential weight (BSI BIP 0008) is important to any system that stores or communicates information electronically, and where authenticity, integrity and availability of those electronic records are a necessity.

As such, demonstrable compliance with any regulation or legislation is clearly within its remit and the compliant retention of email, SMS and telephone calls are examples of this.

Maximising the evidential weight of electronic data will enable the organisation to have confidence that it is storing and retrieving the data in a way that will meet regulatory requirements. This will ensure that if it ever needs to present this data in court, its integrity will stand up to legal scrutiny.

The following elements must form part of any solution implemented:

Audit: Must be detailed and cannot be turned off (even by administrator). It must show who has accessed what data, who has searched for what data, who has seen/downloaded what data and when data was accessed.

Security: All data must be stored in a secure manner.

Discoverable: Information must be easily searchable via indexing and filtering.

Non-repudiation: You must be able to prove a document has not been changed or tampered with.

Legal hold: There must be the ability to hold documents past the retention period if they are part of an ongoing investigation.

Non-deletion: Information cannot be deleted within the retention period.

Timeline filtering: To aid e-discovery of business records, a filter that enables you to look at a point in time or between certain times is needed.

Maximised evidential weight: The system should be implemented in accordance with BSI BIP 0008.

OpRisk & Compliance: How can email and telecommunications tools be used to reduce litigation and enforcement proceedings costs at financial services firms? How can these frameworks add value to an organisation?

John Enoch, Voxsmart: Almost all the compliance officers I've met in the City have stories of where the recording of telephone conversations or conversely the lack of records has had a significant impact on dispute resolution. For example, a large European bank told me of how it successfully prevented costly legal action being brought by a former customer, almost six years after the event, by producing recordings of telephone conversations that exonerated it. A US bank had to honour a trade where a junior got a decimal point in the wrong place because authorisation from his manager at the correct price had been made over an unrecorded mobile phone.

Effective recordkeeping can provide essential evidence to fight any disputes or investigations. To quantify the value of implementing telephone recording systems, a firm just has to look back through its records to see how much time and expense could have been saved if records of key conversations had been kept.

An added benefit of implementing recording for mobile phones is to enable staff to continue to do business in disaster recovery situations where recorded landlines are not available. A fund manager in Bermuda is planning to activate Voxsmart's RecordMobiles solution on staff BlackBerry smartphones in anticipation of future hurricanes striking the island, so they could continue to trade securely from home or off the island.

Mike Sullivan, Autonomy: Current monitoring regulations target 10-15% of the total email volume - while this percentage might appear low, it actually represents over 2 million financial sector emails being reviewed each day. The addition of audio monitoring and potentially greater percentages would cripple any team attempting manual review. Automation is the only cost-effective and scalable means to manage additional content types and greater volume.

Autonomy uses an automated and intelligent approach to monitoring all electronic communications within an organisation's operational and archive systems. These advanced conceptual search and classification tools go well beyond keyword-based solutions to identify potentially damaging information based on its context. Monitored information is automatically categorised and tagged, facilitating subsequent search, analysis, legal hold, and electronic discovery.

Leveraging Autonomy Real-time Policy Management for email and audio allows companies to take strategic control of new informational risk, reducing the amount of exposure while improving their ability to expedite compliance and litigation activities.

Alan Stewart, Open-Tec: One of the most significant costs in preparation for litigation is the legal discovery costs. This can be huge if the organisation has not implemented the right tools. It typically requires them to pay teams of consultants to come in and recover data from multiple systems for analysis before the organisation has any idea of where it might stand with respect to the litigation case it is defending against.

The appropriate tool that can store the information and make it easily searchable and retrievable within the correct timelines can improve the standing of an organisation when it is responding to litigation. If the tool also stores the data in a way that maximises its evidential weight, this adds additional value and benefit to the organisation and further reduces the risk of any data presented being challenged in court.

There is also opportunity to add value to an organisation through increased efficiencies if the tool enables the users and others within an organisation to search, access and, if appropriate, retrieve the stored information as part of its ongoing daily activities.

The ultimate compliant repository solution should be a single interface that allows users and compliance officers to search and access data from all electronic sources. This type of solution can provide cost savings, risk reduction and efficiency gains within an organisation.

Dvir Hoffman, NICE: There are a number of critical elements for a successful framework. The telephony aspect should have restricted liability, fraud detection and business intelligence capabilities, centralised storage options, and be deployable in any telephony environment, including VoIP, with inclusive business continuity support.

Cost reduction can be achieved by using tools that enable automatic, fast and secure access to voice interactions relevant to the transaction in question. This also provides faster and more effective dispute and litigation management. The ability to conduct investigations using the aid of combining voice and transaction analytics improves the accuracy and time-to-answer of compliance and risk officers, reducing the risks associated with non-compliance, time and labour-intensive processes.

Lastly, the implementation of an automated compliance workflow can assist organisations in reducing the costs associated with manual approval processes, monitoring and reporting.

John Enoch, Voxsmart

John Enoch is the founder and managing director of Voxsmart. He has worked in the global risk management practice of PricewaterhouseCoopers, assigned to the internal audit department in Singapore, delivering telecoms asset management and risk management advisory projects. Before joining PwC, he spent more than 10 years working for telecommunication carriers in the UK and Asia.

Voxsmart develops and licenses secure, easy to use mobile phone voice applications for the business market.

Dvir Hoffman, NICE

Dvir Hoffman joined NICE in 2003. Having served in several key product management positions, he is currently responsible for defining and managing NICE Enterprise Solutions for the corporate and investment banking industry, as financial services market manager. Before joining NICE, he worked at EMC2 as a product integration manager of innovative storage solutions. Before that he worked at Integrity-Systems, a start-up hi-tech company, serving as an integration engineer responsible for mobile applications solutions. He holds a BSc and an MBA, both from Ben-Gurion University in Israel.

Alan Stewart, Open-Tec

Alan Stewart is business development director at Open-Tec. He has over 20 years' experience in technology and related business and regulatory requirements within several different markets, from within IT and telecommunications in the UK's second-largest police force to providing consulting and IT solutions in the finance and telecommunications sectors. Along the way he has been involved in many different projects related to the effective storage and recovery of business records on a daily operational basis, as well as for specific investigations.

Mike Sullivan, Autonomy

Mike Sullivan is senior vice-president of operations and services at Autonomy and manages all aspects of the worldwide hosting and data processing business.
