23 October 2017

Retired Member


Why all banks will follow Deutsche Bank and ban insecure messaging apps

06 February 2017

WhatsApp is a data security and compliance nightmare for banks. I get why so many people use it in business. It’s immediate, conveys a sense of urgency and you see when someone’s read your message (so they feel obliged to respond). None of that is true of email.

But it’s a real headache. People think it’s secure, and in some ways I can see why. WhatsApp adopted the Signal Protocol from Open Whisper Systems for end-to-end encryption, which means message content can’t be read in transit or on WhatsApp’s servers. That is all it promises, though. It says nothing about the two endpoints (a compromised or lost phone, or a backup of the chat history, exposes the plaintext), and it does not hide the metadata of who messaged whom and when, which WhatsApp does hold and can be required to produce under a legal order. That is the gap an agency such as the National Security Agency (NSA) would use.

That’s probably fine for consumers chatting with their friends, which is what it was designed for. But if you’re a bank, you need to know where your data sits, who holds the encryption keys, and what a government agency could obtain from WhatsApp’s servers if it decided to examine you. With WhatsApp the answers are: on employees’ personal phones, the employees themselves, and at the very least the metadata.

Deutsche Bank is a German bank. If its people used WhatsApp, a service run by an American company, there would understandably be some tension over where its data resides and whose law governs it.

From a compliance point of view, things get even worse. If your data doesn’t sit on your servers, or even in your legal jurisdiction, you can’t produce an audit trail of who said what to whom when you’re accused of mis-selling (as Deutsche Bank was last year over mortgage-backed securities, when the US Department of Justice opened with a demand for $14bn).

There’s no compliance trail if you’re accused of harassment or fraud either. And you can’t show where a message has been downloaded or forwarded, who it has been shared with, or what has happened to it at all, because none of that is recorded anywhere you can see. It’s completely outside corporate control, and unregulated.
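The kind of record the post says WhatsApp cannot give a bank, as an added example that is not part of the original post or of any product named on this page: a bank-held, append-only message archive written with Python’s standard library. Each record (a message or a forward) carries the seal of the record before it and is itself sealed with an HMAC key that only the bank’s compliance function holds, so the archive can answer who said what to whom, when, and where it was forwarded, and verify() reports the first record that has been edited, deleted, inserted or reordered after the fact. The seal key, participant addresses and quote are constructed for illustration; keeping the seal key in an HSM and the log on write-once storage is outside the example.

```python
"""Tamper-evident message archive held by the bank (added example, not from
the post or any product mentioned on the page).

Every message and every forward is appended as a record that carries the
seal of the previous record and is itself sealed with an HMAC key held only
by the bank's compliance function. The chain answers "who said what to
whom, when, and where was it forwarded", and verify() reports the first
record that has been edited, deleted, inserted or reordered.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # "previous seal" of the first record


class MessageArchive:
    def __init__(self, seal_key: bytes):
        self._key = seal_key  # held by compliance, never by the chat endpoints
        self.records = []

    def _seal(self, entry: dict) -> str:
        # HMAC over the canonical JSON of everything except the seal itself
        unsealed = {k: v for k, v in entry.items() if k != "seal"}
        body = json.dumps(unsealed, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def _append(self, **fields) -> int:
        entry = {
            "seq": len(self.records),
            "prev": self.records[-1]["seal"] if self.records else GENESIS,
            "ts": datetime.now(timezone.utc).isoformat(),
            **fields,
        }
        entry["seal"] = self._seal(entry)
        self.records.append(entry)
        return entry["seq"]

    def send(self, sender: str, recipient: str, text: str) -> int:
        # The content digest lets a copy produced later (e.g. from a phone)
        # be matched to this record even if the text is redacted for disclosure.
        digest = hashlib.sha256(text.encode()).hexdigest()
        return self._append(event="message", sender=sender, recipient=recipient,
                            text=text, content_sha256=digest)

    def forward(self, forwarder: str, recipient: str, original_seq: int) -> int:
        if not (0 <= original_seq < len(self.records)
                and self.records[original_seq]["event"] == "message"):
            raise ValueError(f"no message with seq {original_seq}")
        return self._append(event="forward", sender=forwarder, recipient=recipient,
                            original_seq=original_seq)

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if intact, else (False, seq of the first bad record)."""
        prev = GENESIS
        for i, entry in enumerate(self.records):
            if entry.get("seq") != i or entry.get("prev") != prev:
                return False, i  # deleted, inserted or reordered record
            if not hmac.compare_digest(entry["seal"], self._seal(entry)):
                return False, i  # record edited after sealing
            prev = entry["seal"]
        return True, None

    def trail(self, seq: int) -> list:
        """Every party that received message `seq`, directly or by forwarding."""
        hops = [e for e in self.records
                if e["seq"] == seq or e.get("original_seq") == seq]
        return [{"seq": e["seq"], "event": e["event"], "from": e["sender"],
                 "to": e["recipient"], "ts": e["ts"]} for e in hops]


def demo() -> dict:
    # Constructed participants, key and quote; nothing here is real data.
    archive = MessageArchive(seal_key=b"example-compliance-seal-key")
    m = archive.send("trader.a@bank.example", "client@example.com",
                     "Bond quote 98.40, good for 10 minutes")
    archive.forward("trader.a@bank.example", "desk.head@bank.example", m)
    intact = archive.verify()
    recipients = [hop["to"] for hop in archive.trail(m)]
    # Someone edits the quote after the fact: the seal on record 0 no longer matches.
    archive.records[m]["text"] = "Bond quote 99.40, good for 10 minutes"
    tampered = archive.verify()
    return {"intact": intact, "recipients": recipients, "after_edit": tampered}


if __name__ == "__main__":
    print(demo())
```

The seal is an HMAC rather than a plain hash so that whoever can write to the log cannot also re-seal a forged chain without the compliance key; the chaining is what turns a deletion in the middle into a detectable break rather than a silent gap.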

I’m not surprised that Deutsche Bank is doing everything it can to reduce risk. I would be, too.

But the problem is this. Email isn’t fit for purpose any more. Messaging apps are growing because they’re useful for urgent or instant communication and they show when they’ve been viewed and read. They’re not going away.

But until banks start to implement secure messaging where data sits within their control, they’ll all be following Deutsche Bank’s lead. 


Tags: Security, Risk & regulation

Comments: (6)

Nicola Cowburn - Qumram - London | 07 February, 2017, 21:03

Interesting view, but you CAN keep an audit trail of who said what to whom on WhatsApp, despite end-to-end encryption, using the “unique” (Gartner’s words, not mine) compliant social media recording solution from Qumram (see report "Take These Four Steps to Securely Use WhatsApp, WeChat and Other Instant Communication Apps"). Type into Google "compliant WhatsApp recording" and watch the Finovate 7-minute demo. As you rightly state, John, messaging apps aren’t going away. Customers drive engagement channels, not banks, and social is becoming their channel of choice. Bank staff banned from using it will continue to do so, underground, and customers will go elsewhere if you don’t sanction it, so why not just allow it to happen but make sure it’s compliant? Qumram records and replays all digital interactions, across all channels (web, mobile, social), providing an indisputable audit trail – it meets MIFID-II, SEC17a-4, DOL, GDPR, FINRA, FINMA, FFSA, Fidleg regulations and more, for compliant digital record-keeping. 

A Finextra member | 07 February, 2017, 21:22

Nicola, I would love to see how you can monitor WhatsApp messages on iOS and Android. I cannot see anything on the store. The 7-minute demo you refer to is a browser, which yes, it's possible to hook and monitor, but it's so limited. If you have magically created a way to spy on interprocess communications without the device being jailbroken or rooted then please send me a link, as I cannot find anything on the App Store.

Nicola Cowburn - Qumram - London | 07 February, 2017, 22:05

Happy to provide more information, John. You are correct, the bank employee must be working via a browser, but that is the only limitation. They are still able to use the full functionality of WhatsApp (or LinkedIn, WeChat or whatever), and the customer does not have to use a browser, they use the device of their choice. And the bank is secure in the knowledge that every interaction is 100% securely recorded, stored for many years for compliance purposes, and can be replayed in movie-like form. So a Regulator can view exactly what the customer saw, every mouse movement, keystroke etc. Bank employees would rather have the limitation of using social via a browser, than turning their back on the billions of customers using social every day. We ensure compliance for large global banks like UBS, investment firms like Russell Investments and many wealth managers based predominantly in the US, UK and Switzerland. Some of our clients also use this tech to monitor employee behaviour for fraud detection, and the big data collected for compliance purposes is used for customer experience analytics. It’s not an app, so not on the store.

A Finextra member | 07 February, 2017, 23:34

The solution you offer doesn't monitor any messages or transfers sent via WhatsApp/Facebook Messenger/WeChat or any other mobile messenger on a mobile or tablet device... Y/N?

Nicola Cowburn - Qumram - London | 08 February, 2017, 10:12

It does indeed. Please don't hesitate to contact us via info@qumram.com should you be interested in more information.

A Finextra member | 08 February, 2017, 11:25

Nicola,

As you have already commented:

"You are correct, the bank employee must be working via a browser, but that is the only limitation."

As I have asked, if you have a solution for mobile that can monitor instant messenger communications without the device being jailbroken or rooted, please provide all of us a link for more information.

Thank you,

John.

