Blog article
See all stories »

Eavesdropping in a post-COVID-19 world.

The advent of the telephone nearly 150 years ago, followed by the rapid creation of local, national and then international telephone networks, put an end to the use of the telegraph in trading of financial products fairly swiftly. But it was not long before traders grew frustrated with exchange- based telephone services – due to unanswered calls and busy lines, never mind having to remember and dial numbers – and the telcos were able to create a new market in “private wires” – originally a twisted pair from the traders desk connected directly to their counterpart via a patch panel at the local telephone exchange.

Pretty soon these private wire networks were carrying a large proportion of national and international trading in foreign exchange, commodities and securities. But there was always the issue of disputes – in price, size and direction of trades – so in order to manage these situations all the major firms started recording all of the calls on these private wire networks, so that when there was a dispute the relevant recording could be traced, listened to and the dispute could be resolved.

As international markets opened up and evolved in the 1980s, and the process of electronification began, new regulations – and regulators to police them – were needed to bring some order to growing and increasingly open markets. It was not long before the regulators realised that by accessing the recordings of private wires (which under the new regulations they were entitled to do) they could investigate all different sorts of market abuse.

The situation evolved further with the advent of the mobile ‘phone which was first welcomed for trading purposes and then banned from the trading floor to try and prevent unfettered market abuse. The arrival of hybrid internet and mobile non-voice communications (e-mail, SMS, MMS, iMessage, social media) coupled with the trading firms desire to reduce the management overhead of providing mobile ‘phones for employees by implementing BYOD policies, meant that this whole area of mobile communications could no longer be ignored.

Regulations governing mobile device recording have evolved globally, with differing timelines and substantial nuances but the generic features of these differing regulations can be characterised as follows:

-          Mobile devices supplied by the employer must only permit mobile communications associated with any type and aspect of a transaction, if that communication is recorded

-          Irrespective of whether a mobile device is supplied by the employer, if the employee has access to a self-provided mobile device, then mobile communications on that device associated with any type or aspect or a transaction must be recorded or prohibited

-          The employer is responsible for the storage of the recorded mobile communications, and providing access to those in support of a routine audit or pro-active investigation

-          The employer is also responsible for ensuring that all such mobile device recordings are acquired, stored, accessed and archived in compliance with any applicable privacy regulations (e.g. GDPR)

-          The absence of a mobile device communication that is known or suspected to have occurred will be treated as a serious breach of regulation, even if it was not implicated in any other breach

Employers are faced with three choices.

1)      Provide mobile devices to applicable staff and then lock-down, manage and police those devices at the same time as prohibiting those employees from using and personal mobile device for business purposes.

2)      Provide mobile devices to applicable staff and then lock-down, manage and police those devices at the same time as permitting those employees to use personal mobile devices for business purposes, and also implement some form of lock-down, management and policing for those personal mobile devices.

3)      Decline to provide mobile devices to applicable staff, and (presumably under the auspices of a BYOD policy) allow applicable staff to use personal mobile devices for business purposes, with suitable restrictions and mobile recording capabilities in place to ensure that they fully comply with the relevant regulations.

It is no great surprise that many employers are selecting the third option as the most cost-effective, easy to manage and pragmatic solution.

From the regulators’ point of view (again bearing in mind the differing timelines and variations between the different regulators objectives and overriding principles) some common themes have begun to emerge:

-          The responsibility for implementation belongs with the employer – the regulated firm – and while the regulators reserve the right to routine audit or pro-active investigation, the onus on demonstrating that the regulations have been complied with lies with the regulated firm

-          The regulations take full-effect on day one, but many regulators have indicated a “light touch” approach in the following months as long as it is clear that the regulated firms in question are making reasonable endeavours to ensure that the regulations are being complied with. However, after that period of grace, that will be replaced with a “firm touch”

-          In common with the application and implementation of other burdensome regulations, the regulators approach to mobile device recording is unequivocal – cost, overhead or degree of difficulty are not valid arguments for failing to comply. As one regulator said “If regulated firms feel that they cannot afford to implement recording capabilities that comply with our requirements, then it is likely that they cannot afford to be in this business”.

The Coronavirus crisis may have deflected some attention from regulations like those governing the use and recording of mobile communications, but the massive increase in the use of mobile messaging during the crisis is, in itself, likely to heighten the regulators desire to see that messaging correctly recorded. Given the way that changes to working arrangements will be with us in the long term, regulatory focus on this space is probably not going to diminish.

4373

Comments: (0)