Nick Sears, VP, EMEA, FaceTime Communications, explores the compliance issues facing financial services organisations in a Web 2.0 connected world.
The financial services industry was one of the early adopters of real-time technologies such as instant messaging (IM) for business. Early electronic communication tools provided the ability to receive and disseminate information quickly, helping to make better-informed decisions. In recent years, the ever-expanding horizon of Web 2.0 applications, including social networking sites and micro-blogging, has expedited this process even further. For heavily regulated industries, finding the balance between compliance and competitiveness is not always as easy as it seems.
The problem for financial institutions is that inappropriate use of such widely available communication and collaboration tools can mean non-compliance with government and industry regulations, resulting in hefty fines, potential loss of business and fraud. In 2005 NYSER fined Schwab $1 million, partly because of its failure to preserve and maintain instant messaging communications via Bloomberg terminals. More recently, Societe Generale lost nearly €4.9 billion in fraudulent trades by a rogue employee who used instant messaging to manage the transactions.
Regardless of whether the regulations an organisation follows are FSA, SEC or FINRA, to name but a few, most require member firms to follow due process on approvals as well as keep and archive adequate records of all electronic communications. However, in practice not many firms are able to log content posted to Facebook, let alone try to control the content of the actual message. Thus the obvious procedure has been to simply ban its use.
However, banning the use of Web 2.0 applications in the workplace presents two other issues. Firstly, over 50% of Web 2.0 applications are evasive. They hop from port to port, use encryption and non-standard protocols, and even tunnel through HTTP. All these tactics allow them to bypass conventional firewalls and URL filters and to be installed on machines with virtually no technical knowledge required of the user.
A second problem with banning their use is that the productivity gains are now so strong that businesses not taking full advantage of Web 2.0 communications are losing out to their competition. The power of networking should not be underestimated, and a company that has just spent a small fortune headhunting a top trader needs them to continue to communicate with their contacts in the most effective manner. Stifling the speed of conversation may end in poor results and missed opportunities.
The threat from Web 2.0 applications is not limited to errant employees or compliance issues. Malware is rife too. One of the main reasons behind this is that many users place too much trust in their network. Even though they may not know who their “friends” are in the real world, a feeling of trust builds up over a period of time. This makes users far more likely to click on a link from a friend on Twitter, Facebook or Instant Messenger than on one in an email, where most people today are a little more circumspect, particularly if it’s unexpected.
Another reason malware is so prevalent over Web 2.0 applications is that it uses the same evasive techniques as the legitimate applications do, enabling it to bypass traditional gateway and desktop anti-malware measures with ease. Allowing malware to access a corporate infrastructure is in direct conflict with many industry regulations, not least because it frequently provides a way for data, such as customers’ personal information that can be used in identity fraud, to leak out.
Social networking and micro-blogging sites aren’t just for the younger generation. A recent survey by Osterman Research showed that the average age of a business-focused Twitter user was 40. Combine this with the fact that more companies every day are choosing to have a branded presence on Twitter, and it’s easy to see that, despite many IT managers not considering it to be a legitimate business tool, other people within the business perceive it differently.
For financial organisations, the need to take back control over the myriad of Web 2.0 applications and the content posted to them is immediate. The consequences of not doing so are too great to be ignored. However, it is not as difficult as it first seems: organisations just need to follow the best practice guidelines of control, log and archive that they have been following for many years. What they do need to be aware of is that their current security measures are no match for Web 2.0 applications.
For a more detailed review of how Web 2.0 applications affect the financial industry see 'The Impact of New Communication Tools for Financial Services – an Osterman Research White Paper', sponsored by FaceTime Communications.