Brokerage Instant Messages Must Be Saved
DrEnter writes "According to an AP story on Yahoo!, the National Association of Securities Dealers (NASD) has told its members that they must keep a copy of all instant messages sent or received by employees for at least three years. This is similar to their requirements on keeping e-mail, although technically not nearly as easy. The NASD is a self-regulatory organization, and U.S. federal law requires almost all of the 5,300 U.S.-based securities firms and brokerages to be a member of it. There's a news release from the NASD concerning the requirement - it looks like the daunting technical issues have already resulted in some firms banning the use of IM completely."
From the facetime.com website:
"Since 1999, FaceTime has been delivering instant messaging (IM) solutions for the security, management and control of IM in the enterprise.
Our integrated enterprise IM management suite of products address the challenges of:
* Network and Information Security
* Regulatory and Corporate Compliance
* Call Center Customer Service
IM Auditor has been chosen by 32 of the largest 100 financial institutions and 7 of the 8 largest U.S. banks including Bank of America and Wachovia Securities to satisfy regulatory compliance requirements."
The one thing that wouldn't be addressed is encrypted clients such as the recently discussed Nullsoft "Waste" IM client. However, with businesses increasingly becoming addicted to IM clients and Blackberry devices, this would be a far more palatable solution than banning IM completely.
http://about.reuters.com/productinfo/messaging/
It's actually pretty nifty; corporate IM already exists, and I am sure if Reuters does not have built-in logging they will add it quickly and dominate another part of IT for the financial community.
No, it's not. If they use AIM, then they can use the AOL gateway. The AOL gateway product can also do their own authentication and force AIM clients (based on AIM handle) to use the gateway. The gateway can do all the needed logging. A strict IT policy to be followed by employees makes this task trivial.
Actually at my firm, we do log all calls made from our traders' phones for a 3 year period, it's more a protection against illegally/incorrect executed market orders, and liability mitigation and it is not an SEC requirement.
If you think this is bad, we need to have full data backups for files, fax, and e-mail transmissions for a 7 year retention. That eats up a lot of tape...
and for any firms wanting to use linux, BSD, or OSX on the desktop, GAIM builds above .60 all have excellent logging and even have a good division-by-conversation format. Though your best bet for logging it all would be a custom jabber server that would save everything serverside (with warnings at conversation starts, of course)
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Most banks already log phone calls, what is being added is the requirements to archive email and IM messaging.
Do a quick search for "Basel 2" or "Basel ii" for more details on this. One very interesting quote I found is;
"The Institute of International Finance has projected a total investment of US$2.25 trillion over 5 years for the 30,000 banks that will be affected, on top of systems' budgets, implementation costs and training. With such a huge increase in costs, this may precipitate another round of banking consolidation, especially in Asia. Basel 2 will certainly reward banks with sophisticated management and systems - they should be able to generate higher returns on equity, and have less capital required by the market and regulators."
IMLogic does this, and is quite good at meeting these requirements (one of their coders is a friend of mine).
As for the daunting bit, hyperbole anyone?
You're looking at it from the wrong side. The biggest issue for brokers is having clients ring up (or whatever) and give instructions and then take issue later (when the trade goes bad, presumably), or the client saying that the broker told them X and it caused them a loss.
The Slashdot summary says otherwise, but the press release linked to is pretty clear.
Mobile phones and other methods of personal communication are banned in trading areas.
It may not be an SEC requirement, but isn't it an NASD requirement? I've been working at brokerages for the last ten years, and it would have been unthinkable for us not to have our conversations recorded.
It wasn't just the traders and the salesmen, but the analysts as well. Maybe it wasn't a regulatory requirement, but it's definitely part of doing business in securities, because so much is done over the phone. It was actually surprising how little we used those recordings after they were made, but maybe we were just fortunate. Mostly it was to check trades, but the threat was always there that if you gave out inside information, you could be nailed.
Interestingly we were allowed to use mobiles on the trading floor, but I can imagine that people are much more cautious in the US. Post-Spitzer, they are all running very scared. Most US investment bankers that I talk to now, virtually have to append a disclaimer to everything that they say. Must make for some interesting pillow talk.
rules:
All emails are kept (Archived, not by us)
No external email accounts (it's a big offense if you use hotmail, etc, from work)
Internal instant messaging (logged, of course)
No external instant messaging (you crazy? Hell no -- you can't just install random software from the web on a trader's desktop)
All phone calls are recorded (not sure how)
Cell phones are banned on the trading floors (I see them sometimes (and carry mine), but I think it's not cool).
There might be cameras, but I don't know.
All of this promotes accountability & transparency... and is good for clients and the market in general...
It's not like they look/read everything, but it has to be on file in case of a lawsuit, etc.
re: the guy talking about remote desktop, etc...
That might work at some firms, but I'd imagine most of the bigger firms are really, really locked down.
there is no thing
what else could you want?
It's much easier to implement a corporate version of an IM server, which most IM networks now provide, then firewall off the other IM servers, forcing the clients to use the corporate version, or proxy all IM client requests to standard IM servers through the corporate one. This provides a central logging point, and peace of mind for the security personnel.
On the other hand... IM is not secure by any means; anyone stupid enough to use it in the financial industry for anything other than talking to friends and bullshitting around should be shot.
I came, I conquered, I coredumped
It's easy enough to log encrypted traffic. Decrypting it afterwards can become more of a problem, but not unsolvable.
:-)
Clients can be modified to securely send a copy of their session keys to a central repository, for example.
Or the proxy can do the authentication for the clients, pretending to be the other end, and establish its own encrypted session with the clients.
Or, for dual-key systems, instead of the normal M*N pseudoprime, there's an M=(X*Y) where Y is a fixed value known to the company -- in effect a "master key" to allow decryption. This is already used for logging encrypted email from employees in many places.
Another thing is whether it won't be easier to just ban instant messaging altogether. More and more companies do so, both out of productivity concerns and for multiple security reasons (not only can it open up for bringing harmful content into the environment, but also be used to quickly send confidential information to those who shouldn't get it).
Time to revive "talk"
Regards,
--
*Art
Having previously worked in a financial services company, I can tell you that most of them will already disallow installation of non-certified apps on the desktop. And of course, entire departments within IT exist to certify apps on the approved firm builds. Indeed, at my previous employer, users are not admins on their own PCs and hence cannot install anything.
I cannot imagine the CTO saying, "well, IM is an important communications medium for the employee staff with one another, so let's put together a team to address the scripting issues. We need to include the resulting gigs of data in our backup processes as well."
No, I think the liability issues will simply result in IM going away permanently within financial services firms.
Heck, when I was working there, I wasn't even able to post comments to Slashdot. But then again, we were obliged to run Netscape as our browser and e-mail client: Outlook was verboten.
[insert obligatory outlook joke here.]
ed
I would be wary of what you say, because all blanket statements are false.
But, on the third hand, the number of people that use insecure methods of IM is disgustingly large, whereby entire industries could be made sniffing AIM coming out of market makers.
This comment is guaranteed*
*not guaranteed
Isn't this where Jabber can help?
The company can set up their own server, meaning that all messages stay inside the company network.
IIRC it also encrypts the messages between clients.
Organisation-wide IM client with authentication from internal LDAP/Domino Directory
- no need to let AOL/MS listen in on your conversations, or open up your firewalls for that matter
- every conversation is encrypted by default
- server can be set up to log everything
There ARE other options than MSN Messenger/AIM, you know...
Last I checked, it takes less than 5 minutes to write a shell script that uploads these logs in the background to an FTP server.
I bet you're a perl coder. Re-read the post you just replied to. See where it says "all the logging is done on client machines, outside the direct control of the support staff."
Just because you have a theoretical shell script uploading stuff, you're still not in compliance with the mandate that says all IMs must be saved: in the example given, if the HD goes down before the shell script runs, then you still lose part of the log.
Email is easy because you just mirror it on a server. You'd need some sort of complicated transparent proxy to log normal IMs, and that wouldn't work with encrypted conversations.
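The two comments above make a concrete point: a client-side log that is uploaded later can lose messages if the disk dies first, whereas e-mail is simple because the server keeps the copy. The following is an added example written for this thread (not code from any poster or from any vendor product mentioned here) of the server-side equivalent for IM: a store-and-forward relay that writes each message to an append-only archive before forwarding it, chains the records with SHA-256 so later alteration is detectable, and tracks the three-year minimum retention the NASD notice describes. The relay is in-memory and the two messages in the demo are constructed; a real deployment would persist the archive to durable, separately backed-up storage.

```python
"""Store-and-forward IM relay that archives every message before delivery.

Added example, not from the thread: illustrates server-side archiving for
IM, the same "mirror it on a server" property that makes e-mail retention
easy. Names (ArchivingRelay, relay, verify_chain) are invented for this demo.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Minimum retention the NASD notice discussed above calls for (assumed as 3 * 365 days).
RETENTION = timedelta(days=3 * 365)
GENESIS = "0" * 64  # prev-hash of the first archived record


def _digest(record):
    """Hash of a record's content (everything except its own hash field)."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ArchivingRelay:
    def __init__(self):
        self.archive = []        # append-only record of every message relayed
        self.mailboxes = {}      # recipient -> list of message bodies delivered
        self._prev_hash = GENESIS

    def relay(self, sender, recipient, body, now):
        """Archive the message, then deliver it. Returns the record's hash."""
        record = {
            "ts": now.isoformat(),
            "from": sender,
            "to": recipient,
            "body": body,
            "prev": self._prev_hash,   # links this record to the one before it
        }
        record["hash"] = _digest(record)
        # Archive first, deliver second: a delivery failure or a client disk
        # failure after this point cannot lose the record.
        self.archive.append(record)
        self._prev_hash = record["hash"]
        self.mailboxes.setdefault(recipient, []).append(body)
        return record["hash"]

    def verify_chain(self):
        """True if no archived record has been altered, removed or reordered."""
        prev = GENESIS
        for rec in self.archive:
            if rec["prev"] != prev or _digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def eligible_for_deletion(self, now):
        """Records whose retention period has fully elapsed at time `now`."""
        return [r for r in self.archive
                if datetime.fromisoformat(r["ts"]) + RETENTION <= now]


if __name__ == "__main__":
    # Constructed sample traffic, not real messages.
    relay = ArchivingRelay()
    t0 = datetime(2003, 6, 1, 14, 0, tzinfo=timezone.utc)
    relay.relay("trader_a", "client_b", "buy 100 XYZ at market", t0)
    relay.relay("client_b", "trader_a", "confirmed", t0 + timedelta(minutes=1))
    print("archived:", len(relay.archive), "chain ok:", relay.verify_chain())
    print("deletable after 1 year:", len(relay.eligible_for_deletion(t0 + timedelta(days=365))))
    print("deletable after 3 years + 1 day:",
          len(relay.eligible_for_deletion(t0 + timedelta(days=3 * 365 + 1))))
```

The ordering in `relay` is the whole point: the archive write happens before the recipient sees anything, so the set of delivered messages is always a subset of the archive, never the other way round. The hash chain does not stop an administrator with write access from editing the archive, but it makes any edit detectable at audit time, which is what a retention mandate needs.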
Brokers aren't going to be using just some random IM client they downloaded from the web, they'll be using something like this which looks and feels like a regular IM client (MSN in this case) but is designed for the need of the finance business, with logging to a server, encryption, directory services etc.
I struggle to see the value in this.
No offense, but you struggle because you're a slashbot and don't know what you're talking about. All communication in and out of a dealing room is recorded. This is so a customer can call up and do a trade on the phone, and then can't "DK" - deny later making the trade. Also, it means that traders can't pass on information they shouldn't to outside.
Traders want everything to be recorded. Those tapes can keep you out of jail.
they could still use their mobile phone or some other mechanism.
Mobile phones are blocked inside dealing rooms. And even if they weren't, even being seen using one would get you in trouble. Sure you can pop down to Starbucks and make a call from there - in the 10 minutes it took you to walk down there, the market's moved, any information you might be sneaking out is probably obsolete.
Doesn't there come a point where you have to acknowledge that not all communication that takes place at a place of work is 'owned' (in a responsibility-for sense) by the employer?
Like I say, you don't know what you're talking about. Sure a dealer can make a personal phone call, if he gets time, the bank don't care, they just think he's schmoozing a customer. The only time the tapes are listened to is if something comes to court. This protects everyone involved, the customer, the dealer and the bank.
The "big three" personal IM clients (AOL, MSN, Yahoo) are great for talking to Aunt Martha, but if you need reliability, accountability, security, logging, programmability, presence, etc., use tools suitable for the work environment like IBM SameTime. IBM already has like 80% of the big corporate IM market - and this is more bad news for the AOL/MSNs of the world. (SMBs and those with Jabber, etc., please don't feel slighted - those are great tools also, I hear.)
This should be good news for Lotus/IBM as companies abandon the toys (AOL/MSN/Yahoo) and go for the tools.
(Sorry, obligatory SCO/IBM suit reference not included.)
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
Isn't this exactly what AIM Enterprise was created for? Why have I not seen anyone mention it?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Sql*kitten says: "Mobile phones are blocked inside dealing rooms."
Well, some! I worked in a certain big dealing room in London, where they even installed mobile antenna repeaters to improve reception. Use of personal webmail accounts was rampant. It was understood - if you're making a deal, use a taped line!
I agree with the first poster - someone has to acknowledge that not all communication is owned.
But there are deeper reasons for this.
To encourage logged IM is nice - it allows dealers to use IM for work, and improve their efficiency. However, once one dealer wants to make deals over IM, either all other dealers must follow, or risk entering into contracts on unlogged channels.
So the NASD is really saying: IM is a good idea - but if we want to use it for our work, we've all got to start logging!