Slashdot Mirror


Brokerage Instant Messages Must Be Saved

DrEnter writes "According to an AP story on Yahoo!, the National Association of Securities Dealers (NASD) has told its members that they must keep a copy of all instant messages sent or received by employees for at least three years. This is similar to their requirements on keeping e-mail, although technically not nearly as easy. The NASD is a self-regulatory organization, and U.S. federal law requires almost all of the 5,300 U.S.-based securities firms and brokerages to be a member of it. There's a news release from the NASD concerning the requirement - it looks like the daunting technical issues have already resulted in some firms banning the use of IM completely."

27 of 265 comments

  1. daunting technical issues? by Surak · · Score: 4, Insightful

    What daunting technical issues? Nearly every instant messaging client has the ability to always log conversations. Simply standardize the clients that can be used, make sure that conversations are logged, and lock down the configs so that brokers can't change them. I see no daunting technical issues here.

    1. Re:daunting technical issues? by Max+Romantschuk · · Score: 4, Interesting

      What daunting technical issues? Nearly every instant messaging client has the ability to always log conversations.

      Would you trust your IM to log messages? What if the logging fails? Will your boss listen to you, or would you rather not take the risk at all?

      --
      .: Max Romantschuk :: http://max.romantschuk.fi/
    2. Re:daunting technical issues? by Surak · · Score: 3, Interesting

      That's what IT staff are for. That's why you use standardized builds of client PCs. The IT staff does the integration work to ensure that things like logging occur. The standardized configs make sure that everything works and that users can't change it.

    3. Re:daunting technical issues? by funkman · · Score: 3, Informative

      No, it's not. If they use AIM, then they can use the AOL gateway. The AOL gateway product can also do their own authentication and force AIM clients (based on AIM handle) to use the gateway. The gateway can do all the needed logging. A strict IT policy to be followed by employees makes this task trivial.

    4. Re:daunting technical issues? by muffen · · Score: 4, Insightful

      As you said, they have the ability to log it on a client level. Imagine a company with 500 000 machines. Are you going to collect logs from each and every one every single day?? Even if you saved the logs on a network drive, do you want 500 000 different files per day?

      The difficulty is logging the traffic on a server level. The reasons are many. I think this article describes them fairly well.

      Basically, IM traffic tries to hide itself, generally as HTTP traffic. Yahoo for example prepends a HTTP header to all packets, thereby being disguised as a HTTP GET request. AOL/ICQ/MSN has the ability to use HTTP Proxy servers, and AOL provides www.proxy.aol.com for free (port 80, no pass). MSN will auto-configure itself to use a proxy server if direct access is blocked.

      Here's the result of logging IM traffic on a client level.

    5. Re:daunting technical issues? by arkanes · · Score: 4, Insightful
      Missing the point - in this case, all the logging is done on client machines, outside the direct control of the support staff. That'd be a disaster if, say, someone's hard drive failed and the log was lost, and then they were sued. Email is easy because you just mirror it on a server. You'd need some sort of complicated transparent proxy to log normal IMs, and that wouldn't work with encrypted conversations.

      In other words - yes, it can be done. No, it's not trivial.

    6. Re:daunting technical issues? by shaitand · · Score: 3, Interesting

      umm ok, last I checked it takes less than 5mins to write a shell script that uploads these logs in the background to an ftp. Pop it in a cron job and bam, all set.

    7. Re:daunting technical issues? by bmongar · · Score: 4, Insightful
      Nearly every instant messaging client has the ability to always log conversations

      Client side logging is not sufficient. An employee can turn that off or delete the logs. The logging would have to be done server side. That would require a corporate IM solution which would log. I work for a company affected by this law. They don't allow any external or web based e-mail access for the same reason, they can't log it unless you go through their server.

      --
      As x approaches total apathy I couldn't care less.
    8. Re:daunting technical issues? by blibbleblobble · · Score: 4, Funny

      "Imagine a company with 500 000 machines..."

      If you have 500,000 machines running Windows, this will be the least of your problems.

    9. Re:daunting technical issues? by bleh-of-the-huns · · Score: 3, Informative

      It's much easier to implement a corporate version of an IM server, that most IM networks now provide, then firewall off the other IM servers, forcing the clients to use the corporate version, or proxy all IM client requests to std IM servers to the corporate one, provides central logging point, and peace of mind for the security personnel.

      On the other hand.. IM is not secure by any means, anyone stupid enough to use it in a financial industry for anything other than talking to friends and bullshitting around, should be shot.

      --
      I came, I conquered, I coredumped
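
The replies above argue that client-side logs can be switched off, deleted or lost, and that retention has to happen at one central point. A sketch of such a central archive, added here as an illustration and not taken from any poster or product: each stored message commits to the previous one, so an edited or removed record is detectable. All function and field names, the sample conversation and the 3 * 365 day window are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# "At least three years" comes from the story summary; 3 * 365 days is an assumption.
RETENTION = timedelta(days=3 * 365)
GENESIS = "0" * 64

def _digest(prev, body):
    data = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + data).hexdigest()

def append(archive, sender, recipient, sent_at, text):
    """Store one message centrally; each record commits to the one before it."""
    prev = archive[-1]["hash"] if archive else GENESIS
    body = {"from": sender, "to": recipient, "sent_at": sent_at, "text": text}
    archive.append({"body": body, "prev": prev, "hash": _digest(prev, body)})
    return archive[-1]["hash"]  # head hash, to be kept outside the archive

def first_break(archive, head=None):
    """Index of the first altered or missing record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(archive):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["body"]):
            return i
        prev = rec["hash"]
    # Dropping records from the end leaves a valid chain; only the
    # separately stored head hash reveals it.
    if head is not None and prev != head:
        return len(archive)
    return -1

def purgeable(archive, now):
    """Indexes of records older than the retention window at ISO time `now`."""
    t = datetime.fromisoformat(now)
    return [i for i, r in enumerate(archive)
            if t - datetime.fromisoformat(r["body"]["sent_at"]) > RETENTION]

def build_sample():
    """Constructed conversation; names and text are invented for the example."""
    archive = []
    append(archive, "broker1", "client7", "2003-06-18T14:00:00+00:00", "Buy 100 XYZ at market?")
    append(archive, "client7", "broker1", "2003-06-18T14:00:20+00:00", "Yes, go ahead.")
    head = append(archive, "broker1", "client7", "2003-06-18T14:01:05+00:00", "Filled.")
    return archive, head

if __name__ == "__main__":
    archive, head = build_sample()
    print(first_break(archive, head), purgeable(archive, "2007-01-01T00:00:00+00:00"))
```

The head hash has to live somewhere the archive's own administrators cannot rewrite, otherwise truncating the newest records goes unnoticed.
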
  2. But why??? by jkrise · · Score: 3, Funny

    Can't they simply use Echelon instead??

    --
    If you keep throwing chairs, one day you'll break windows....
  3. What's the value? by monkey_tennis · · Score: 5, Insightful

    I struggle to see the value in this. If a broker wants to have an 'off the record' conversation they could still use their mobile phone or some other mechanism. Doesn't there come a point where you have to acknowledge that not all communication that takes place at a place of work is 'owned' (in a responsibility-for sense) by the employer?

    1. Re:What's the value? by darkov · · Score: 4, Informative

      You're looking at it from the wrong side. The biggest issue for brokers is having clients ring up or whatever, give instructions and then take issue later (when the trade goes bad, presumably) or the client saying that the broker told them X and it caused them a loss.

    2. Re:What's the value? by sagneta · · Score: 4, Insightful

      It's not the employer that is making this requirement. The SEC has regulated such communication since its inception in 1934 in accordance with the Securities ACT of 1933 and the Securities and Exchange ACT of 1934. This is the law. Period.

      Insider trading and information dissemination is strictly regulated to prevent classic insider stock manipulation gambits. To get some idea of how that worked you can read "Reminiscences of a Stock Operator", first published in 1924.

      Sam Waksal who was found guilty of violation of several securities laws and could have been hung up on obstruction of justice to boot is now spending 7 years in prison. He could have gotten 40.

      The laws have become stricter more recently. Just before the bubble burst Congress enacted more legislation that prevented companies from providing non-public information to traders, analysts and the like. They mean it. Siebel executives during a dinner recently that off the cuff mentioned some data to an analyst are now having to explain themselves to the SEC. SEC is in a bad mood these days.

      The point that is lost outside the industry is that the witch hunt is on. This happens after every debacle. It is not a technical issue. The IM infrastructure *must* meet SEC and NASD ( 1938 ACT ) rules and regulations otherwise the companies face prosecution and the individuals lose Series 7.

      I am actually astonished NASD waited this long. Brokerage firms are already rushing to comply in 2003 because it has been assumed this would happen.

      FYI

    3. Re:What's the value? by sql*kitten · · Score: 4, Informative

      I struggle to see the value in this.

      No offense, but you struggle because you're a slashbot and don't know what you're talking about. All communication in and out of a dealing room is recorded. This is so a customer can call up and do a trade on the phone, and then can't "DK" - deny later making the trade. Also, it means that traders can't pass on information they shouldn't to outside.

      Traders want everything to be recorded. Those tapes can keep you out of jail.

      they could still use their mobile phone or some other mechanism.

      Mobile phones are blocked inside dealing rooms. And even if they weren't, even being seen using one would get you in trouble. Sure you can pop down to Starbucks and make a call from there - in the 10 minutes it took you to walk down there, the market's moved, any information you might be sneaking out is probably obsolete.

      Doesn't there come a point where you have to acknowledge that not all communication that takes place at a place of work is 'owned' (in a responsibility-for sense) by the employer?

      Like I say, you don't know what you're talking about. Sure a dealer can make a personal phone call, if he gets time, the bank don't care, they just think he's schmoozing a customer. The only time the tapes are listened to is if something comes to court. This protects everyone involved, the customer, the dealer and the bank.

  4. That should be easy by Daath · · Score: 3, Interesting

    Just build a custom Jabber server that saves everything serverside!

    Call it Corporate Jabber or something... Users should, however, be warned of the logging!

    Recently, here in Denmark, an employee of a company was dragged in court, because she was sending private mails from work (through an online dating site). The court ruled that it was ok, and that the company should stay out of the employees private life - even if she had some [private life] at work. Go Denmark ;)

    Anyway, there are lots of things to think about when logging...

    --
    Any technology distinguishable from magic, is insufficiently advanced.
  5. Boom Town by Deton8 · · Score: 3, Funny

    These new data retention laws are a boon to those of us in the data storage industry. If this keeps up I'm going to name my new yacht after the dude at the SEC (although "Cunt" is probably already taken).

  6. Have they looked at facetime? by alistair · · Score: 3, Informative

    From the facetime.com website;

    "Since 1999, FaceTime has been delivering instant messaging (IM) solutions for the security, management and control of IM in the enterprise.

    Our integrated enterprise IM management suite of products address the challenges of:

    * Network and Information Security
    * Regulatory and Corporate Compliance
    * Call Center Customer Service

    IM Auditor has been chosen by 32 of the largest 100 financial institutions and 7 of the 8 largest U.S. banks including Bank of America and Wachovia Securities to satisfy regulatory compliance requirements."

    The one thing that wouldn't be addressed is encrypted clients such as the recently discussed Nullsoft "Waste" IM client. However, with businesses increasingly becoming addicted to IM clients and Blackberry devices, this would be a far more palatable solution than banning IM completely.

  7. This is understandable by Millbuddah · · Score: 4, Insightful

    Considering the recent media frenzy over Martha Stewart's case regarding insider trading, this really shouldn't come as much of a surprise. They're only trying to cover their own ass by having records for evidence if any insider trading information is being passed along with these instant messaging programs.

  8. Re:This is ridiculous... by Anonymous Coward · · Score: 4, Informative

    Actually at my firm, we do log all calls made from our traders' phones for a 3 year period, it's more a protection against illegally/incorrectly executed market orders, and liability mitigation and it is not an SEC requirement.

    If you think this is bad, we need to have full data backups for files, fax, and e-mail transmissions for a 7 year retention. That eats up a lot of tape...

  9. Yes they are... by alistair · · Score: 5, Informative

    Most banks already log phone calls, what is being added is the requirements to archive email and IM messaging.

    Do a quick search for "Basel 2" or "Basel ii" for more details on this. One very interesting quote I found is;

    "The Institute of International Finance has projected a total investment of US$2.25 trillion over 5 years for the 30,000 banks that will be affected, on top of systems' budgets, implementation costs and training. With such a huge increase in costs, this may precipitate another round of banking consolidation, especially in Asia. Basel 2 will certainly reward banks with sophisticated management and systems – they should be able to generate higher returns on equity, and have less capital required by the market and regulators."

  10. Re:record everything by signifying+nothing · · Score: 5, Informative
    Don't get overexcited - this is only for communications with clients, not for purely internal conversations.

    The Slashdot summary says otherwise, but the press release linked to is pretty clear.

  11. Makes sense to me by jamie(really) · · Score: 5, Insightful

    Brokerage firms make deals minute to minute, and conversations with a broker are legally binding. There isn't time to fax a contract back and forth. If you phone anyone at a brokerage firm, you will be recorded. Something to remember before you phone your mate and tell them about your weekend in Ibiza. I totally understand why banks would view instant messages as the 21st century equivalent of a phone conversation. Get over it!

  12. Re:This is ridiculous... by tgma · · Score: 3, Informative

    It may not be an SEC requirement, but isn't it an NASD requirement? I've been working at brokerages for the last ten years, and it would have been unthinkable for us not to have our conversations recorded.

    It wasn't just the traders and the salesmen, but the analysts as well. Maybe it wasn't a regulatory requirement, but it's definitely part of doing business in securities, because so much is done over the phone. It was actually surprising how little we used those recordings after they were made, but maybe we were just fortunate. Mostly it was to check trades, but the threat was always there that if you gave out inside information, you could be nailed.

    Interestingly we were allowed to use mobiles on the trading floor, but I can imagine that people are much more cautious in the US. Post-Spitzer, they are all running very scared. Most US investment bankers that I talk to now, virtually have to append a disclaimer to everything that they say. Must make for some interesting pillow talk.

  13. Where I work... by willis · · Score: 4, Informative
    I work at one of the larger investment banks...

    rules:
    All emails are kept (Archived, not by us)
    No external email accounts (it's a big offense if you use hotmail, etc, from work)
    Internal instant messaging (logged, of course)
    No external instant messaging (you crazy? Hell no -- you can't just install random software from the web on a trader's desktop)
    All phone calls are recorded (not sure how)
    Cell phones are banned on the trading floors (I see them sometimes (and carry mine), but I think it's not cool).
    There might be cameras, but I don't know.

    All of this promotes accountability & transparency... and is good for clients and the market in general...

    It's not like they look/read everything, but it has to be on file in case of a lawsuit, etc.

    re: the guy talking about remote desktop, etc...
    That might work at some firms, but I'd imagine most of the bigger firms are really, really locked down.

    --

    there is no thing
    what else could you want?
    1. Re:Where I work... by Eevee · · Score: 3, Insightful

      Timeline:

      0700 - Get coffee, gossip with coworkers.

      0800 - Install PuTTY on company computer.

      0815 - ssh to home.

      0817 - Get escorted out of the building by two rather large and unfriendly gentlemen.

      0900 - Apply for unemployment insurance.

  14. Most firms have done this for a long time. by michael7 · · Score: 4, Insightful

    I work at one of the large investment banks and instant messaging has become a large part of how traders do business. They communicate with people from other firms, quote prices, and even make trades. All of this is much more efficient and effective than email or even the phone. The recording of these communications is mostly there to settle disputes. If I quote a price to you over IM and you accept the trade is done, and if later you come back and dispute the price, there needs to be some way to settle it. This is the main reason phone calls and emails are all recorded and saved. It is a good deal for the banks, along with the SEC when investigations come up.