Tuesday, April 11, 2017

How to make encrypted messaging apps comply with market trading rules



Mobile messaging apps within capital markets and a culture of bring your own device are not going away. Not everybody has Bloomberg or some form of proprietary messaging system. Many people communicate with clients very conveniently using WhatsApp, WeChat, and Telegram—and these will have to become compliant with regulations.

For example, MiFID II states that all electronic communication has to be retained. This means that email and phone calls are being retained for many years, and this will also apply to things like WhatsApp.

Regtech startup KyoLAB, a member of the London Startupbootcamp 2016 cohort, is working to make popular messaging apps compliant and save firms from getting fined for misconduct, using techniques like compliance archival, know-your-device and compliance messaging.

Jan-Michael Gorecki, founder and CEO, KyoLAB, who was previously a prop trader, believes these are good and useful ways of communicating that many clients know and trust, so it's better to make these compliant rather than adding to the large pool of apps already out there.

He said: "We think the one that's very important for Europe is WhatsApp, but we are also working on WeChat, Telegram, Skype, even like Twitter, LinkedIn for mobile.

"I used to be an energy trader. I traded on Yahoo for many years, even before it was recorded in order to be compliant. We called each other up on the recorded phone line in order to confirm any trade done. So messaging apps are just a lot more convenient; not everybody is using email all day long. WhatsApp is the new email after SMS; SMS is just not that interesting."

The MiFID II stricture around retaining all electronic messaging is one of the things KyoLAB addresses. How exactly it does this comes down to some secret fintech sauce.

"The bank has our platform and we sit in the middle and take care of the forwarding to each side," said Gorecki. "So we have a way to capture WhatsApp without affecting the bank's clients. It's not against the terms and conditions of WhatsApp; we don't hack in any way. Our app is sitting on their phone—we are working in a compliance area so this is a highly B2B-only solution. The way we do it is something that's relatively new."

The next part of the service uses some AI and analytics to help compliance officers, HR or whoever is looking at the information inside the company to make sense of it in real time in a cost-effective way.

"Our application could work as a standalone if we were to cut the archiving, but our intent is to commercialize connecting the bank or the financial services institution and the client in a nice way, that is legal."

Regarding the bad rap that messaging of various kinds has earned within high finance, Gorecki said these cases are thankfully outliers; the vast majority of people are not trying to rig the markets and just want to do their job. The solution for the bring your own device culture is "basically striking a balance between monitoring what is necessary for compliance and not monitoring what should not be monitored."

Firms cannot monitor everything; at some point they simply have to trust employees. And if people want to cover their tracks and game the system they will always find a way.

"It's really not that difficult to get around the system," said Gorecki. "If you have a second phone, you can go outside and you can take a picture of the phone.

"There are some phones preventing you from taking screenshots, like Symphony messenger is preventing you from taking a screenshot – which you can get around first of all – but also you can just take another phone and take a picture of the screen and you still have the information.

"It's like second-hand information but it's still good enough. You have a so-called burner phone and you just go to the bathroom or just go outside. There is always going to be a way around it unless you literally take the technology away from the people.

"We offer our platform for bring your own device and for corporate devices. It can be a corporate Samsung phone; it can be a corporate iPhone. The device is managed so you cannot use certain applications on that phone. Then there is always a policy aspect of the whole equation. So if it states not to disclose company information while at work or otherwise, and employees violate this, then it's literally a criminal offense.

"If anyone says they want better security—I say go for corporate devices because bring your own device is not about security; it's about convenience."

Newsweek is hosting a "Regtech and Identity" event on June 13 and 14 at the Royal Institution in London. Registration is now open.
