Trading floor: overcoming the dangers of personal mobile devices
Personal mobile devices have grown to be a nuisance and a huge security risk on trading floors and other restricted areas. In the financial sector, personal mobile device surveillance is often overlooked in favour of soft policies to achieve regulatory compliance and data security.
However, these aren’t enough to prevent breaches of material, non-public information and market abuse via personal mobile devices. In 2021, stealing and leaking sensitive information is easy and can be done in seconds, not only through regular voice and video calls but also through messaging apps such as WhatsApp, Signal or Telegram.
Unfortunately, a key problem is that there is a lack of awareness of the dangers of using personal mobile devices on the trading floor. Eamon Javers’ article for CNBC, “You won’t believe what gets an email flagged at Goldman: CNBC has the list”, illustrates this point:
“Goldman Sachs’ compliance department conducts surveillance of employees’ email. It’s an automated process: software monitors the emails for certain phrases that are flagged for specific scrutiny. Human employees at Goldman then review the flagged emails and decide whether they represent a problem.”
Here, the focus is solely on email, yet bad actors will use whatever weakness they find to cause a material, non-public information (MNPI) breach and engage in insider trading for personal gain. Without effective and continuous monitoring, personal devices can be, and are, a gateway to market abuse. After all, a work mobile device can be identical to a personal mobile device; the only difference is that one is monitored and the other is unmonitored and open to abuse. So, on the trading floor, for example, there is no longer an excuse for relying solely on a soft, trust-based policy about using personal devices in sensitive and secure areas.
Demonstrable oversight is essential to maintain regulatory compliance, which demands preventative action be taken now. This can only be achieved through technology. The policies that have been in place for at least ten years don’t work; there is a continuation of market abuse.
The trouble is, companies can have the most secure building in the world, but if the doors are unlocked, information is going to get out. So, what’s stopping the industry from taking serious action, beyond a piece of paper, also known as a soft policy, to enforce a meaningful control over unapproved communications?
Indeed, very few global financial firms are proactive about this risk and acknowledge that mobile devices are a serious security risk, or that a technology breach should be tackled with technology. The soft, trust-based policies that were put in place to address the arrival of personal mobile device regulations a decade ago are simply a tick-box exercise.
Banks need to be aware of the true extent of the problem. Raili Maripuu, CEO of Mobilewatch, explains: “The banks are aware, but they need to do more about it than they have done in the past. They now need to go beyond the soft policies they have in place. They have ticked the box by introducing policies against using personal devices in regulated spaces, but they don’t enforce it.”
Maripuu recently spoke at 1LoD’s Deep Dive Event Series about first line risk and control, debating conduct surveillance. In response to the debate’s question, “can the industry agree on a common approach to remediating the conduct risks presented by unapproved comms?”, she argued that the industry can, and perhaps should, collaborate to agree a common conduct risk remediation approach. The challenge is to create cultural change in organisations.
The question is: can the current soft policy approach vis-à-vis personal communication devices be changed and brought to the same level in combination with other controls for conduct risks? “Just look at COVID. Within days, a previously unthinkable scenario of trading from home became a very real and acceptable business model,” she comments.
So, with the new working-from-home norm, the UK’s Financial Conduct Authority (FCA) has set out what it expects from banks and the financial markets. The regulator says coronavirus is “causing unprecedented levels of uncertainty in financial markets”. To keep everyone safe, it says it is working with “the Government, the Bank of England, the Payment Systems Regulator and firms to make sure customers are protected and markets continue to function well”.
This includes providing resources and guidance for the firms it regulates, including those involved in market trading and reporting, to ensure that a high level of regulatory compliance is maintained. The challenge of preventing market abuse and non-compliance with the regulations is particularly acute when traders operate from home. With this increased risk of market abuse, companies need to mitigate it quickly.
The FCA’s position is extremely clear. In its revised update, on 12 January 2021, Coronavirus (COVID-19) – Information for Firms, it reaffirms: “Given the extensive duration of these arrangements [new working practices due to pandemic], we now expect you to record all relevant communications (including voice calls) when working outside the office. You should continue to take all steps to prevent market abuse risks. This could include enhanced monitoring or retrospective reviews. We will continue to monitor for market abuse and, if necessary, take action.”
Shockingly, despite the FCA’s guidelines, Mobilewatch often hears banks and financial organisations either suggesting that personal device surveillance is not a priority, or that there is not enough guidance from regulators, or expressing a belief that allowing personal mobile devices into regulated areas is part of a healthy organisational culture.
There is also a view that personal communications don’t pose a residual risk, despite mobile communications technologies dramatically changing over the last 11 years. Smartphones, for example, are computers in our pockets. They are powerful devices with much more functionality than the mobile phones of the 1990s.
This indicates the guidance from the FCA is outdated. Maripuu adds: “Mobile devices pose a huge security risk which, by far, exceeds all the risks from e-comms, work phones, chatrooms and emails combined. Yet, all of the above are recognised serious conduct risks, covered with a wall of controls that are scrutinised daily by hundreds of analysts. On par, a tick-in-the-box soft policy isn’t enough to address a gaping hole in the banks’ control systems.
“With soft policies as basically the only control over personal devices, it is so easy and even tempting for the traders to breach the policies, as with mobile devices it can be done very quickly. Knowing that this vulnerability is currently unsupervised, the human psychology almost decriminalises this action.”
Proactivity is a current hot topic that the financial firms talk about in connection to their dealing floor culture. Unfortunately, this is lacking when it comes to personal mobile devices, which are met with a reactive response. Yet, Maripuu explains that the Senior Managers and Certification Regime (SM&CR) is all about establishing greater individual accountability and demonstrating personal responsibility.
The Deep Dive event was about filling the surveillance chasm in the first line, with the ultimate objective of running a clean ship. This requires greater acceptance and recognition of the dangers personal mobile devices pose in secure, restricted areas. The regulators are no longer obliged to accept only soft policies, which banks introduced as “sticking plasters” to quasi-meet their compliance obligations.
There is now an immediate requirement for proper enforcement tools in the first line of defence, tools which can demonstrate full compliance. To prevent market abuse and to maintain regulatory compliance, a more proactive approach has to be taken. This involves prioritising personal mobile device surveillance technologies to monitor personal mobile devices and stop illicit activities in their tracks. After all, prevention is a much better prospect than a cure.