Last updated July 15, 2008
IM: Meeting Regulatory, Tech and Security Concerns

Last Tuesday, Securities Industry News brought together a group of instant messaging experts with about 200 members of the financial community for a Web seminar on IM on Wall Street. The panel, moderated by Securities Industry News Group Editor Donna Miskin, included Celent Communications Analyst Michael Haney; Bridge Trading VP Jim Lenz; Stephen Nelson, a securities lawyer at the Nelson Law Firm LLC; and Securities Industry News Technology Correspondent Maria Trombly. Although there was a question-and-answer period at the conclusion of the seminar, there wasn't enough time to answer all of the questions posed by audience members. Some of those questions and answers are excerpted below by Maria Trombly. Web seminar attendees received the entire list by e-mail late last week. A complete archive of the Web seminar will be available at www.securitiesindustry.com.

Audience Member: Any idea how far off IM standardization is likely to be: months, years?

Mike Haney: Although standardization is often essential for true mass adoption of a particular technology, it doesn't always occur. If we look to the enterprise application integration (EAI) industry as an example, it took years for all major vendors to begin participating in standards bodies and promoting open standards like XML Web services. This only occurred after customers fought back against the rising costs of integration and after EAI vendors had made millions to bridge proprietary communication protocols like COM and CORBA. The instant messaging industry is much less mature, and solution providers seem to be rallying around two major standards: SIP and SIMPLE. There also exist other standards like XMPP and open-source solutions like Jabber. We are years away from standards, and it will only occur through strong customer demand, effective promotion by standards bodies or regulatory intervention.

Maria Trombly: The Internet Engineering Task Force has already approved a standard called SIMPLE. It's supported by Microsoft, IBM and Reuters, and I think that will help make it the industry standard for enterprise IM, not immediately, but within a couple of years at most. For consumer IM, it's a different issue, since the problem there isn't so much standards as business: the consumer platforms want to keep their IM communities intact and closed off to make money off them.

Audience Member: Are there any products that we can use that are compatible with all IM systems?

Haney: If compatibility is the main driving requirement of your organization, you could look at the Linux-based, open-source GAIM solution that works with most major public networks, even obscure ones like Gadu-Gadu, a Polish-based IM provider. However, what you probably need as a financial institution is a vendor that has true partnerships in place with the leading public, private and enterprise IM network providers. Although I'm not promoting any one solution, look toward Akonix, FaceTime, IMLogic and their competition (you will find at least 20 vendors in the space) that have robust, enterprise-class solutions that not only tackle the issue of interoperability, but also archiving, filtering and other requirements that will be required by audit, compliance and IT.

Audience Member: Are there measurable cost savings or increased ability to generate revenue? Because there would seem to be a significant investment to meet the regulatory requirements, and those costs will need to be justified.

Jim Lenz: Increased revenue can be indirectly measured by the visibility IM permits. Regulatory requirements must be in place, since our clients have requested we use IM.

Trombly: You can also look at decreased telephone costs and improved customer service for return on investment. The majority of businesses report that e-mail and telephone use goes down when employees start using IM. And about 40 percent report that travel and fax use also go down.

Audience Member: Do we really have the manpower in the industry, from a regulatory perspective, to actually review compliance?

Stephen Nelson: The regulators have been critically short of manpower, which certainly limits their ability to monitor compliance. Nonetheless, reviewing procedures for capturing, reviewing and storing electronic messages has appeared on the various regulatory "hot lists" recently, and firms can expect regulatory audits to focus on this area.

Audience Member: Has anyone seen customer resistance to using an IM system that is not their own brand?

Haney: If I understand the question correctly, an example could be a bank using IM as a customer service channel, but the IM solution provider's brand is more prominently displayed than the bank's own brand. This would depend on how the solution has been deployed: (1) the bank is a "buddy" in the "buddy list" of a customer's IM client software, and therefore serves as a destination much like the bank's Web page is a destination, even though the browser features the software maker's logo rather than the bank's logo; (2) the bank has integrated IM into its Web site or into a downloadable thick client, where it can therefore control the look and feel more and have it comply with its brand image; (3) the bank private-labels a software provider's IM client, much like Netscape and IE often let their browsers take on the look of the enterprise. None of these scenarios is commonplace yet, so branding has not yet proven to be an important issue.

Lenz: No, I'm sure this is due to the proliferation of third-party providers.

Trombly: As I understand the question, the problem is when my company uses a particular IM provider and my customer doesn't want to use it. I believe this is one of the drivers continuing to inspire employees to use public IM systems, systems that their customers have easy access to. Sell-side firms should take pains to ensure that the enterprise IM systems they choose are compatible with those picked by their customers, or opt for a gateway approach that allows multiple IM vendors.

Audience Member: How are IM systems reviewed to satisfy the regulatory requirements?

Nelson: It is not possible to provide a one-size-fits-all formulation but, in general, it is my experience that a veteran securities principal confronted with a long list of messages will readily pick out the messages that require a closer look. In part, that's because conversations between two people may be suspect: why is a salesperson sending messages to a person who is not his account? Why is a trader sending messages to a competitor? We all know that some employees just bear closer watching. Firms that can afford it also purchase software that highlights troublesome words or phrases and flags those messages for closer review. With respect to tracking, some firms maintain a written log that a supervisor signs indicating review of messages received and sent during a particular time period. The supervisor opens a file, takes a look at the messages and signs the log. Firms with more sophisticated technology may be able to compile a similar record electronically. This is something that should be discussed with counsel, who can work with you to design a program of review and documentation suited to the circumstances of your business.

Audience Member: I would like to know whom you would recommend I use for e-mail and IM archiving.

Haney: This would depend on the examination of many factors, including current and projected number of users, projected amount of IM traffic, the types of public, private and enterprise IM networks you wish to support, what regulations your firm is subject to, your audit practices and procedures, how long your storage requirements would be, how frequently you anticipate retrieving IM messages from the archives, what other features and functionality you'd like to see in your IM solution provider, and so on. You could choose from among about 30 IM solution providers that have built-in archival technology, or you could choose to go with storage and archiving specialists that would work in conjunction with the IM solution provider.

Audience Member: If your staff does not use IM for any business correspondence, are you still required to back up all IM conversations?

Haney: This would depend on the nature of your business, the regulatory bodies that supervise your firm and your own internal audit guidelines. If you are not monitoring your IM activity, you cannot be certain that your employees are not using IM for business purposes. There are many firms that were surprised to find IM usage in their organization, and even more surprised to find that it was being used to share company and market information that could be classified as sensitive or confidential. There are software tools out there that use rules and keyword analysis to determine what kind of information is being transmitted over IM and, if necessary, can block that traffic.

Audience Member: Do security concerns revolve only around the ability for IM systems to pass attachments?

Haney: No. Security concerns include a broad range of issues, including, but not limited to: (a) the sensitivity and confidentiality of the information being sent; (b) whether the identities of the two parties in discussion have been authenticated; (c) whether the information is being intercepted by an unauthorized third party and should be encrypted; (d) whether the users are authorized to access the private or enterprise IM network; and (e) the type of integrated collaboration functionality (e.g., file transfer, whiteboarding, etc.) that users have access to but that may not be monitored or controlled.

Nelson: No. The recent cases involving Merrill Lynch and others criticized firms for failing to create records immune from tampering by salespersons. The records must be stored in a nonerasable, nonrewritable format in a secure environment where access is denied to persons without specific supervisory or record-management responsibilities. Other security concerns involve possible unauthorized or illegal
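As an added illustration of the review practices Nelson and Haney describe above (software that flags troublesome words, and messages between parties who have no business reason to talk), here is a small rule-based review pass over a constructed IM archive. It is not code from the article or from any vendor it names; the roles, account lists, competitor domains and keyword list are assumed sample data, and in practice the role of each sender would come from the firm's HR or entitlement system.

```python
"""Rule-based first pass over an IM archive for supervisory review.
Added example; all reference data below is constructed, not real."""
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str        # internal user id
    role: str          # "sales" or "trader" (assumed to come from HR data)
    counterparty: str  # external IM handle, e.g. "jdoe@example-fund.com"
    text: str


# Constructed reference data (hypothetical firm).
ACCOUNTS = {"alice": {"example-fund.com"}, "bob": {"bigpension.example"}}
COMPETITOR_DOMAINS = {"rival-broker.example"}
# Phrases a supervisor wants highlighted; word boundaries avoid partial hits.
KEYWORDS = re.compile(r"\b(guarantee|off the record|inside|tip)\b", re.I)


def review(messages):
    """Return [(index, [reasons])] for messages that need a closer look."""
    flagged = []
    for i, m in enumerate(messages):
        reasons = []
        domain = m.counterparty.rsplit("@", 1)[-1].lower()
        hits = KEYWORDS.findall(m.text)
        if hits:
            reasons.append("keywords: " + ", ".join(h.lower() for h in hits))
        # Nelson's first question: salesperson messaging someone not his account.
        if m.role == "sales" and domain not in ACCOUNTS.get(m.sender, set()):
            reasons.append(f"sales contact outside own accounts ({domain})")
        # Nelson's second question: trader messaging a competitor.
        if m.role == "trader" and domain in COMPETITOR_DOMAINS:
            reasons.append(f"trader messaging competitor ({domain})")
        if reasons:
            flagged.append((i, reasons))
    return flagged


SAMPLE = [  # constructed archive records
    Message("alice", "sales", "jdoe@example-fund.com", "Sending the research note now."),
    Message("alice", "sales", "pat@otherclient.example", "Can we talk off the record?"),
    Message("bob", "sales", "kim@bigpension.example", "I can guarantee this return."),
    Message("carol", "trader", "lee@rival-broker.example", "What's your axe in the 10y?"),
]

if __name__ == "__main__":
    for i, reasons in review(SAMPLE):
        m = SAMPLE[i]
        print(f"msg {i} <{m.sender} -> {m.counterparty}>: {'; '.join(reasons)}")
```

Flagged messages still go to a human principal; the rules only decide which of a long list deserve the closer look Nelson describes.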
Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com