IM Front Shifts Beyond the Office

By Maria Trombly | Securities Industry News | March 15, 2004

March 15, 2004 - Two years ago, traders at BNY Brokerage, a unit of the BNY Securities Group, started asking for instant messaging on their desktops. It was a request difficult to ignore, since it was the customers themselves who were ultimately behind it.

"We are an institutional agency broker-dealer, so we deal with many institutions, buy-side clients," said Robert Virgilio, SVP and head of compliance for BNY Brokerage. "The sales traders here had received some client requests to give them more up-to-date information on what we call color' of the market."

Instant messaging, or IM, addressed that need, Virgilio said. BNY went with a combination of AOL IM, the most popular consumer-focused IM service on the market, and FaceTime Communications, which provides a compliant gateway to the public IM service. "The clients are very satisfied, the business people are very satisfied," said Virgilio.
When it comes to the desktop, compliance is complete, Virgilio said. All instant messages travel through a central server, where they are monitored and archived. Outside of the desktop, IM use is forbidden. "You cannot utilize IM anywhere other than within the firm," said Virgilio.

That means that a sales trader who registers a certain AOL IM account name--or "buddy name"--with BNY's FaceTime system is obligated not to use that same account at home, in an Internet cafe, on a personal digital assistance or on a cell phone. "Obviously, there's no way to stop somebody from going home and logging into AOL from a home computer or PDA that we don't know about," Virgilio said. "But we have not faced that problem yet."

According to Virgilio, no BNY employees have expressed a need for IM on their handheld devices, and he doesn't see any urgent business need for it in the future. As a result, he said, he would like to see a way to shut down any access to IM that occurs outside the company's control and compliance reach.

Unfortunately, FaceTime doesn't yet offer that as an option. However, it wouldn't be hard to set up a passive detection system, said FaceTime CTO Jonathan Christensen. That would send warnings to users and alerts to supervisors if unauthorized access to IM systems is detected. "This would be an interesting feature, and one that's on our to-do list," he said.

But there is a more immediate solution. If BNY were an enterprise AOL customer, or a customer of Microsoft's MSN Connect enterprise IM product, then all IM messages could be automatically routed back to company servers for compliance and archiving.

Handheld Checklist

Handwringing on Handhelds
That would be a good option, according to Adam Cohen, a partner at New York-based Weil, Gotshal & Manges LLP, because there are so many problems with the use of handheld devices in particular.

Cohen said that issues related to IM usage are similar to those with e-mail, except more aggravated-and even more aggravated when it comes to portable devices. "The prime issue is the carelessness that people engage in when they use these modes of communication," he said. "They tend to view them as being like oral communications, with a temporal or ephemeral nature, when, in fact, any form of electronic communication can be permanent."

For example, a broker who sends an ill-conceived instant message from his cell phone might be unpleasantly surprised to find out that the recipient logged and archived the message for use in a future lawsuit.

Whatever policy firms choose, they need to be sure that the policy is enforceable, said Peter Mojica, VP of product marketing and business development at based AXS-One, which provides enterprise compliance software for e-mail and IM archiving.

A firm's policy could state that employees are only allowed to use their business e-mails and business IM accounts for work-related messages. One way to enforce that is to monitor incoming messages, Mojica said. For example, if an e-mail from one employee to another contains a personal e-mail address as a return address, or an e-mail from a client to an employee contains the employee's personal e-mail address within the body of the message, it signals that the employee has been using a personal e-mail account for business purposes, said Mojica. E-mails containing addresses known to be used for personal use-such as the AOL, Hotmail or Yahoo! domains-should be automatically funneled into a queue for review by a compliance officer, he said. Since employees could never be sure that a message sent from a personal account wouldn't be routed back to compliance, this should be a strong deterrent to using personal e-mail accounts.

Another tack a company can take is to take advantage of the fact that Blackberries and other portable devices can be easily configured by the IT department to funnel all e-mails and IMs back through corporate servers. "When I was at Credit Suisse First Boston, we couldn't go out and buy our own Blackberries," said Heather Davisson, SVP of business development at FivePoints Compliance.

PIN Holes
But one problem with Blackberries, she added, is the "PIN-to-PIN" instant messaging capability that comes built into the devices. There's no way to store or monitor those messages, she said. That feature must be turned off before issuing the device to employees. "That's what all the big banks do," she said.

Mike Liker, CTO at Minneapolis-based Craig Hallum Capital Group LLC, follows that philosophy. He does issue Blackberries to some users, but they're configured so that e-mails are automatically routed back to Liker's servers and IM is not allowed. "We don't have anybody using IM on it yet, but it's something we're looking at," he said.

He'll also be looking at IM on cell phones soon, when time allows. "A couple of people have asked if it's possible," he said. Craig Hallum is an institutional brokerage that uses a compliance solution from Akonix Systems.

Meanwhile, IM compliance vendors are racing to provide assurance that employees aren't slyly sending messages on unapproved machines. IMlogic has recently signed deals with AOL and Microsoft to ensure that all enterprise IM messages are routed back to a firm's servers. Jon Sakoda, IMlogic's VP of products, said some 90 percent of securities firms still use the free, ad-supported consumer IM versions of their products, but if they want to ensure that IMs are routed appropriately, they should switch to enterprise IM (enterprise IM is a fairly recent development for these two big consumer IM vendors).

The way that enterprise IM works is that a user gets his corporate e-mail address as his "buddy name" instead of one of the usual--and non-company-specific--buddy names like "RedDog345". When messages from a particular corporate domain enter the enterprise IM network, they can be automatically routed to a firm's servers, said Sakoda.

IMlogic currently has the integration with Microsoft and AOL that allows it to catch those messages, he said. Around 25 to 30 percent of Sakoda's securities industry clients currently use enterprise IM, but usually in conjunction with consumer IM, he said.

Lockdown
When it comes to employees using consumer IM remotely, individual devices can be "locked down" to point back to a firm's servers, he said. What if an employee uses a device that hasn't been locked down? It will soon be possible to automatically detect if employees are abusing their IM privileges. Soon, whenever users log into their IM accounts, they will become "present" to the network.

Vendors like IMlogic can monitor the public networks to check whether employees are present without being logged into their company networks. "We should ship that in the next version of our IM manager," said Sakoda. "A couple of weeks ago, when we signed agreements with AOL and MSN, that's exactly the type of implementation we wanted to be doing." (See IM story for how to do it manually for now).

So what is the next compliance front? How about short message service messages so popular with teenagers? After all, those users are the ones who first popularized instant messaging.

"That's a place where we want to keep paying really close attention," said Davisson. "We are constantly scanning this space, but I don't believe there's a scalable solution that's been adopted by Wall Street or any firm that I know of. But I believe it will happen and we will see something soon."