Note to Critics: Bank-Backed Message Service Not Backing Down

For a relatively simple software product that has not been released yet, the instant messaging service Symphony — which is backed by fifteen large banks — has generated a remarkable amount of buzz.

A lot of it has been negative, led by policymakers such as Senate Banking Committee member Elizabeth Warren, who says the encrypted service would compromise regulators' ability to root out fraud at big banks, such as the Libor rate-rigging scandal.

Symphony Communication Services' chief executive, David Gurle, has held several meetings with regulators from various agencies. He insists that in spite of the controversy and regulators' questioning, the service will launch Sept. 15 as planned.

To succeed, Gurle will have to focus the discussion on the merits of the system and on privacy concerns, and away from critics' opinions about its users, one observer said.

"These are shots across the bow at Symphony's investors, whom they perceive as bad actors, not at Symphony itself," said David Weiss, senior analyst at Aite Group. "There's no regulatory oversight of Symphony as a company by any of these folks."

The case of the instant messaging service that banks love and regulators shake their heads at raises broad questions about the best ways to secure data, protect data privacy and comply with regulatory mandates, as well as whether governments should be allowed to have "back doors" to industry data — questions that affect all banks and their vendors.

Controversial Software
Symphony started as an in-house messaging project at Goldman Sachs. The bank worked with Gurle, who then was running a secure instant messaging startup called Perzo, and formed a consortium that bought out Perzo and renamed it Symphony Communications LLP.

The software is designed to be used by bankers, traders, analysts and others for quick chats about current trades, deals and market events. It is an alternative to Instant Bloomberg, which has about 320,000 subscribers, and Thomson Reuters' Eikon Messenger, which has more than 240,000 users.

The key difference between Symphony and the incumbents is its ability to not only encrypt every message, but to allow each bank to hold the encryption keys to its own communications archive. Instant Bloomberg does not have such encryption built in and regulators have been able to review bank messages without having to ask the bank for them.

For banks that use Symphony, regulators would not have such "back-door" access to messages. To access records, they would need to subpoena a bank for them, which is the normal procedure.

In July the New York State Department of Financial Services sent a letter to Symphony's management, asking questions about how it encrypts data and stores messages; other regulatory agencies have followed suit. In August, Sen. Warren, D-Mass., sent letters to six bank regulatory agencies about it and was quoted in many publications warning that Symphony could be used to circumvent compliance and regulatory review.

"The communications that Symphony will allow companies to hide from 'government spying' — such as text messages and chat-room transcripts — have proven to be key evidence in previous regulatory and compliance cases that have uncovered criminal action by Wall Street," Warren wrote in a letter to the Consumer Financial Protection Bureau. "If banks are now making this information more difficult for regulators to obtain and interpret, it could prevent regulators from identifying and preventing future illegal behavior."

Gurle sees the issue of providing back doors to governments as part of the national privacy debate.

"You have to take two steps back and look at this from the big picture," he said. "On one side, there's privacy which we do have to protect. That's a right we've earned over the course of our history. On the other hand, there are people who have bad intentions who have a desire for privacy. This requires the government to find different ways of getting information."

If federal regulations were to require Symphony to change its encryption policy and store keys so that it could provide government agencies with access to messages, those rules would logically also apply to other messaging applications that use encryption, including WhatsApp, Facebook and Apple iMessage, Gurle said.

"I'll give you my dream scenario: [policymakers] do understand value in encryption, for their work they do in regulating the financial markets and for the people being regulated," he said. "Encryption is the right technology going forward. I think we've solved the question of encryption and compliance in a way that's satisfactory."

Built-In Safeguards
Encrypted messages cannot be modified, for instance. And the same type of back door that lets a government agency view messages could potentially be accessed by a hacker, Gurle and others said.

Regulators' concerns are overblown, said a banker involved in the project who spoke off the record.

"It's not Symphony's responsibility to make the data available — it's the bank's responsibility," the banker said. "If the regulator needs to see information, they'll need to go to the bank directly."

As for the type of collusion that occurred in the Libor rate-rigging case, Symphony would automatically block such behavior because no more than two banks can access a chat room at any one time, the banker said.

Gurle said he has explained to several regulators that Symphony helps banks comply with regulations. "We've educated them about how our system works, how we protect our customers' privacy, how we protect data manipulation so they can be sure that what's being recorded is compliant with [New York state regulatory] standards," he said. The talks are ongoing.

What Banks Like
The fifteen financial institutions behind Symphony — Goldman Sachs, Bank of America Merrill Lynch, JPMorgan Chase, Citigroup, Morgan Stanley, Wells Fargo, Bank of New York Mellon, BlackRock, Citadel, Credit Suisse, Deutsche Bank, HSBC, Jefferies, Maverick Capital and Nomura — first and foremost like the security features that would protect their proprietary communications.

"Symphony is the safest way to chat in the market today," said the executive who spoke off the record. "That's a result of the encryption technology that's been built into the platform. … You could potentially hack it and get a packet, and it would be meaningless to you."

At the same time, the banker said, the banks will be fully compliant with regulatory requirements.

"We would have the keys and the capability to decode messages so regulators can see what they need to see," the banker said. "We're not hiding the messages, but keeping them from people who shouldn't have access, like hackers."

The software also has certain compliance safeguards: for instance, it does not allow salespeople and research people to talk to each other, per the Chinese wall banks are supposed to observe.

Symphony also provides "smart filters" to help users find useful information. "Say you're a buy-side analyst, and you're receiving lots of inbound information and you spend a lot of time skimming through that looking for things that matter to you and to your portfolio," Gurle said. A smart filter could more quickly sift through messages, Twitter feeds and other sources for relevant information.

Over time, the platform will take on added capabilities, such as email and video, the banker said. It also allows more filtering, to let banks identify any improper behavior more quickly.
