Regulator's New Aim: Keeping a Back Door into the Bank

Anthony Albanese isn't just keeping Benjamin Lawsky's chair warm. He's keeping the tradition of playing hardball with big banks — and their vendors.

On Wednesday Albanese, the acting head of the New York Department of Financial Services, sent a sternly worded letter to David Gurle, the CEO of Symphony, an instant messaging software company owned by a consortium of large banks. The outcome of the regulator's inquiry into the banks' plans for Symphony could have a big impact on the way financial services industry vendors work with regulators in the future.

At issue: whether software providers are obligated to surreptitiously provide regulators with information culled from their systems (such as incriminating instant messages) that the regulators can use to build a legal case against banks. It’s similar to the issues that Edward Snowden brought to light on the national stage: the way the government, behind the scenes, pushes companies like Google and Yahoo to provide data it could use to pursue investigations. Demanding a "back door" to Wall Street traders' communications may not spark as much public outrage as the dragnet surveillance of ordinary Internet users, however.

Albanese took over as acting superintendent last month after the departure of Lawsky, who made a name for himself over the last several years as one of the country's most aggressive financial regulators.

Bank of New York Mellon, Credit Suisse, Deutsche Bank, and Goldman Sachs are among the 14 banks that own Symphony and plan to use its software. Albanese noted that "a number of the banks that our Department regulates — including those under investigation for rate-rigging schemes — have invested in [Symphony’s] technology and are likely to begin using it in the near future." He was referring to a high-profile case in which instant messages between big-bank traders were used to prove they were working together to manipulate the London Interbank Offered Rate.

The regulator specifically asked for information about Symphony’s document retention capabilities, as well as its data deletion, end-to-end-encryption, and open source features.

The encryption part of this is significant. Symphony’s software is designed to encrypt all messages and to have only the bank clients, not Symphony, hold all the keys. This means that if a regulator asked Symphony to provide it with messages for an investigation, Symphony technically would be unable to do so. This restores data sovereignty to the banks, and Markit has built a system with the same capability. But it would also force regulators to rely on asking the banks themselves to provide specific records or messages, making their job more difficult. And if many vendors followed this example, the job could become exponentially harder. (Like Google and the telecom companies, many bank software vendors today quietly share records with the government.)

Securities and Exchange Commission rules require banks to retain instant messages and other communications related to trades in "write-once, read-many" storage, and they all do.

"This information was always there, they could always view it, but typically it’s only when you’re getting audited or subpoenaed that you do," said David Weiss, senior analyst at Aite Group.

Weiss sees the New York regulator's letter as a bold move.

"Albanese is an interim regulator. He’s got guts to recognize the potential impact of this and to want to get information from somebody whom he does not regulate and I don’t think he has any prospect of regulating," Weiss said. "It also shows a recognition that [software like Symphony's] could potentially make future investigations more difficult by being solely reliant on institutions for information, so they have to go to them exclusively, through their front door."

Gurle would not give an interview, but sent this statement: "Symphony is built on a foundation of security, compliance and privacy features that were built to enable our financial services and enterprise customers to meet their regulatory requirements. We look forward to explaining the various aspects of our communications platform to The New York Department of Financial Services."

Interestingly, while the incumbent provider of instant messaging to the big Wall Street banks, Bloomberg, also refused requests for interviews, the company had its public relations firm send out an email to the financial press making sure they knew about the New York department's letter to Symphony.
