Mobile Recording regulations – CIOs must be prepared

New Financial Services Authority (FSA) regulations that come into force this year mean CIOs will need to monitor staff mobile calls. Compliance must be achieved by November, CIOs need to act now, experts say. UK based financial services have until 14 November 2011 to comply with the FSA ruling PS08/1 on mobile call recording.

From November, all mobile communications made on a financial institutions’ fixed or mobile devices will need to be recorded and archived for at least six months. The deadline is now looming large, says Matt Chalk, finance industry manager for Vodafone Global enterprises:

“Factor in the hardware deployment, internal testing, user acceptance and other complications,” says Chalk. If you haven’t started your project by May you are going to be running a pretty tight schedule.” When the FSA originally absolved its financial services constituents from the responsibility of recording all mobile calls in March 2008, it was because they accepted that there were no technically viable systems to make this happen.

Things are very different in a post credit-crisis 2011.  As mobile technology is involved in practically every link of financial services business processes, each conversation or text message now has for too much relevance to be ignored.

Who is affected?

The FSA rules that ‘only relevant conversations’ are subject to the need for recording compliance.

The rules will cover a wide range of users including front office sales people, traders, back office advisers, settlement, private banking areas and corporate finance.

Naturally, there will always be people in these groups who will want to bypass the system. They may try to conduct certain calls in private, using their personal mobiles. The FSA ruling is that all reasonable steps must be taken. If a work device is provided, all conversations must be recorded. If city workers carry personal devices, they should be banned from work use, say the FSA guidelines.

When

The November 14th deadline seems a lifetime away. Companies will have to start the process now to be in control of the situation, Chalk of Vodafone says. CIOs need to have evaluated all the relevant players and ironed out all the terms and conditions with them over your contracts. “The real deadline for starting would have been April 30th,” he says.

How

Any institution affected by this new legislation is already likely to be recording all its fixed line calls using technology from one of the big three providers – Nice, Varient and Cybertech – to store all calls. The software for managing these stored digital files is the same, so there will be no added learning curve for storing mobile calls. Except that there may be a higher volume of work to do.

How is mobile different from fixed line recording?

The crucial difference between fixed line and mobile call recording is the method of capture. On fixed line calls, there is one obvious point at which to record all calls, the PBX point of entry to your organisation. With mobile calls, however, there are many points of entry.

The method of capture used determines the success of the recording. This being a new discipline, there is no clear picture of which is the best way to capture the call and record it.

Ease of use not cost is the deciding factor

The crucial factors to consider are firstly the security of the operation – can calls be lost or hacked? Secondly the ease of use. Some methods of recording that have been tried involve several seconds’ delay while the recording mechanism is set up. This can confuse customers initially, when they don’t know what’s happening to their call.

A customer-facing financial service that chooses a clunky call recording system could be doing itself a massive dis-service and could lose customers, says Justin Kimber, propositions developer at BT Global Services. It’s vital to create as efficient a set up as possible, if only for the sake of branding.

Call recording can be hosted or conducted on your own site. Hosted calls are routed through and stored on a hosted server. Call recordings are accessed by logging in to a secure portal.

The advantage of the hosted option is the flexibility if offers. You need to get a workable system in place now for the deadline and then adapt and improve upon it later.

Hosting frees you from the pain of purchasing, installing, maintaining and upgrading additional hardware. It’ll liberate more of your budget too.

Onsite or Offsite?

Some vendors say that to remain compliant under the FSA regulations, the data should be stored on the premises of the company that owns it, with a back up set of data offsite.

Not necessarily, according to the FSA. “We haven’t actually specified whether or not it has to be done centrally or hosted,” says Jocelyn Macafferty, FSA’s Investments Policy Department, “[you are covered] provided your firm can retrieve a record on request.”

Methods of Recording

The only way to ensure all calls are recorded, both in and outbound, is to re-route all calls. Ensuring that every call is diverted into a recording system is very hard to achieve, says Vodafone.

There are three different options for methods of mobile call recording. Some methods are very fallible, some expensive and some convoluted.

With the first type of call recording system, your users need you to call a number, input the number you want to call and a system then calls you back when the call is established. These systems can be painful (for users) and expensive for the company.

Some alternatives work by installing client software on the user’s mobile phone. This is the system adopted by Vodafone Global Enterprise. These systems are restricted to a specific phone manufacturer. Vodafone offers services for Blackberry and Symbian users today. Its Android and Windows phone versions are to come later.

Security bypass

Another weakness of this method is that the application can be potentially manipulated by the user. It is also susceptible to compatibility issues if the phone software is upgraded or another app added that introduces a conflict.

The third method of initiating mobile recording needs no software to install on the handset. A user makes a call as normal and the recording is set to always-on within the network so it cannot be manipulated – this is normal for compliance.

Call recording specialist Anvil uses this system. It says no software is needed on the mobile phone and it promises to be more open, since almost all mobile phone makes and models can be used.

However, the users’ phones need to support 3G and to be unlocked, as the service is delivered using a replacement USIM card with a choice of either a geographic phone number or a traditional mobile number.

One of the security bonuses of this system, where all calls are recorded from within the network, is that individual users cannot switch off recording or interfere with the process. Arguably, this provides tighter control and avoids users manipulating how and when calls are recorded. The time and date of every call is determined by the network, not the user device, so a degree of uniformity is imposed, making subsequent management easier.

If compliance compels you to have your data hosted on site, an appliance can be installed on your premises.

The Vodafonemodus operandi is to employ inline systems. These sit between the caller and the recipient. They interrupt the communication and then duplicate it, sending one copy to the receiver and another copy to the call recording system.

According to Vodafone, the extra time added on for the incremental call to be generated is two seconds. Using the same principle for inbound calls is harder. Software has to be installed on every handset, that diverts all incoming calls back to the VMR (Vodafone mobile recording) server (on which the call will be recorded). The VMR server then has to call your handset back again. (The handset’s software has a way of making the handset available for a call, but only from the VMR server. For everyone else it is effectively engaged!)

While waiting for the link to be initiated, the user is played a recording that apologises for the delay and warns them that all calls are being recorded.

BT’s Mobile Device Recording Quick Start will help financial institutions assess the capabilities of their current mobile processes and infrastructure. It will also identify how to improve current capabilities to deliver a service that is aligned to the new regulations.

Don’t Underestimate

Achieving compliance against this new regulation is going to be extremely complex, claims Larry Tabb, founder and CEO, Tabb Group. “The current voice architecture, trading turret infrastructure, mobile device type, security policies and employee’s role will all have a bearing on the type and design of the solution.”

At the moment there are no mature solutions available that provide a completely compliant solution out of the box, he advises. So bear in mind, there are no easy answers!

Get it working – get user acceptance

Justin Kimber, BT Global Services portfolio marketing manager for its global banking and financial markets division, says CIO’s main priority should be to find a workable system to beat the deadline. You can worry about the cost per user later – first you need to find a system that works for you.

“The user experience is the most crucial aspect of voice recording,” says Kimber, “many clients of big banks aren’t going to be impressed by having a period of silence on their call.”

The big banks are all experimenting now with various trial systems, he says. The complication to look out for is where users rely on their smart phone for Internet access. “If this is locked down, it could affect the user experience,” says Kimber.

Security

Nothing is ever 100 per cent secure but tamper proof mechanisms can highlight potential anomalies. These will help you compare the original and retrieved copies and examine if they are identical or if one has been changed in some way.

The acid test for the recording is do they stand up in court as evidence. The flaws in some systems could be used by a defence counsel to disallow recordings as forensic evidence.

Learn from the Norwegian Pioneers

The good news is that the UK is not pioneering these systems alone. We can learn from the Norwegians, who are ahead of us and had a deadline of May 1st. There will now be a good supply of knowledgeable Scandinavians on the market with invaluable project experience.

The priority is to get a working system in place for November 14th. After that you will have time to re-engineer the system. As Kimber says, “Get compliant. Then get elegant.”

Revolting Users

Finally, be prepared for a revolt. Many investment firms banned the use of mobile phones on the trading floor. Once your users discover that mobiles are covered by FSA regulations, you might find that traders start demanding to be allowed to use their mobiles.

MORE INFORMATION

http://www.fsa.gov.uk/pubs/cp/cp10_07.pdf