Mobile Recording regulations - CIOs must be prepared

1 2 Page 2
Page 2 of 2


How to do it

Call recording can be hosted or conducted on your own site. Hosted calls are routed through and stored on a hosted server. Call recordings are accessed by logging in to a secure portal.

The advantage of the hosted option is the flexibility if offers. You need to get a workable system in place now for the deadline and then adapt and improve upon it later.

Hosting frees you from the pain of purchasing, installing, maintaining and upgrading additional hardware. It'll liberate more of your budget too.

Onsite or Offsite?

Some vendors say that to remain compliant under the FSA regulations, the data should be stored on the premises of the company that owns it, with a back up set of data offsite.

Not necessarily, according to the FSA. "We haven't actually specified whether or not it has to be done centrally or hosted," says Jocelyn Macafferty, FSA's Investments Policy Department, "[you are covered] provided your firm can retrieve a record on request."

Methods of Recording

The only way to ensure all calls are recorded, both in and outbound, is to re-route all calls. Ensuring that every call is diverted into a recording system is very hard to achieve, says Vodafone.

There are three different options for methods of mobile call recording. Some methods are very fallible, some expensive and some convoluted.

With the first type of call recording system, your users need you to call a number, input the number you want to call and a system then calls you back when the call is established. These systems can be painful (for users) and expensive for the company.

Some alternatives work by installing client software on the user's mobile phone. This is the system adopted by Vodafone Global Enterprise. These systems are restricted to a specific phone manufacturer. Vodafone offers services for Blackberry and Symbian users today. Its Android and Windows phone versions are to come later.

Security bypass

Another weakness of this method is that the application can be potentially manipulated by the user. It is also susceptible to compatibility issues if the phone software is upgraded or another app added that introduces a conflict.

The third method of initiating mobile recording needs no software to install on the handset. A user makes a call as normal and the recording is set to always-on within the network so it cannot be manipulated - this is normal for compliance.

Call recording specialist Anvil uses this system. It says no software is needed on the mobile phone and it promises to be more open, since almost all mobile phone makes and models can be used.

However, the users' phones need to support 3G and to be unlocked, as the service is delivered using a replacement USIM card with a choice of either a geographic phone number or a traditional mobile number.

One of the security bonuses of this system, where all calls are recorded from within the network, is that individual users cannot switch off recording or interfere with the process. Arguably, this provides tighter control and avoids users manipulating how and when calls are recorded. The time and date of every call is determined by the network, not the user device, so a degree of uniformity is imposed, making subsequent management easier.



If compliance compels you to have your data hosted on site, an appliance can be installed on your premises.

The Vodafonemodus operandi is to employ inline systems. These sit between the caller and the recipient. They interrupt the communication and then duplicate it, sending one copy to the receiver and another copy to the call recording system.

According to Vodafone, the extra time added on for the incremental call to be generated is two seconds. Using the same principle for inbound calls is harder. Software has to be installed on every handset, that diverts all incoming calls back to the VMR (Vodafone mobile recording) server (on which the call will be recorded). The VMR server then has to call your handset back again. (The handset's software has a way of making the handset available for a call, but only from the VMR server. For everyone else it is effectively engaged!)

While waiting for the link to be initiated, the user is played a recording that apologises for the delay and warns them that all calls are being recorded.

BT's Mobile Device Recording Quick Start will help financial institutions assess the capabilities of their current mobile processes and infrastructure. It will also identify how to improve current capabilities to deliver a service that is aligned to the new regulations.

Don't Underestimate

Achieving compliance against this new regulation is going to be extremely complex, claims Larry Tabb, founder and CEO, Tabb Group. "The current voice architecture, trading turret infrastructure, mobile device type, security policies and employee's role will all have a bearing on the type and design of the solution."

At the moment there are no mature solutions available that provide a completely compliant solution out of the box, he advises. So bear in mind, there are no easy answers!

Get it working – get user acceptance

Justin Kimber, BT Global Services portfolio marketing manager for its global banking and financial markets division, says CIO's main priority should be to find a workable system to beat the deadline. You can worry about the cost per user later - first you need to find a system that works for you.

"The user experience is the most crucial aspect of voice recording," says Kimber, "many clients of big banks aren't going to be impressed by having a period of silence on their call."

The big banks are all experimenting now with various trial systems, he says. The complication to look out for is where users rely on their smart phone for Internet access. "If this is locked down, it could affect the user experience," says Kimber.

Security

Nothing is ever 100 per cent secure but tamper proof mechanisms can highlight potential anomalies. These will help you compare the original and retrieved copies and examine if they are identical or if one has been changed in some way.

The acid test for the recording is do they stand up in court as evidence. The flaws in some systems could be used by a defence counsel to disallow recordings as forensic evidence.

Learn from the Norwegian Pioneers

The good news is that the UK is not pioneering these systems alone. We can learn from the Norwegians, who are ahead of us and had a deadline of May 1st. There will now be a good supply of knowledgeable Scandinavians on the market with invaluable project experience.

The priority is to get a working system in place for November 14th. After that you will have time to re-engineer the system. As Kimber says, "Get compliant. Then get elegant."

Revolting Users

Finally, be prepared for a revolt. Many investment firms banned the use of mobile phones on the trading floor. Once your users discover that mobiles are covered by FSA regulations, you might find that traders start demanding to be allowed to use their mobiles.

MORE INFORMATION

http://www.fsa.gov.uk/pubs/cp/cp10_07.pdf

Copyright © 2011 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 secrets of successful remote IT teams