Mobile Compliance Audits: Demonstrable Regulatory Enforcement
Banks understand security and controls. They more than understand the need to protect market sensitive information and prevent market abuse. In fact, financial firms spend millions each year to secure emails, conversations and access to MNPI. Moreover, banks regularly review their risk profiles to make sure that the security net around their sensitive infrastructure is as tight and as updated as possible.
One big security concern, however, keeps slipping through the net, regardless of what is reported to the regulators. This regulatory fugitive is the personal mobile device, which currently leaves firms vulnerable and exposed to a long list of security risks and threats, with undetectable burner phones facilitating market abuse as a prime example.
What is puzzling here is the fact that the financial sector recognised the problem of personal mobile devices over 10 years ago. Yet for some reason, neither the banks nor the regulators seem to have an interest in enforcing actual controls beyond the desktop policy exercise, so that the regulation becomes meaningful in practice rather than on paper.
In the UK and the EU, the regulators say that a firm must take all reasonable steps to prevent an employee or contractor from making, sending, or receiving relevant telephone conversations and electronic communications on privately-owned equipment which the firm is unable to record or copy (FCA’s SYSC 10.A.1.7 in the UK).
It’s fully understandable that 10 years ago, an internal desktop policy exercise with relevant signage (‘No Mobile Phones’) was considered a reasonable and acceptable control measure for managing personal mobile devices on regulated trading floors. This was primarily because firms had no access to alternative control measures, such as the automated technology provided by Mobilewatch that monitors the use of mobile devices.
In 2021, when technologies that monitor the use of mobile devices indoors and position their users are available, a desktop policy exercise alone can no longer be considered reasonable. Whilst the indoor positioning technologies currently on the market are not yet ‘turn-key’ solutions, the Mobilewatch technology comes closest to enforcing the basic yet auditable policy requirements for the use of mobile devices in firms’ regulated areas.
On the one hand, the Covid-era banking world seems to be very aware that the problem [of personal devices] exists, and firms seem excited about addressing this tech problem with technology. So this should be a problem-solved situation, where the regulation is enforced as originally intended. On the other hand, we are dealing with ‘this is not a priority’ and ‘the regulators are not really asking for this’ scenarios.
The culprit seems to be the FCA’s Consultation Paper from 2010, which said mobile phones and mobile communications were excluded from the Taping Rules because the technology to capture these communications was insufficiently developed. The simple wake-up call here should be that this was 11 years ago, and this outdated statement no longer stands: the technology to manage mobile devices and deliver compliance in restricted areas is now here.
The best and most effective starting point for actually seeing what’s happening on your trading floors is to audit the mobile device usage in that space. Mobile Compliance Audits are a unique and effective way to rapidly establish the extent of unauthorised mobile and IoT device usage in restricted areas. These audits are designed to give financial organisations a snapshot of their firm’s compliance with the FCA’s SYSC (10.A.1.7) and to demonstrate it with auditable evidence. It’s the perfect next step for demonstrating to regulators, consumers and the markets that the firm is moving away from antiquated desktop-led policies to address a complex technical problem.
Mobile devices are here to stay, and the technology to monitor their use is advancing every day. What the financial world needs to wake up to is the unchanged risk that the simplest way to circumvent all existing controls is to use a burner phone, apologies – a personal mobile phone.