Why isn’t personal mobile comms on trading floors a residual risk?
The world of corporate mobile communications is resolutely moving towards the BYOD culture embracing the future single-device policies that empower hybrid working. Gone will be the days of the compulsory two phones, clearly separating the work and personal communications. Instead, you will be using the work container on your personal device for all your business communications, and the rest of the device stays for personal use.
This change is driven by three factors, convenience, cost, and hybrid working. For mobile communications in regulated areas such as trading floors this means a complete revision of controls and surveillance measures. Now, instead of a separate work device for regulated personnel, trading is also possible on a personal device – through a controlled work container.
This however doesn’t mean that the risk of traders using their personal devices for sharing market sensitive information has been reduced or that the banks have now better controls over bad actors in personal comms space. From the compliance and security perspective, we must be crystal clear that a controlled work container on a personal mobile does not cover the risk of business comms happening in unmonitored environment.
On the contrary, the single-device BYOD policies combined with the lack of detailed back-end understanding of how mobile devices operate, threaten to create an illusion of a control and a false sense of security over communications through personal devices. BYOD doesn’t solve the problem of unapproved personal devices on trading floors but adds another layer of complexity making the problem less obvious on surface. This is already starting to happen as some banks re-regard the personal device surveillance as a residual risk.
We must be clear that any communications on a personal device in a regulated area should not be regarded as a residual risk. There are simply two types of risks associated with personal devices, and both should be addressed equally:
- Communications on a personal device inside a controlled work container
This is usually a well-controlled environment where banks have lots of different security measures in place. However, no right-minded bad actor will use this to perform insider trading or any other form of market abuse.
- Communications on a personal device outside a work container, in unmonitored personal space.
Now this is the Wild West that banks prefer not to talk about and park it as a residual risk. Yet this unmonitored environment poses the greatest compliance and security risk for all regulated trading environments. Why? Because people know there are no controls, and bad actors can get away with almost anything under the pretext of privacy and data protection.
Knowing what mobile devices are capable for, I would argue that any communications that takes place outside the work container on a personal device is a far greater risk than all other controls on trading floors combined. Personal mobiles continue to be a widely open security gap that the current regulated risk community has chosen not to address. The situation today is exactly like having the most advanced security systems in your building but leaving the doors unlocked.
Mobile devices are quick, always online and can be hacked into, not to mention the threat of connected devices that nobody monitors. Cameras and microphones on our phones enable fast and undetectable recording and transmission of MNPI (material non-public information) within seconds. All this should raise hundreds of alarms but instead it has created a false sense of security and illusion of control.
It’s obvious that the world is changing and whilst we may always not agree with the new technology or new ways of working, the risk and surveillance community should keep their risk taxonomy on par with those changes as also stressed in the latest FCA Market Watch 69. For now, a very few forward-thinking banks seem to understand the full set of risks associated with personal mobiles on regulated trading floors.
Further information on a new market-changing technology solution is available only at Mobilewatch. Book your demo now.
Published: 24 May 2022
Author: Raili Maripuu