NYDFS's platform protocol for big banks; the details

Chris Hamblin, Editor, London, 23 June 2016

Last year, the New York State Department of Financial Services obliged a group of big banks to sign an agreement regarding the use of a new chat and messaging platform. Such agreements are likely to become more commonplace.

The platform goes by the name of Symphony Communication Services and came into operation in September. The regulator imposed the same requirements on Goldman Sachs, Deutsche Bank, Credit Suisse and Bank of New York Mellon. The NYDFS had recently expressed concerns that certain features of Symphony, such as its promise of 'guaranteed data deletion,' could hinder regulatory investigations on Wall Street.

The Symphony platform uses end-to-end encryption and this is a problem for investigators faced with challenges such as the recent Libor or FX cases. In addition to its current retention of messages as required by law, Société Générale and the others agreed to the following.

Before using or expanding the use of the Symphony platform, the bank will require Symphony to maintain copies of all e-communications sent through the platform to or from Soc Gen for at least 7 years.
For encrypted messages, the bank will store copies of the associated decryption keys with an independent custodian, i.e. one that it does not control, and will give the regulator that custodian's name.
Due to the evolving nature of technology and cyber-security, after a period of no more than five years from the date of the agreement, the bank and the regulator will "discuss in good faith the impact of such developments on this agreement to determine whether any modifications are appropriate."

Why the banks signed remains a mystery; the regulator is silent on the subject. It does, however, imply that they have little choice in the matter; its website proclaims that "any DFS-regulated institution that is considering using the Symphony platform should ensure that the entity’s anticipated use conforms to the standards included in the agreements."

The NYDFS is trying to persuade the Financial and Banking Information Infrastructure Committee to help make the cybersecurity regulations of all the financial regulatory agencies in the United States converge. The aim is for entities that straddle different regulators to follow the same fundamental guidelines when developing cybersecurity policies and practices. The members of the infrastructure committee are all organisations, namely the US Treasury, whose representative chairs it, the American Council of State Savings Supervisors, the Commodity Futures Trading Commission, the Conference of State Bank Supervisors, the Consumer Financial Protection Bureau, the Farm Credit Administration, the Federal Deposit Insurance Corporation, the Federal Housing Finance Agency, the Federal Reserve Bank of Chicago, the Federal Reserve Bank of New York, the Federal Reserve Board, the National Association of Insurance Commissioners, the National Association of State Credit Union Supervisors, the National Credit Union Administration, the North American Securities Administrators Association, the Office of the Comptroller of the Currency, the Securities and Exchange Commission and the Securities Investor Protection Corporation.

The NYDFS, whose new head, Maria Vullo, has just been appointed by the New York State Senate on the recommendation of Governor Andrew Cuomo, regulates more than 1,500 insurance companies and nearly 1,600 banking and other financial institutions. She has admitted that her job is a tough one, not least because some banks are failing to keep far more solemn promises than the cyber-security agreements. On the sidelines of a recent conference hosted by Exiger, the financial crime compliance firm, she admitted to Reuters that some institutions that had already settled allegations of misconduct with the NYDFS were obdurate in wrongdoing and not living up to the terms of their settlements. She said that monitors (of which Exiger is one) had discovered that the banks, which she declined to name, were breaking their agreements intentionally and, in some cases, indulging in improper foreign exchange trading practices. She added: “Some of the discoveries are very troubling. There could very well be enforcement actions.”

Already, as a matter of public record, one monitor has found that HSBC Holdings Plc has not been fulfilling all its anti-money laundering promises in the wake of the $1.9 billion fine it was awarded by several US agencies in 2012. If this is how the NYDFS and other agencies are enforcing their decisions, the less important cyber-security agreements might not count for much after all.
