Creating a golden source that provides consistent identification and tagging against banks’ personnel, and that can then be used across all relevant datasets, will enable more effective integrated surveillance practices – that meet regulation.
As banks work to build genuinely integrated surveillance, and regulations such as the UK’s Senior Managers and Certification Regime (SM&CR) put increasing emphasis on individual accountability, compliance functions need to find better ways to identify employees and all actions associated with them across numerous surveillance systems and disparate datasets.
Ask any top-tier bank who controls the organisation’s so-called ‘golden source’ of core company data – including historical reporting lines and personnel information – and around four hands will shoot up, says SOTERIA founder and CTO Rob Houghton. Rarely will all four of these versions match each other exactly. The various order management and voice-recording systems that banks rely on also often assign tags or names to bank employees in formats that other systems do not recognise.
This makes the task of integrating different surveillance systems, so that individuals can be accurately risk-profiled with a degree of efficiency, almost impossible. Demonstrating to regulators that obligations such as those set out in SM&CR are being met similarly becomes far more difficult.
A common framework
A key first step, therefore, for any bank looking to integrate its surveillance, is to create a single golden source – either with in-house tech teams or in partnership with external solution providers – that exists in a highly secure, immutable form and that tags employees and their functions in a consistent way. This can then become a common framework that wraps around all applications responsible for capturing or interrogating data, while ensuring the bank has a 360-degree view of all surveillance risk indicators associated with each employee, Houghton argues.
If, as an example, a market abuse system flags a potential problem connected with an individual at the bank – who in the created golden source has their own unique entity number or other marker – all other surveillance systems can then immediately be interrogated for data relating to that individual for further investigation; anomalies may include who the individual has been speaking to and how frequently, what mediums they have communicating through, and indeed whether those parties have had any direct connection with recent trades.
Using a golden source in this way also gives banks more flexibility in terms of growing, shrinking or otherwise changing the pool of vendors it works with. “If you have a framework or common source that every surveillance application draws from, it doesn’t matter whether you constantly chop and change your voice-recording systems, pick up a new zoom capture or start capturing WeChat,” Houghton notes.
Audit trail for regulators
Creating and using a golden source has multiple other benefits for a business, not least in terms of producing an audit trail for regulators.
SM&CR, for example, requires banks and a growing pool of financial market participants to retain more detailed records, for a longer period of time, and in a compliant fashion. Banks, therefore, need instant visibility into the historical organisational structure of the business, as well as the ability to connect any actions at a specific point in time with the employee or entity responsible for them.
For this to work, however, every solution that the bank relies upon must time-stamp actions in exactly the same way. “Whatever architecture you come up with, you still need to be able to press a button and understand who had what role, with what risk, at any point in time, and know that any activity was accurately recorded, complete with a time-stamped audit trail,” Houghton says.
“Imagine you’re a compliance officer based in London, investigating someone in Dublin who you’ve never met and who worked at the bank five years ago,” he notes. “How do you demonstrate under SM&CR that appropriate controls and functions were followed? Where’s all the accurate supporting documentation around that?”
One of SOTERIA’s capabilities is to offer software to banks that effectively acts as a golden source. This enables the normalisation of all data sets connected with various systems in the organisation so that compliance can show regulators who was in a specific position within the bank at a certain point, along with a timeline of their every activity and communication.
“What we do is give you a framework – an immutable ledger that allows you to go back to any point in time and shows you any risk that was associated with an individual and which processes were followed, so you can demonstrate this to regulators,” Houghton says.
Protecting the future
“The golden source is the key to everything,” Houghton concludes. “Once you’ve built that, everything is so much easier. Because at that point, you’re not just planning for today – you’re future-proofing your business for years to come. You’re mitigating your risk, reducing your costs and also protecting your senior managers.”