Warning: Regulation Ahead!

James Foley, VP of Customer Experience at Resilient, says the telecoms industry is transitioning from a service provider to an infrastructure provider and is coming under greater scrutiny as a result. He explains his views to Editor Ian Hunter.

Comms Business Magazine (CBM): So how did the telecoms industry get so complicated?
James Foley (JF): The telecom industry has undergone countless transformations over the past 30 years. Pay phones, collect calling services, pre-paid calling cards are now quaint throwbacks from the past. Now it’s all about VoIP and over-the-top services, like WhatsApp and Google Hangouts. Voice is being monetised as yet another data packet companies tag onto their high-speed channels, as opposed to a channel in its own right.

The rate of change makes the task of overseeing a company’s telecommunications requirements quite complicated – particularly if the company in question is a financial services firm. Why is this? Because on 3rd January 2018 MiFID II (The Markets in Financial Instruments Directive) will officially land, to significant fanfare. MiFID II is a regulatory beast and will demand a considerable overhaul of the financial services industry. Anyone who provides services linked to financial instruments will need to take note. In readiness, most Independent Financial Advisers (IFA) owners are in the throes of conducting a root and branch review of how they run their businesses.

CBM: In this instance what are the imperatives?
JF: Amid the mass of detail is a command to capture, record and store all communications that intend to lead to a transaction. It’s a relatively small detail in an otherwise very extensive regulatory framework but the ramifications are significant. It can be implied, from just one page of the 150-page document, that MiFID II is instructing companies to record all conversations related to a deal, including exchanges over a personal mobile phone and from face to face meetings. When you consider the mass of data that companies will need to store and protect, it’s clear that using a cloud service will be the only option.

Now most companies have caught the cloud bug. Gartner recently predicted that by 2020, a corporate ‘no-cloud’ policy will be as rare as a ‘no-internet’ policy is today. But the financial services industry has been the most conservative adopter to date. When it comes to MiFID II this will need to change. Gartner has already debunked the cloud security myth, explaining that the cloud itself is secure; the real challenge is using cloud services in a secure manner.

CBM: So can we expect more regulation that needs compliance?
JF: Yes. GDPR (General Data Protection Regulation) – another European piece of legislation with teeth. Just as MiFID II beds in, GDPR will be coming into force (25th March 2018).

GDPR takes a far more unforgiving stance on companies that fail to protect individuals’ data – compared to its antecedent, the 1998 Data Protection Act. Under GDPR, breached organisations can expect fines of up to 4% of annual global turnover or €20 million – whichever is greater. For many businesses, this could spell insolvency and even closure.

When you combine GDPR and MiFID II – it’s clear that all recordings will need to be considered within the context of preventing intrusions into privacy – which on the face of it, seems like a bit of a paradox.

On the one hand, financial services companies now need to hold more data about customer transactions than ever before – this will increase the likelihood of inadvertently mislaying it or leaking data. On the other hand, they need to be extra vigilant about protecting their customers’ data. With GDPR, they’d probably rather curtail the amount of data they collect, rather than amass more.

The overlap between GDPR and MiFID II muddies the waters somewhat. MiFID II stipulates the recording should be stored for five years, GDPR is vaguer and simply states that personal data shouldn’t be kept for any longer than needed. It’s not clear whether five years would be deemed too long for a simple telephone conversation that didn’t lead to a transaction (but might have done). While we might assume the right hand knows what the left hand is doing, I’m also mindful that assumptions often lead us down the wrong path.

Fortunately, we have the right technology at our fingertips to counter this uncertainty. By striving for absolute security, businesses can mitigate the risk. For instance, by using a cloud-based voice recording solution that encrypts data in transit, as well as at rest, and then organises, indexes and stores the data in an impenetrable online vault, nothing is left to chance. Businesses can access an infrastructure which far exceeds their own, in terms of sophistication and resilience.