The spread of instant messaging (IM) in the financial services industry is causing compliance and technology problems for sysadmins who must not only monitor and archive electronic communications but also root out and shut down unauthorised IM services.
Many IT units are having difficulty managing a plethora of IM systems that were installed without their knowledge and are used for both personal and important business communications. User objections to IT's efforts to rein them in add another layer of problems.
Thomas Weisel Partners tried to shut down the use of AOL's Instant Messenger, Microsoft's MSN Messenger and Yahoo's Yahoo Messenger in September 2001. However, user pushback forced the company to adopt monitoring software instead.
"It comes down to some of our institutional customers who required IM as the method to communicate with them," said Beth Cannon, former chief technology officer and now chief security officer at the institutional brokerage.
The brokerage installed IM Auditor from FaceTime, which runs on an internal server and monitors IM traffic, flagging any banned words or phrases while archiving all messages. More vendors of all sizes are scrambling to build software to monitor IM for financial firms, which must meet new government regulations requiring that electronic conversations be monitored and recorded. Among them is Stellar Technologies, which this week released a content-blocking tool.
Two years ago, IM monitoring was almost non-existent. Now it's a key IT function of most banks and brokerage houses on Wall Street, according to research firm TowerGroup. "If they've got IM, they're logging. I can't think of a situation when I've gone into a bank and they're not logging," said Jeremy Condie, senior vice president in charge of business strategy at Thomson Financial.
Thomson, a provider of financial information to banks and money management firms, offers IM management services to clients based on a monitoring tool from IMlogic. Most IM monitoring products are gateway devices that sit on the network and monitor all incoming and outgoing messages. Some contain policy engines that search for keywords and alert managers to unacceptable conversations.
Marcelo Sciurano, MIS director at brokerage firm Libra Securities, said his firm chose an IM monitoring and archiving service from Stellar based on cost and maintenance features. Each quarter, Stellar sends CDs to Libra containing all IM traffic data for that period. Libra's security officer then performs keyword and phrase searches of the traffic.
"If we didn't have to deal with it, we'd be happier," Sciurano said. "But the SEC and National Association of Securities Dealers require it."
Many small banks and brokerages and even some large ones have yet to establish policies for internal IM use, despite the difficulties firms face in managing IM, said Sophie Louvel, an analyst at Financial Insights.
Efforts to institute a standard enterprise-class IM product, such as IBM's Lotus Sametime, Microsoft's .Net Messenger and Jabber's Messenger, rarely work because the more popular systems are used to communicate with customers.
"I've spoken to bank and IT managers, where they found across a global firm 10 to 20 IM applications in different guises. They've spent a lot of time whittling that down to a handful," Thomson's Condie said. "Each pocket in a bank puts their arms up and says, 'Our community is using this, otherwise we're out of touch with our client base.' "