CAN THE FINANCIAL SERVICES SECTOR MAKE BYOD STRATEGIES WORK?
By Paul Liesching
The banking crisis of 2008 brought with it the challenge of reduced revenues and increased costs for many businesses in the financial services sector. Now, in a recovering – but still challenging – marketplace, senior management is seeking ways to differentiate its business from competitors. Harnessing the latest mobile technology to reduce costs and improve their image is just one way banks have been making their mark.
Enterprise mobility is appealing for a variety of reasons, including reduced cost, flexibility, workforce management and competitive edge, but it must be handled in line with regulation. New regulations, such as the Dodd-Frank Act in the US, have presented new and complex compliance challenges for enterprises managing mobility.
How does mobility change things?
Imagine this everyday work environment: a trading floor assistant advising his or her client and ultimately securing a transaction. How does a company ensure this trade is conducted within relevant guidelines?
Firstly, a set of guidelines for that market is provided by the local regulator and translated into a set of compliance policies that the trader must adhere to.
Secondly, controls are put in place to ensure this policy is followed. In the example above, the control would ensure the advice and subsequent transaction are recorded for possible investigation later. Any IT control which captures business communications must also be secure: it must protect against data leakage, while granting access to regulatory and compliance departments so they can monitor and retrieve relevant records.
Historically, this mixture of policy-making and IT controls has led to compliance systems being tightly controlled by corporate IT departments. This worked well when the workforce was more static and desk-based, with landlines on the trading floor being directly recorded. However, with the proliferation of mobile technology, that is no longer the case.
As banks harness the benefits of enterprise mobility, meeting compliance regulation becomes a significant challenge. Consider the previous example in a mobile setting: how would an organisation ensure policies are adhered to? There is not even a single international body to advise on this.
For the last 10 years, most businesses with any mobility have left IT departments in control of devices, access, plans, licences and beyond. When BlackBerry dominated the business mobile market this was achievable, although costly, but now the device and network choice is huge.
Alongside these market changes, regulations have also evolved. Regulations which once called for the taping of phone calls and archiving of emails now cover all forms of electronic communications. Corporate IT, which historically focused on email retention, now faces new challenges.
New legislation has forced regulated corporations to act in one of the following two ways:
- Start capturing all electronic communications, including phone calls and messaging from mobile devices, and establish compliance policies that enforce the use of corporate-owned and controlled mobile devices.
- Ban the use of mobile devices for business entirely, forbidding staff from conducting business on any device which sits outside current corporate recording capabilities.
The second approach is obviously less than ideal and sends a very negative impression to customers, counterparties and the workforce. A business that doesn’t support mobile communication is unlikely to succeed in an increasingly connected world.
With reports of rule-breaking on the rise, approaches that ban staff from using multiple or mobile devices are unlikely to remain a viable strategy.
Additionally, banning mobile usage for business fails to meet the expectations of customers and employees in the wider market. Firms that respond to their regulatory responsibilities by refusing mobility altogether find themselves at odds with market trends and will struggle to attract new talent or customers as a result. Those people will inevitably migrate to competitors who are easier to do business with.
Instead, it’s through the proliferation of user-friendly devices that businesses can best tackle current regulation. Bring-your-own-device (BYOD) strategies offer an opportunity to meet employee expectations while enabling better business and meeting evolving regulations.
Approaches and solutions
From a compliance perspective, there are two types of people in any financial institution – those in scope (in a regulated role) and those not in scope (unregulated). However, it’s not as simple as defining a policy which provides company-owned devices for the 10 per cent of employees in regulated roles, and enabling everyone else to bring their own devices. This is because financial services firms are obligated to protect customer data. They retain the right to examine employee devices when an incident occurs, but it’s often difficult to establish with 100 per cent certainty which employees have access to customer data.
As institutions look at making the enterprise more mobile, they increasingly want to split employees using mobile technology into two groups:
- Corporate owned or liable
- Personally owned or liable
With regards to personally owned mobile devices, Steve Maytum of High Directions, a consultancy specialising in mobility, explains: “The move to personal ownership is fine in principle, but employees often raise objections to being moved into this group.”
Steve works with many banks in these areas, and frequently hears objections from users such as: “I am customer-facing and I’m not allowed to publish my personal mobile number on my business card” and “I’m always travelling overseas, so I will have to pick up large carrier bills”. For reasons such as these, some employees flatly refuse to use personal devices for work.
Companies may believe that they can move all employees to a BYOD strategy by simply implementing a Mobile Device Management (MDM) platform. However, Gartner predicts “By 2016, 20% of enterprise BYOD programs will fail due to deployment of mobile device management measures that are too restrictive”.
Some organisations use more sophisticated approaches to data security, with corporate data stored in a ‘container’. This involves encrypting and isolating the data within a dedicated app on the device, rather than securing the device itself. This addresses some of the compliance obligations around protecting data, but leaves others unanswered, such as large carrier bills or which mobile number to put on business cards. Nor does a container on its own satisfy the recording obligation described earlier: calls and messages made through the device’s native dialler and messaging apps sit outside it, so they still need a separate capture mechanism.
In the end, the market will continue to see a combination of corporate and personally-owned devices in use. But with mobile recording solutions quickly becoming cost-effective and favoured by many banks, the trend towards institutions providing a greater number of employees (including those in unregulated roles) with devices will rapidly gather momentum. Device technology and lower-cost carrier offerings are also evolving to meet this need.
Paul Liesching is the Director of Enterprise Partners and Solutions at Truphone, the global mobile network without country borders