OCC Frowns on Self-Deleting Messaging Systems at Banks

WASHINGTON — A new conundrum is emerging for cybersecurity-conscious banks: Well-protected information can also be an unwelcome obstacle for regulators.

On Wednesday, the Office of the Comptroller of the Currency sent out guidance to remind banks that its examiners need "timely access to bank records," and warned against encryption programs that quickly self-delete messages sent by bank personnel.

The guidance specifically refers to communication platforms that are encrypted or "have touted an ability to 'guarantee' the deletion of transmitted messages ... within a relatively short time frame."

Banks have demonstrated a growing interest in encrypted communication software. In September several large banks teamed up to create Symphony, an encrypted messaging program that initially emerged from Goldman Sachs.

By the following month at least five major banks had agreed to store records of their Symphony communications at the request of the New York State Department of Financial Services, which also issued guidance on banks' use of the program.

But the bulletin from the Comptroller's Office was not prompted by any one program or incident, OCC spokesman Bryan Hubbard said. "There was not a catalyzing event that prompted the guidance," Hubbard said. The bulletin was issued "in light of increased use of instant messaging and other communication tools."

Symphony's technology does not obstruct regulators, because each bank holds the decryption keys for its own messages, Symphony spokeswoman Samantha Singh said. "If a regulator wants information about a bank, they can go directly to that bank for the decryption key to access that information."

Under these conditions, the guidance should not give banks second thoughts about encryption, said Susan Orr, a cybersecurity consultant in Illinois. "If it's encrypted, they need to give it decrypted to" examiners.

But message deletion is likely to be interpreted differently, Orr said. "By implementing that type of deletion of the information, it would be more [about] hiding it" than protecting the information from wrongdoers.

Still, regulatory access is another thorn in the side of financial institutions as they struggle to modernize and secure their operations.

"While promoting efficiency and, presumably, effective management," the use of new electronic communication tools "perhaps increases the burden that an institution is putting on itself," said Kevin Petrasic, a partner at White & Case. "It's sort of two additional headaches. ... Institutions have the responsibility both to make sure that the information is secure, but also that it is available to the regulators."

And as banks are forced to digitize more and more of their infrastructure, these difficulties are not likely to disappear anytime soon.

"There's a tension between the access supervisors need and the protections that everybody wants against hackers and other types of bad actors," an industry source said. "The technology is always evolving. What works now is probably going to be adjusted as things move forward."

Banks would do well to establish clear policies on acceptable communication tools among their employees, said Petrasic. "They have to be mindful of the fact that they can't just suddenly start using a Snapchat."

MORE FROM AMERICAN BANKER