Fences in the Cloud: Some Data Requires Exclusivity

The "virtual data room" has been a staple of commercial banks and capital markets firms for much of the past two decades. These locked-down, secured networks allowing third parties to share sensitive client information via electronic documents became the norm for handling syndicate loans, initial public offerings and mergers-and-acquisition discussions.

But perhaps it was all just a warm-up act for the technology of the cloud-based, post-Dodd-Frank world of finance.

In the cloud, which is intended to make everything more widely accessible, banks have an interest in building better fences around nonpublic records that are only meant to be seen on a need-to-know basis. Also needed are auditable trails proving to clients and regulators that private data remains uncompromised as it traverses the cloud.

As a result, more banks are looking to outsource work to so-called communications-as-a-services (or "CaaS") providers, which can better police the distribution of sensitive client information.

"A number of banks I've talked to have people that are emailing [their data] around," says Wade Callison, senior vice president of product marketing for IntraLinks, a CaaS software firm based in New York best known for its virtual data room services for financial, pharmaceutical and other industries.

"What they're realizing is that's not a particularly good way to get sensitive information, because they can't show the chain of custody and who's liable if that gets out once a person hits send."

Recent, novel uses of CaaS services include the distribution of classified stress-test data to Federal Reserve monitors, as well as the submission of closely guarded data that ratings agencies must share with regulators and clients.

New York-based Centerboard Group, a three-year-old boutique merchant bank with $500 million in assets under management, has relied on CaaS tools to monitor real estate and petroleum-sector deals for high-net worth clients as well as the firm's own investments.

Michael Phipps, a Centerboard managing director, says the company could use any mass-market, collaborative software tool like Dropbox or Google Drive, "but I'd rather spend a little more up front because of the value you get ... on the security side and on the ability to easily and readily set up which users should have access to what documents."

Most collaborative software is not yet known "for any type of granular controls" that would allow for tracking not just where users go but what they view, according to Robert Mahowald, with research firm IDC.

This has left an opening for CaaS providers (IntraLinks, Microsoft, and Oracle among them) to turn some of their collaboration technology into higher-purpose document management tools. As Phipps notes, knowing who is accessing what lets firms see how their collaborators (or counterparties) are thinking, based on "what document they are viewing, how often they are viewing it and how often those individuals in the data room are going through it."

In the back offices of major commercial banks, there already sits a widely distributed workforce collaboration platform-Microsoft's SharePoint-that's used to pass around sensitive electronic documents. The Web-based software is fine for limiting the audience internally at an institution, allowing only accountants or risk management teams, for example, to eye a corporate client's private data.

But SharePoint has its limits. It is simply not built to lock down data shared with a third party that may have its own collaboration system built around completely different team structures, Mahowald says. A bank's SharePoint administrator would have a tough time monitoring usage by an outside party.

IntraLinks has observed more companies using CaaS to segregate the audiences for public and nonpublic corporate data-which often is as simple as having end users confirm their own access level since most accountants or legal teams know whether they are allowed to see certain data. The CaaS system will know what to feed them and what to exclude, and provide a trail of who saw what.

While subscription fees or meter-based usage of the software may cost more per user for individual transactions, overall savings can be had by saving on the maintenance of an internal data repository and governance system.

And that's not even considering all the other risks, which Callison notes is expanding alongside the paradox that banks face-the growing demand by clients and regulators to keep a lid on proprietary data while business is increasingly moving into more collaborative, and open, environments.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER