
Surveillance in the Cloud? Who pays?

Despite the high-profile acceptance of Cloud by any number of financial institutions, when it comes to the surveillance use case, things become a little more challenging.

One bank that has moved from an on-prem to a Cloud solution in its e-comm and voice surveillance capabilities points out that while alert quality has gone up, the move “presents a whole myriad of different data security issues, given the content of what it is you're capturing, storing, and ingesting. Add in the governance processes of different kinds and it is painful to put it mildly. And while it may be scalable, it’s not as flexible as people thought.”

But the real challenges are around money. Who would have thought?

“On the trade side, we've migrated to an open cloud environment. So, it should give us greater access, easier access, scalable access, to all the myriad different sources of data that come into a trade surveillance system. But the challenge that's coming to light is the associated cost of pulling the data out to use it and how that works,” says one surveillance head.

The issue is the difference between the kinds of software license that people are used to, where fees were transparent and rarely tied to data usage unless it was exceptional, and Cloud licenses which charge primarily on the basis of data usage.

This causes a number of problems. One is predictability of costs. It’s not straightforward to estimate the data usage of a surveillance system, and that unpredictability is a problem in itself and a bigger one when combined with the next issue.

In the past, many organisations took these kinds of costs centrally and then allocated those out to businesses on a pre-agreed basis. Now though, because Cloud charging is so granular, it’s possible to charge surveillance costs directly to businesses with an accurate allocation based on a user basis and a volume basis.

So, not only is the business now getting a cost charged to it that previously it may have thought it was not paying for (and may not fully have been paying for), it is also now getting a variable charge it may not have budgeted for.

“Yeah – it’s difficult,” as one surveillance chief puts it. “But I guess ultimately it plays to the risk ownership piece: if the business accepts the risk ownership and accepts the need for better surveillance, then they have to eat it. But yeah, there's a fight in that.”

This clash is all the more problematic as the move to Cloud is not easily replaceable. Or as this surveillance professional says, “You’re slightly damned once you’ve done it, because it’s too late. It’s done. You can’t go back.”

As with other economic arguments around the cost of surveillance and compliance, this one prompts broader discussion. Once the true costs of surveillance are made clear to each business, then the pushback is to challenge the rationale for who is in-scope and surveilled – with a view to reducing that number.

Now the FCA has made it very clear that they do not want to see reductions in surveillance or compliance spending for this kind of reason, but they have also acknowledged the unsustainability of some kinds of surveillance.

Another surveillance leader explains, “how can you possibly manage an insider list on a deal that's made up of 500 people when the actual deal team is only 100? It's just not sustainable. More generally, around a third of our people in-scope of surveillance are not actually client facing, they're one step removed in operations or settlement, in middle office-type functions. But because of the nature of the work they're doing, the exposure they’ve had to MMPI, then they've been deemed in-scope. But if these departments are starting to be directly charged what is not an insignificant amount of money to have those colleagues in-scope, they may want to revisit the rationale for them being scoped in the first place.

“I'm not saying the economics should be the driver for them being taken out of scope, but in the cold light of day, if you've got an individual that might once a month potentially see a file come over their desk that's got MMPI in it, does that warrant them being on a list that requires every channel they use to be monitored?”

As technology lets the business see exactly what they are paying for, expect this battle to get tougher.