The myth of risk-based surveillance in voice and video

Regulators and banks themselves are keen on the idea of ‘risk-based’ surveillance – the idea that surveillance should be applied most rigorously to those businesses, channels and individuals that are ‘the most risky’, and that it should be reduced or even stopped for ‘lower risk’ populations.   

But what does anyone mean by risk here? Most market abuse and misconduct regulation is ultimately concerned with client harm or market damage. Most bank risk management thinking is around material financial risks to the firm, including the financial consequences of a failure to comply with regulations. A lot of misconduct risk thinking focuses on the reputational risks of compliance failures or egregious examples of misconduct. And of course, compliance teams also need to think about technical compliance risk.   

So, when banks and regulators talk about ‘risk-based’ surveillance which of these are they talking about?   

At 1LoD’s Voice and Video Surveillance Deep Dive it became clear that the answer is narrow regulatory compliance risk, and then cost, not on the other risk types: in the absence of clear and specific regulatory requirements, banks feel they have little reason to invest in surveilling these channels. 

Take their view on surveillance across multiple languages. Banks only surveil a subset of the languages in which they do business. They give a number of reasons for this: the technology is not yet available to transcribe all but a handful of languages accurately, meaning that captured audio would need to be reviewed on a sample basis by human staff; the cost of surveilling across all languages would therefore be prohibitive; and the risks in those lesser-used language channels would not justify the investment. 

If costs were truly prohibitive, then if regulators mandated surveillance in currently unsurveilled languages, the implication is that banks would consider pulling out of some businesses because of the impact on profitability. But is that likely? No. banks would hire the staff needed to do manual surveillance if they had to. What banks really mean by ‘prohibitive’ is that if it’s not necessary, if there is no compliance risk, then why spend the money? 

So, in reality, current ‘risk-based’ surveillance is nothing of the sort. If a particular type of surveillance is mandated, it will be implemented. If it isn’t then while a risk-based approach would be allowed, in practice banks just take a cost-based approach.   

If this sounds cynical, just look at the state of video surveillance right now. Almost no-one is even capturing video let alone surveilling it. In fact, where banks have bought the technology to record everything from a Teams or Zoom or Webex meeting, they are requesting that video capture be turned off and only the audio (and sometimes the chat and other e-comms elements) be captured. Why? Because no regulators specify video capture and video storage is expensive.  

The problem with this approach is not just that it leaves plenty of potential risk undiscovered in the system, it’s that bad actors will migrate to unsurveilled channels and clients will move to the easiest technologies for them to do business. So, it will become necessary to increase voice and video surveillance in future. 

The onus is on the regulators to move towards more prescription. Right now, regulators are attempting to have their cake and eat it with a ‘principles-based’ approach in the written regs, and an opportunistic and much more prescriptive approach in individual enforcements. That is not a recipe for effective ‘risk-based’ surveillance. But with the issues in banking right now, no regulators are going to impose huge new surveillance costs on the industry and few banks are going to spend significantly to get ahead of the regulations. The cost-based – not risk-based – approach to voice and video surveillance will prevail for some time.