Getting it Right in a Regulatory Environment
By Maree Moscati, CEO, Copytalk
Today, as public anxieties reverberate from the economic crisis of 2008, banks must continue to instill and maintain public trust. Yet the banking environment has never been more complex. The challenge is further complicated by the fact that financial firms from the smallest community banks to global institutions rely on a host of providers to perform a multitude of noncore, data-intensive functions.
Dictation and transcription services have been a valuable business tool for many years, even though the environment we live in today is dramatically different from that of even 15 years ago. Risk has changed the landscape, yet with tight budgets and shrinking support staff, these services continue to be important - and they need to be flexible, accessible and fast.
Financial services companies have a wide array of service providers to choose from, but how they choose is as important as whom they choose. With the advent of Big Data and the corresponding wave of complex legislation - HIPAA, GLBA, Sarbanes-Oxley, Dodd-Frank, etc. - sanctions for noncompliance can be onerous. Some providers are sophisticated when it comes to security, some less so. While a company has a lot to gain by choosing the best service available, no financial institution can afford to consider a provider that cannot clearly demonstrate its understanding and use of data security controls.
When selecting a transcription service provider, banks and financial institutions should ask whether they:
• Maintain active intrusion detection systems
• Use a segmented network with multiple firewalls
• Destroy media that contains confidential data
• Run antivirus software with signature files and automatically update them daily
• Monitor their systems for unusual activity
• Make appropriate use of encryption to protect sensitive data in transit and at rest
In addition, here are some other security considerations:
• Employee background checks - Are thorough employee background checks conducted, including Social Security number verification and address history, as a requirement for employment? Can transcriptionists access data about the client, or is client data kept separately? Is the dictated information associated with the client's identity, or does the service ensure a barrier between dictated material and the data's owner?
• Remote facilities - Are the equipment and facilities under the provider's direct control?
• Location - Is the transcript being processed in the US or overseas? (A US institution remains responsible for its data wherever it is processed, but facilities outside the US are far harder to audit and to hold to US law.) Does the company use home-based transcriptionists?
• Downstream vendors - Is the workforce processing the work under sole control of the transcription company (or is the vendor hiring "downstream" vendors)?
• Shared environments - Are the equipment and facilities shared across multiple purposes or companies? Shared environments include a home-based transcriptionist using a personal laptop or a dictation company sharing server space with other companies.
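The "barrier between dictated material and the data's owner" asked about under employee background checks, together with the destruction of media once a job is done, is an architecture rather than a policy, and it is easier to evaluate a vendor's answer when you have seen what the barrier looks like. The following is an added illustration, not Copytalk's or any vendor's code: a dictation is checked in under a random token, the token-to-client mapping lives in a separate ledger that only an account-manager role may read, transcriptionists receive nothing but the token and the audio, and releasing the finished transcript rejoins it to the client and destroys both the audio and the mapping. The role names and the in-memory stores are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Role names are an assumption of this example, not any vendor's standard.
ACCOUNT_MANAGER = "account_manager"
TRANSCRIPTIONIST = "transcriptionist"


@dataclass
class Job:
    """A dictation as the transcription floor sees it: a random token and audio, nothing else."""
    token: str
    audio: bytes
    transcript: Optional[str] = None


class IdentityLedger:
    """Token -> client mapping, kept apart from the audio and readable only by account staff."""

    def __init__(self) -> None:
        self._owners: Dict[str, str] = {}

    def register(self, token: str, client_id: str) -> None:
        self._owners[token] = client_id

    def owner_of(self, token: str, role: str) -> str:
        # Enforce the barrier: a transcriptionist can never resolve a token to a client.
        if role != ACCOUNT_MANAGER:
            raise PermissionError("only account management may resolve a token to a client")
        return self._owners[token]

    def forget(self, token: str) -> None:
        self._owners.pop(token, None)


class DictationService:
    """Intake assigns a token; transcriptionists work on tokens; release rejoins and destroys."""

    def __init__(self) -> None:
        self._ledger = IdentityLedger()
        self._jobs: Dict[str, Job] = {}

    def intake(self, client_id: str, audio: bytes) -> str:
        # 128-bit random token: unguessable, and it carries no information about the client.
        token = secrets.token_urlsafe(16)
        self._ledger.register(token, client_id)
        self._jobs[token] = Job(token=token, audio=audio)
        return token

    def transcriptionist_view(self, token: str) -> Dict[str, object]:
        # The only fields handed to the floor: no client name, account number or address.
        job = self._jobs[token]
        return {"token": job.token, "audio": job.audio}

    def submit_transcript(self, token: str, transcript: str) -> None:
        self._jobs[token].transcript = transcript

    def release(self, token: str, role: str) -> Tuple[str, str]:
        # Rejoin transcript and owner under the account-manager role, then destroy the
        # audio and the mapping so nothing about the job lingers once it has been delivered.
        client_id = self._ledger.owner_of(token, role)
        job = self._jobs[token]
        if job.transcript is None:
            raise ValueError("transcript not yet submitted")
        del self._jobs[token]
        self._ledger.forget(token)
        return client_id, job.transcript

    def has_job(self, token: str) -> bool:
        return token in self._jobs


if __name__ == "__main__":
    svc = DictationService()
    # Constructed sample input; a real job would carry an audio file.
    tok = svc.intake("client-0042", b"<constructed audio bytes>")
    print("floor sees:", list(svc.transcriptionist_view(tok).keys()))
    svc.submit_transcript(tok, "Client wishes to rebalance toward bonds.")
    print("released to:", svc.release(tok, ACCOUNT_MANAGER))
    print("job still on floor:", svc.has_job(tok))
```

When reviewing a vendor, the questions this sketch turns into are concrete: who can read the ledger, whether the token is random rather than derived from the client, and whether the audio and the mapping are actually deleted on release rather than merely hidden.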
Since dictation and transcription services were traditionally handled by support personnel, they are still often viewed as simple, low-level functions. Employees, from multinational CEOs to branch receptionists, are becoming increasingly comfortable "hiring" their own personal technologies - tablets, smart phones, cloud applications - to do their support work. Why not?
There are, of course, many reasons, yet policies to limit these risky practices are falling on deaf ears: according to a 2012 CIO poll, 93% of today's employees admit to violating company policies designed to prevent information leakage. A key source of risk here is bleed: once a bank manager begins using his iPhone for innocuous to-do lists, might he then, in a pinch, use it for some quick notes on an important client briefing?
Siri and Android's speech-to-text functions are often assumed to be safe, native features that process the audio only on the phone. In fact Siri sends recordings to Apple's servers for recognition, and Android's recognizer does the same unless an offline language pack is installed. The trouble - in addition to the risk of losing the device itself - is the trustworthiness of the application, coupled with complex data use agreements so often dismissed with a touch of the "I accept" button. Rather than holding the content on the device, many speech-to-text applications transmit the data off the device and retain it for an unspecified period. Out of the organization's hands and untraceable, the data may be transferred, copied and even sold, creating serious reputational and compliance risks.
Voice-to-text software can be an attractive option, but it may not be very efficient. These tools are highly interpretive and cannot be relied upon for accuracy. Because of these limitations, the time saved through instant voice transcription is more than offset as the person who dictated reads through, corrects and re-reads the transcript. Worse, licenses for voice-to-text software often require consent to expansive privacy policies - policies that can be prohibitive for a financial institution.
With personal technologies risky and voice-to-text solutions still lagging, financial services companies must identify better alternatives that satisfy these criteria:
• "Always on" - available 24x7
• Accessible from anywhere
• Easy to use - as easy or better than one's personal technology
• Able to understand and interpret industry jargon
If a service fails to meet the bar for ease of use, busy workers juggling multiple projects, deadlines and travel schedules will simply revert to their own equipment ("I'll just store it in my iPhone for now"), leaving the information without backup, encryption or other safety measures and creating risks of compliance issues, hefty fines, reputational damage and other problems.
The Right Provider
Finding a service provider need not be complicated. A few questions can narrow the field considerably. Does the provider have a solid understanding of the risk and regulatory environment in which financial institutions operate? How has the organization's leadership established a culture of security within the organization? Are employees screened carefully? Are standard protocols for safeguarding data being followed?
Participation in a consortium of security professionals, such as the Shared Assessments Program (www.SharedAssessments.org), is another good indicator that the company is committed to risk management and engaged in the larger risk management community.
Finally, while we all enjoy hearing words of assurance in the face of risk, the fact is that risk will exist. All service providers whose work involves touching sensitive data - from dictation to financial modeling to payment processing - should know this. Yes, their job is to support financial institution clients in adhering to rules and preventing compromises. The era of Big Data is only beginning, and risk changes all the time. The right provider acts as a partner, supporting institutions as they navigate this new and highly complex world.
Maree Moscati is CEO of Copytalk (www.copytalk.com) which provides secure, compliant mobile dictation and transcription services to financial services organizations. Before joining the firm in 2012, she had a long career in financial services in both executive and client relationship roles.