.jpg)
The New York State Department of Financial Services (NYDFS) reached an agreement today with Société Générale on record-keeping requirements and other protections to help ensure the bank’s responsible use of the new Symphony Communication Services, LLC (“Symphony”) chat and messaging platform. NYDFS had recently expressed concerns that certain Symphony features, such as its promise of “Guaranteed Data Deletion,” could hinder regulatory investigations on Wall Street.
Anthony J. Albanese, Acting Superintendent of Financial Services, also issued guidance today to all NYDFS-regulated institutions stating that firms that decide to use Symphony must put in place the same protections. Société Générale is the fifth bank to sign onto NYDFS’s model record-keeping requirements for the use of Symphony. The Department reached the same agreement last month with Goldman Sachs, Deutsche Bank, Credit Suisse, and Bank of New York Mellon.
Acting Superintendent Albanese said: “We are pleased that Société Générale signed onto our model agreement for the use of this new chat service. Additionally, we have issued guidance to ensure that all of our institutions that choose to use Symphony will follow these necessary rules. Given that our Department does not regulate all of the financial institutions that intend to use the Symphony messaging platform, we believe it is important that other regulators and law enforcement officials work to put in place similar protections.”
Previously, in a July 2015 letter to Symphony, Acting Superintendent Albanese raised concerns that the use of Symphony – which marketed its services as delivering “Guaranteed Data Deletion” – could hinder regulators’ and prosecutors’ ability to investigate misconduct at banks, such as the recent rate-rigging (i.e., LIBOR) and foreign exchange manipulation scandals conducted in part over instant messaging services.
Under today’s agreement, to help address those concerns:
- Symphony will retain for seven years a copy of all e-communications sent through its platforms to or from Société Générale;
- Société Générale will store duplicate copies of the decryption keys for their messages with independent custodians (i.e., custodians not controlled by the banks).
To view a copy of today’s agreement with Société Générale, please visit, link.
A copy of the guidance Acting Superintendent Albanese issued to NYDFS-regulated institutions on the use of Symphony can be found below and at the following link.
****
TO: All NYDFS-regulated Institutions
FROM: Anthony J. Albanese, Acting Superintendent of Financial Services
RE: Requirements on Use of Symphony Communication Services
DATE: October 13, 2015
______________________________________________________________________________
The New York State Department of Financial Services (“DFS”) has entered into agreements (the “Agreements”) with five DFS-regulated financial institutions (the “Banks”)1 regarding their use of a third-party e-communications platform engineered by Symphony Communication Services LLC (“Symphony”). The Symphony platform, which launched on September 15, 2015, utilizes end-to-end encryption to send encrypted messages that only the sender and recipient institutions can decrypt by using a private decryption key. Though the message is transmitted through the Symphony platform, Symphony does not have the ability to decrypt the message. In addition to end-to-end encryption, Symphony’s promotional materials highlighted “guaranteed data-deletion” as a central feature of the platform.
Symphony’s promotional materials and other publicly available information prompted DFS to seek additional information regarding the Banks’ intended use of the platform. DFS requires its regulated financial institutions to maintain records in a reliable, safe and secure manner. Accordingly, DFS reviewed the Symphony platform to determine whether it could be deployed in a manner consistent with those principles. In order to ensure appropriate regulatory compliance, DFS entered into the Agreements.
In the Agreements between DFS and the Banks, the Banks have agreed as follows: (i) prior to using or expanding the use of the Symphony platform, the Bank will require that Symphony maintain copies of all Bank communications sent through the Symphony platform for at least 7 years; (ii) the Bank will store a copy of decryption keys for encrypted messages transmitted through the Symphony platform with an independent custodian or custodians, i.e. one not controlled by the Bank; and (iii) the Bank will inform DFS of the location of the stored decryption keys.2
It is the view of DFS that the use of the Symphony platform must include these safeguards to ensure safe and sound operations. Accordingly, any DFS-regulated institution that is considering using the Symphony platform should ensure that the entity’s anticipated use conforms to the standards included in the Agreements and should contact Jeremy Schildcrout at DFS at (212) 709-3572 (orJeremy.Schildcrout@dfs.ny.gov) to execute a similar agreement.
FOOTNOTES:
[1] The five institutions are Goldman Sachs, Deutsche Bank, Credit Suisse, The Bank of New York Mellon, and Société Générale.
2 Example Agreements can be found at http://www.dfs.ny.gov/banking/agree_symphony_09142015.htm
