'Trust But Verify' Key to Contracts Post-Bloomberg Spying Scandal

Brian Nadzan, Chief Development Officer at TradingScreen

Recent reports that Bloomberg monitored client communications and usage data signal yet another flashpoint in the ongoing debate between vendors and financial institutions over what is suitable in terms of access to—and surveillance of—information.

As more of those services become cloud-based, expectations around demonstrable verification and auditing practices have heightened, but discussing where data usage for product development ends, and more nefarious activity begins, is not such a bad thing. In fact, Brian Nadzan, chief development officer at buy-side combined execution and order management systems provider TradingScreen, says clarity is the best way to avoid these kinds of events to begin with.

"We have to prove to clients that we have good safeguards in place, particularly around change management and data access—e.g., ensuring changes go through the right environment as they are given to production," he says. "Similarly, the recent problems in the industry certainly haven't surprised us in terms of being capable of demonstrating how we handle internal data access entitlements. Our clients haven't been asking any more often, necessarily, because clients are always asking that of us as a cloud-based solution. We constantly have to prove the data is in front of the eyes that are supposed to have it."

As Nadzan says, the industry long ago solved for role-based tools and entitlements by intermediating development and production with applications that permission some and not others. The difference lies in creating a robust verification layer behind that, one that can essentially mirror back what's going on in which application and who is doing it, and that allows end-users to adjust and monitor entitlement policies directly as necessary.

"Obviously, for intra-day trading positions, it's important because clients don't want to feel they don't have control of the data, so we give them access to policies through a kind of self-service portal, to maintain pieces of information and who has access to it, whether infrastructure support teams or otherwise, so they can fully understand the chain of access," he says.

‘Three Buckets’
The catchword across the industry, once again, is “distrust,” but the smarter focus is for each individual firm to home in on its own requirements and make sure they are spelled out contractually. That, Nadzan suggests, should augur more documentation requirements in the future, perhaps a bit more flexibility on things like periodic visits to vendors' physical sites, and new competition in the chat space, such as a new service in the works from Markit, but not necessarily more blanket rules.

"If you're getting a collection of services from a major provider, pulling out of chat communications and fleeing to a separate vendor doesn't necessarily solve the problem, and the Financial Industry Regulatory Authority (Finra) or the Securities and Exchange Commission (SEC) won't and shouldn't dictate what the correct policies are for each buy-side firm or broker-dealer," he says. "Perhaps you could see a best-practices document, and then apply what you feel is practical, but it's down to specific obligation to your own clients, and whether managing private wealth money, hedge funds, or pension funds, those will each be quite different."

On the vendor side, the best advice, somewhat counterintuitively, may be to take advantage of greater requirements, regulatory or client-driven, as service offerings grow out. "It's a combination of internal policies and training, active understanding of the existing regulation around data access, and reacting to changes in terms of what clients need, always coming back to the idea of 'trust but verify.' You can't ignore any of those three buckets and still be successful," the CDO says. "For example, TradingScreen is building out new electronic exchange venues, which require much higher regulatory compliance around data usage than being an EMS or OMS provider, alone. Those standards are now applied across our entire organization, not just a single business line."
