JP Reis consultants have helped to implement a compliance capture and archiving solution for an investment bank. The solution covers voice channels Trader Voice, Enterprise Voice and MS Teams. The program is global and circa 10,000 users are already being recorded on Teams.
The Compliance Technology Program
Our client was facing end-of-life risk from the Windows 2008 OS and legacy voice recording systems. The bank also needed to meet new regulatory recording requirements for channels such as MS Teams. Our consultancy team needed to manage the selection of a vendor, design and implement the solution, perform rigorous testing, ensure all data capture, transfer and archiving was validated and compliant, and make sure that future compliance workstreams were facilitated.
This strategic architecture project was global in scope and headed up by our Principal Consultant in Sydney. Our team had two further Subject Matter Experts and two Project Managers. Lockdown conditions were in effect for a significant proportion of the project timeframe so the JP Reis contribution was largely delivered from remote locations.
The first phase was to understand the requirements and select a product for the capture aspect of the solution. Our team performed internal discovery work to ensure the requirements of all key stakeholders including the Business, IT, Compliance, Security and Legal were factored in. Then they performed an evaluation of recording vendors. A thorough market overview preceded a full RFP process that started with four suppliers who were subsequently downselected to two. We ran detailed proof of concept [PoC] testing for voice, chat, video conferencing and screenshare with the two remaining vendors after which the client selected NICE NTR-X.
NICE NTR-X Solution
NICE Systems has expanded its capture capabilities, in response to regulatory requirements, to include video, chat and screenshare. The new generation NICE NTR-X platform can provide compliance capture and assurance for Trader and Enterprise Voice, Microsoft Teams and Zoom capture, call recordings from mobile phone, WhatsApp and WeChat, and trader voice transcription.
Its selection here was as a versatile capture engine that could handle the immediate voice capture requirements of the project and be ready to implement for other streams. The decoupling of capture and archiving is in line with the emerging best practice paradigm that JP Reis has been advising for years.
In this case, rather than selecting one of the new cloud-hosted compliance archives that can pull in 100 streams, the bank had created its own archive solution that will perform all lifecycle management, playback, validation and analysis. It is hosted in the Google Cloud Platform [GCP]. This decision presents its own challenges and creates ongoing internal workstreams that would not exist to the same extent had a third-party compliance archiving solution been selected.
Main Compliance Project
When implementing digitized products, including “as a Service” [AAS] solutions, extensive work is still required before they can become fully operational, effective and, in the case of regulated industries, compliant. Realistic timeframes, normally involving specialist consultancies, need to be agreed so that high-level architecture and engineering work can be carried out along with cycles of testing and calibration. Governance and Compliance requirements are sometimes misunderstood by internal stakeholders and vendor products are often less developed than expected. Our client has had previous regulatory issues and has become more proactive with compliance as a result, but the work was still challenging.
Our team set up production, User Acceptance Testing and Development environments. They designed the architecture for the hybrid capture solution. This included the development of an automated request and workflow provisioning solution to ensure integrity of the configuration for regulated users. IPC Unigy and Avaya calls are now captured using an on-premises NICE NTR-X system and recordings from both go to the client’s proprietary storage archive in GCP. The files are ingested and validated before an automated request goes to NICE requesting record deletion.
NICE also captures MS Teams recordings on an AAS basis although the client experience is more like a managed service. As with Avaya and Unigy, recordings are stored in the GCP archive and following ingestion and validation, the request is then made for NICE to delete the corresponding records. Detailed testing has been performed throughout the program on every aspect of the new solution with use cases covering many different fixed and mobile client profiles.
Our findings from the RFP and PoC processes included some required product developments for NICE NTR-X. This is not unusual; we often work with vendors and clients on product development and the improvements and additions we make benefit all stakeholders and future clients.
We worked with the vendor to develop the product from a security and workflow perspective. This included the integration with MS Azure Active Directory using OpenID Connect so the bank can authorize credentials on the SaaS solution. We also managed the setting up of a proxy for internet access. We developed the existing security information and event management [SIEM] system to provide audit access and we added envelope encryption, meaning that files can only be opened by the key-holding client. We also added encryption at rest, pre-announcements, beep tones and recording on demand, all of which were considered essential by the client.
Summary of Tasks Completed
Projects like these are more labor intensive than some stakeholders expect. Our consulting team has many years of experience implementing compliance systems and we built on our strong and rapidly growing understanding of MS Teams and its place in the compliance capture model. The list below does not capture the level of effort, architecture design, engineering and governance, but provides a useful summary of completed tasks. The next step will be to roll out the program to include chat, screenshare and video.
- Helped to govern the process leading to the selection of NICE NTR-X;
- Set up NTR-X for MS Teams to operate as a SaaS solution;
- Set up NTR-X for Avaya and IPC to operate as an on-premises solution;
- Enabled NTR-X to archive internally and over the Internet to the bank’s in-house compliance archive in GCP;
- Azure Active Directory integration for NICE NTR-X;
- Provided audit access for SIEM;
- Added end-to-end envelope encryption;
- Implemented best practice security and governance processes.