By James Wooster, COO, Glue42.
Spending IT budget on compliance solutions is never satisfying. While the impact of fines is easy to measure, the uncertainty of the risk means that other business cases always look more attractive. The scope of MiFID II and CAT compliance has placed additional burdens on financial institutions as both require data capture at the point of interaction. This demands knowledge of the sequence of transactions and an appreciation of the user behaviours that led to a moment of interest. Unfortunately, traditional approaches track the results of user behaviour, not the users’ behaviour itself.
The bad news for IT departments is that the complexity of the desktop environment and the multitude of in-house and third-party applications make it incredibly difficult to identify anomalous user journeys. Applications are written in different technologies and are often unaware of the existence of others. Worse still, at the backend, the breadcrumb trail of transactions is dispersed across many different silos (e.g. databases, log files, audit files, etc.), often with little in the way of a common identity to help match the interactions in one system with those from another. Not surprisingly, compliance requirements often lead to the creation of complex integration programmes which compete for critical machine resources while never offering any business value until a problem arises.
Enter User Behaviour Analytics (UBA). This is an approach based upon process mining techniques in which the front-end applications are instrumented to convert user gestures into specific events that record what a user has done (or not done). For example, opening an application, viewing the content of a report, interacting via a softphone application, looking for specific market data and bringing an application into view are in themselves uninteresting – but thanks to UBA those actions can be viewed in context and can offer an insight into the users’ intentions. Better still, comparing patterns of application usage between users performing similar functions allows baselines to be developed from which missed process steps or errant behaviour can be quickly identified. The key point to remember is that not all users’ interactions have a corresponding breadcrumb at the backend. Scrolling through a dataset, bringing an application into view and copy/pasting data between an enterprise application and an email are things to which a data-centre solution is simply blind.
In addition to passive monitoring, UBA can also be used to trigger actions, for example taking a silent screenshot before, during and after a trade is executed, or raising an alert if the appropriate data sources are not consulted prior to offering a customer some advice.
Like all compliance regimes, there are clearly data privacy concerns and the big-brother accusation is never far away. While these are issues for the individual firms to manage and communicate, the best UBA platforms offer the ability for this level of tracking to be switched on or off for specific users or departments at the flick of a switch. This allows targeted analysis to occur where there is strong justification or suspicion.
Interestingly, there are many reasons why keeping UBA switched on outside of a compliance scenario is a good thing. For example, being able to compare the behaviours of a rock-star trader with those of a new hire can reveal opportunities for further training. Spotting repeated copy/paste activities between applications may highlight the need for application integration to reduce the handling time and remove the opportunity for errors. Constantly restarting an application is indicative of application failure.
The UBA approach is being adopted by tier-one banks and hedge funds around the world. Sometimes this is coupled with the adoption of interop platforms, where web apps and desktop applications of any type are integrated together to simplify the user journey and improve business outcomes. Indeed, the market-leading interop platforms have this capability built in, as the insight gained through UBA can help build business cases for future digital transformation and use of the interop capabilities.
UBA is therefore a way of delivering leading-edge compliance solutions whilst at the same time delivering business benefits and operational advantages to all end-users. IT departments should also keep a watching brief on the use of machine learning techniques to spot new attack vectors and opportunities for assisted guidance to help the end-user and client.
Maybe spending IT budget on compliance just got slightly easier?