Cloud Confessions: Q&A with CTO on Communications Compliance
CTO|Kerv Collaboration & Compliance
Published 12/12/22
Kyle Ansari is CTO of Kerv’s Compliance practice, where he’s responsible for the engineering and development of new products in this fast-moving area of business technology.
Our CMO Helen Lancaster caught up with Kyle to find out more about his journey to becoming a CTO. Helen also finds out what he has learned from working for both Financial Service organisations and service providers in the compliance market.
Helen: Hi Kyle, can you tell us a bit about your background and how you became a CTO?
Hi Helen, my background is actually in the theatre, which I know is an unusual training ground for a CTO! But today’s theatres employ more technology in sound engineering and lighting than you may think!
My role was basic, but I was interested in how things actually worked. I started reading the engineer’s notes to see how they solved common problems.
Over time I became a senior engineer and went to work on-site for one of our large banking clients, Deutsche Bank. I was offered a position designing their back-end voice recorders globally. This skill was in high demand for banks at the time and I subsequently ended up doing similar work for two other major financial institutions.
My big break came when I was approached by a new company. They needed an architect to design a new voice recording solution and a robust transformation plan. Over time I did similar work for other major clients, which resulted in me becoming a director of the company and ultimately the CTO.
Helen: Interesting. So, what have you learned from implementing these compliance solutions?
I think the first thing I learned is how critical compliance is to financial services clients. The stakes are high: non-compliance can result in major fines, reputational damage and ultimately revenue loss.
Secondly, financial service organisations take compliance very seriously, but it is hard for them to have the experience and the technical staff to cover every eventuality. There are always processes and controls in place to handle non-compliance events. Without the expertise on hand, they sometimes don’t get followed. It’s a fast-paced, high-pressure environment and needs 24×7 attention to get systems back online in the case of an incident. For a financial services organisation a gap in call recording is not only unacceptable, it immediately makes them non-compliant.
There is also now a new challenge for financial institutions. Their data is no longer 100% contained in-house. This means that somebody else is managing the infrastructure, which creates the security problem of who is authorised to access call recordings and data. This becomes even more acute when it is hosted in cloud infrastructure from a service provider.
The answer to this problem is to work with a specialist provider, like Kerv. We have rigorous, audited and tested data environments that mean only our clients can access their data; we can’t even access it ourselves. To ensure that only authorised personnel can gain access to sensitive data, we conduct penetration testing and extensive security audits, and provide documented evidence of our security controls.
Helen: You mentioned that there are security challenges when financial service organisations host their data in cloud infrastructure. How can these be dealt with?
Ironically, the key benefit of cloud infrastructure is also the organisations’ main concern: the clinical separation of the data that is stored for compliance purposes.
On one hand they fear a loss of control, but on the other, the benefit far exceeds the risk. This is because their call recordings are stored and archived in a totally separate environment, managed by a team of dedicated professionals. At Kerv, we provide a level of audit across their data that they simply could not achieve in-house. They don’t have to control their data; we do it for them.
Helen: Is moving to cloud a simple one-time decision or a journey?
It is definitely a journey. It makes a lot of sense to make the transition, but the execution is necessarily a lengthy process that requires planning and a great deal of due diligence.
I have talked about the importance of security; for some clients it can take 6 months to complete a cloud migration for this reason. This may feel like a long time, but it is critical for them to demonstrate the safety and security of putting their important data in the cloud.
At Kerv, even when our customers have gone live, their journey isn’t over. We are constantly looking for ways to streamline their processes or upgrade security controls to improve their ability to audit.
We recently had a client who needed to be able to transcribe their call records. Because we had their data in the cloud, we were able to easily deliver their transcriptions in a searchable and secure manner.
Helen: What do you think clients look for from a compliance service provider?
I think there are two key things that a service provider can bring to the table that it is hard for financial institutions to replicate.
The first is experience. It’s essential that a vendor understands the compliance issues a bank faces, the problems that can occur during migration and the typical financial security requirements.
The second is best practice. It’s very hard for a financial institution to know how their competition have solved similar problems. At Kerv, we have seen numerous deployments and without breaking any confidence we usually know the problems that will be encountered and the best ways to overcome them.
Helen: I heard a rumour that Kerv is currently the only service provider that provides CDR reconciliation for Teams recording. Is that true and why is it important?
Well, it’s always hard to say exactly what other suppliers are doing. But, yes, I believe that is currently the case. We have the capability to give clients a full list of the calls that are made in their Teams environment and we already have this live and working with a major financial customer.
CDR reconciliation is not strictly a compliance requirement, so it can be easily overlooked. But it’s an important data point because it gives customers confidence that in the event of a failure, they will have much better information about exactly what has happened and why.
Helen: What recommendations would you make to a CIO who is selecting a vendor to implement compliant call recording?
There are three attributes that are essential for a successful partnership in this space.
The first is a thorough investigation into the credentials of the company selected. What are their resiliency processes? How do they deal with failures?
The second is their maturity in implementing access controls and data security. As I said earlier, security for financial organisations is paramount.
Finally, I would want to understand how they will integrate their security policies with those of the customer. Each financial institution is different and ensuring that the vendor can respond to these variations is key for success.
Helen: That’s very interesting, Kyle. Thanks for sharing your thoughts with us today.
Kerv Collaboration & Compliance Practice has years of experience and unrivalled technical knowledge, delivering ground-breaking compliance projects for global financial institutions and assisting customers in taking the next steps in migrating to, capturing and managing evolving, state-of-the-art communications compliance.