Industry Letter - October 13, 2015: Requirements on Use of Symphony Communication Services

TO: All DFS-regulated Institutions

FROM: Anthony J. Albanese, Acting Superintendent of Financial Services

RE: Requirements on Use of Symphony Communication Services

DATE: October 13, 2015

The New York State Department of Financial Services (“DFS”) has entered into agreements (the “Agreements”) with five DFS-regulated financial institutions (the “Banks”)¹ regarding their use of a third-party e-communications platform engineered by Symphony Communication Services LLC (“Symphony”). The Symphony platform, which launched on September 15, 2015, utilizes end-to-end encryption to send encrypted messages that only the sender and recipient institutions can decrypt by using a private decryption key. Though the message is transmitted through the Symphony platform, Symphony does not have the ability to decrypt the message. In addition to end-to-end encryption, Symphony’s promotional materials highlighted “guaranteed data-deletion” as a central feature of the platform.

Symphony’s promotional materials and other publicly available information prompted DFS to seek additional information regarding the Banks’ intended use of the platform. DFS requires its regulated financial institutions to maintain records in a reliable, safe and secure manner. Accordingly, DFS reviewed the Symphony platform to determine whether it could be deployed in a manner consistent with those principles. In order to ensure appropriate regulatory compliance, DFS entered into the Agreements.

In the Agreements between DFS and the Banks, the Banks have agreed as follows: (i) prior to using or expanding the use of the Symphony platform, the Bank will require that Symphony maintain copies of all Bank communications sent through the Symphony platform for at least 7 years; (ii) the Bank will store a copy of decryption keys for encrypted messages transmitted through the Symphony platform with an independent custodian or custodians, i.e. one not controlled by the Bank; and (iii) the Bank will inform DFS of the location of the stored decryption keys.²

It is the view of DFS that the use of the Symphony platform must include these safeguards to ensure safe and sound operations. Accordingly, any DFS-regulated institution that is considering using the Symphony platform should ensure that the entity’s anticipated use conforms to the standards included in the Agreements and should contact Jeremy Schildcrout at DFS at (212) 709-3572 (or [email protected]) to execute a similar agreement.

¹ The five institutions are Goldman Sachs, Deutsche Bank, Credit Suisse, The Bank of New York Mellon, and Société Générale

² Example Agreements can be found at http://www.dfs.ny.gov/banking/agree_symphony_09142015.htm