Imerge Consulting

What's the rush? The law is coming!

by Robert Smallwood, KM World
04-01-2006

What's driving the rush to implement e-mail archiving/management software? One big reason is that an estimated 60 percent to 70 percent of business-critical data resides in e-mail, but there is also a bigger stick: compliance. The law has become a strong motivator for businesses, especially in this era of increased government scrutiny resulting in lengthy court cases, fines or even jail time.

Some of the regulations apply to a broad swath of firms, such as Sarbanes-Oxley (commonly referred to as SOX), which applies to all public firms and regulates financial auditing, quality control and independence standards, requiring executives to certify the veracity of their financial reporting. SOX mandates that public companies save all business records, including electronic records and messages, for no less than five years, and relevant audit-related documentation (including e-mail records) must be retained for seven years.

Other regulations are specific to vertical markets, most especially the financial services, investment brokerage and banking segments. Many financial services and related firms are upgrading existing systems to improve their ability to quickly search and find relevant e-mail records when discovery requests are made. Here are some key laws impacting the retention, preservation, searchability and production of e-mail records for financial services entities:

Financial services firms
Gramm-Leach-Bliley Act
Financial institutions must ensure the security of non-public personal information; as such, they are required to maintain and store those communications in compliance with the SEC's Rule 240.17a-4 and NASD's rules 3010 and 3110 (all e-mails must be preserved for a period of not less than six years, with the first two years in an easily accessible place).

Investment broker dealers
Securities & Exchange Commission (SEC) 17a(3,4) Records of Certain Exchange Members, Brokers & Dealers
A broker or dealer must preserve records and documents for three to six years, and for the first two years they must be kept in an accessible place. All documents and records must be time-stamped, stored in a non-rewritable/non-erasable format, organized and indexed, with a duplicate copy stored separately from the original. The indexes should be duplicated and stored separately from the original, and they should be available for examination and preserved as long as the documents and records.

NASD 2210--Communications with the Public
All sales literature and correspondence made available to customers or the public (including e-mail) must be maintained for three years from the date of each use, including the name of the person who prepared the literature and/or approved its use. Any communications (including e-mail) that deal with the performance of past recommendations or actual transactions should be stored at a place easily accessible for the accounts or customers involved.

NASD 2711
All research reports--including any written or electronic communication that includes an analysis of equity securities of individual companies or industries and that provides information reasonably sufficient upon which to base an investment decision--must be retained for three years following their publication.

NASD 3010
A system should be established and maintained to supervise activities of all registered representatives, including the use of e-mail and Web sites. Written procedures must be developed for the review of any written and electronic correspondence with the public relating to investment banking or securities business. If an electronic or manual pre-use review is not done, appropriate supervisory procedures should be developed, as well as monitoring and testing the procedures, educating employees on the procedures and documenting the education of the employees. All correspondence relating to investment banking or securities business should be retained along with the names of the people who prepared and reviewed the correspondence, and the retained records should be readily available to NASD.

NASD 3110
All books, accounts, records, memoranda and correspondence should be retained in the same format as stated in SEC Rule 17a-4 (i.e., non-rewritable, non-erasable, and time-stamped). All e-mails and Internet communications that relate to the broker/dealer's business must be retained for at least three years, the first two years in an easily accessible place.

IDA 29.7 (The Investment Dealers Association of Canada)
All client correspondence and related documents, including e-mails, must be retained for five years from the date of creation.

Banks
Office of the Comptroller of Currency (OCC) Advisory: Electronic Record-Keeping
Banks should implement an electronic record retention system to support litigation, audits, bank supervision and compliance with laws and regulations. Systems should also prevent external access by third parties, and provide backup, internal controls, record destruction and record retention.

Federal Deposit Insurance Association (FDIC) Advisory: Information Technology Risk Management Program
The advisory requires encryption of electronic customer information while in transit or in storage.

Basel II
Banks must create internal processes to control, supervise and enforce risk management practices, including those involving internal communications (e-mail).