Corporate compliance has been under a white-hot spotlight this year. For the securities industry, it all came to a head in April with the $1.4 billion settlement between the SEC and ten of the nation's top Wall Street firms. In addition to tougher regulations for broker-dealers, the settlement sent a ripple effect across the technology industry, with new solutions claiming to ensure compliance.
Unfortunately, many of these "compliance solutions" are a reaction to an emerging opportunity: storage and mailbox-extension products adapted to address the requirements of regulated securities firms. They are not purpose-built compliance solutions architected from the ground up to solve the complex requirements of SEC Rule 17a-4 and other applicable records-retention regulations. The shortcomings of such solutions can end up costing your firm more than time and money; they can cost unwanted regulatory exposure and damage to its reputation.
So before you implement the latest compliance solution, focus on a more important, immediate matter: your own clearly defined compliance strategy. And when developing that strategy, make sure it encompasses three key areas: e-mail and instant-message archiving and retrieval, communication monitoring and supervision, and legacy data restoration.
E-mail and Instant Messaging Archiving and Retrieval
The first and most important area of your strategy is a fully compliant e-mail and instant-message archiving system. Think of it as the cornerstone of your strategy, in that you'll build all the other areas of your compliance system around it. A good digital archiving solution should give your firm the operational advantages of current cost-effective technologies, and deliver the essential components that can meet the requirements of industry regulations.
Operationally, you'll want a system that saves money and is easy to implement and easy to use. Standards-based technologies (such as magnetic disk storage), when integrated in a parallel-processing, distributed computing environment, offer the massive scalability and tamper-resistant storage controls your firm will need to accommodate the explosive growth of electronic communication. Keep in mind that such systems are not easily built in-house without significant domain expertise.
From a compliance standpoint, your system will need to meet industry regulations such as SEC Rule 17a-4, which states that broker-dealers must preserve electronic records "exclusively in a non-rewritable, non-erasable format." Creating a system that not only scales but also retrieves records efficiently poses significant technical challenges. According to IDC, by 2005 the number of e-mails sent annually will exceed nine trillion. For a midsize to large financial-services firm, this can translate into hundreds of gigabytes and even terabytes of e-mail per month. Archiving that volume of e-mail to a compliant, WORM-based system that can still retrieve specific records on demand requires a purpose-built records-management solution developed to scale cost-effectively as archiving needs grow.
The rule also requires that broker-dealers be able to produce those records promptly in the event of an audit or regulatory investigation. That means your archiving system has to provide powerful indexing and search, coupled with the ability to retrieve specific records immediately and accurately; the same capability reduces the cost of discovery requests when you respond to litigation. In addition, you'll need to satisfy the designated third-party (often called the "third-party downloader") requirement: an independent party that has access to your archived records, and the ability to download them, so that regulators can still obtain them if your firm is unwilling or unable to provide access.
But e-mail isn't the only thing you need to archive. A recent NASD memo to its members stated that: "Regardless of the informality of instant messaging, it is still subject to the same requirements as e-mail communications and members must ensure that their use of instant messaging is consistent with their basic supervisory and record keeping obligations." So, make sure your system can capture, index and retrieve instant messages as well.
Here are a few suggestions on what to look for in your digital archiving solution:
--Ability to capture, index, archive, search and instantly retrieve all electronic documents, from e-mail and instant messages to faxes and online transactions
--Preserve documents on tamperproof media, ensuring the highest level of document authenticity, integrity and security
--A solution built specifically in accordance with SEC, NASD, NYSE, AMEX and other pertinent industry regulations
Communication Monitoring and Supervision
The second area of your compliance strategy, and one that should integrate seamlessly with your digital-archiving solution, is a comprehensive content monitoring and supervision system. Regulations such as NASD Rule 3010 and NYSE Rule 342 require organizations to establish and maintain a system of supervision, demonstrate that the system is complete, evaluate it on a regular basis, and ensure that it remains effective.
In order to meet these regulations, your supervision system needs to monitor all employee electronic communications effectively, including e-mail, attachments and instant messages. It also needs to record this supervisory activity and keep auditable records of reviews and other monitoring. Some features to look for in a compliance-ready supervision system include:
--Highly efficient review and administration tools
--Ability to index, review and search all electronic communications and attachments
--Ability to flag and annotate selected messages
--A lexicon-based scanner that checks e-mail and instant messages against multiple lexicons of words and phrases; make sure the lexicons are customizable to your firm's environment
--A convenient interface that makes it easy for administrators and reviewers to use the system
--Easily integrates into your existing infrastructure and environment
--Compatible with all major e-mail and instant messaging management systems
To satisfy NASD Rule 3010 and NYSE Rule 342, you'll also need to develop written supervision guidelines covering company and industry violations, the key words and phrases for your lexicons, and the reporting procedures that will streamline the review process. Doing this up front keeps your costs down, in terms of both time and risk.
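The lexicon-based scanning and the auditable review records described above can be sketched in code. The following Python is an added example and is not from the original article or any vendor's product; the lexicons, the sample messages, the reviewer name and the `ReviewLog` class are all constructed for illustration. It shows the two details that separate a useful scanner from a nuisance: whole-word matching (so "free" does not flag "freedom") and tolerance for the hyphenation and line breaks found in real messages (so "risk-free" hits the phrase "risk free"), and it treats e-mail and instant messages identically, recording each reviewer action in an append-only log.

```python
import re
from datetime import datetime, timezone

# Constructed sample lexicons (assumption: a real firm's lists are far larger,
# business-specific and tuned over time as reviewers see false positives).
LEXICONS = {
    "guarantees": ["guaranteed return", "risk free", "can't lose"],
    "rumors": ["inside information", "before it's announced"],
    "complaints": ["complaint", "unauthorized trade", "misled"],
    "promotions": ["free", "no cost"],
}

# Constructed sample traffic: one e-mail with promissory language, one IM with
# rumor language, and one innocuous e-mail that naive substring matching
# would flag because "freedom" contains "free".
SAMPLE_MESSAGES = [
    {"id": "em-1001", "channel": "email", "sender": "broker@example.com",
     "subject": "Re: the new fund",
     "body": "This one is basically risk-free, a guaranteed return of 12%."},
    {"id": "im-2001", "channel": "im", "sender": "broker", "subject": "",
     "body": "got inside information on XYZ, buy before it's announced"},
    {"id": "em-1002", "channel": "email", "sender": "client@example.com",
     "subject": "statement",
     "body": "Thanks for the freedom to choose my own allocation."},
]


def compile_lexicons(lexicons):
    """Turn each phrase into a case-insensitive, whole-word pattern.

    Words within a phrase may be separated by any run of whitespace or
    hyphens, so "risk free", "risk-free" and a phrase broken across a line
    all match.  Word boundaries at both ends keep "free" from matching
    inside "freedom", the classic source of reviewer-fatiguing false hits.
    """
    compiled = {}
    for name, phrases in lexicons.items():
        compiled[name] = [
            (phrase, re.compile(
                r"\b" + r"[\s\-]+".join(re.escape(w) for w in phrase.split()) + r"\b",
                re.IGNORECASE))
            for phrase in phrases
        ]
    return compiled


def scan_messages(messages, compiled):
    """Return one flag per (message, lexicon, phrase) hit.  E-mail and IM are
    scanned the same way, as the NASD memo requires."""
    flags = []
    for msg in messages:
        text = f"{msg.get('subject', '')}\n{msg['body']}"
        for lexicon, patterns in compiled.items():
            for phrase, pattern in patterns:
                if pattern.search(text):
                    flags.append({"message_id": msg["id"], "channel": msg["channel"],
                                  "lexicon": lexicon, "phrase": phrase})
    return flags


class ReviewLog:
    """Append-only record of supervisory actions (assumption: in production
    this is written to the same non-rewritable archive as the messages, so
    the review trail is as durable as the records it covers)."""

    def __init__(self):
        self._entries = []

    def annotate(self, message_id, reviewer, action, note=""):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "message_id": message_id,
                 "reviewer": reviewer, "action": action, "note": note}
        self._entries.append(entry)
        return entry

    def history(self, message_id):
        return [e for e in self._entries if e["message_id"] == message_id]


def main():
    compiled = compile_lexicons(LEXICONS)
    for flag in scan_messages(SAMPLE_MESSAGES, compiled):
        print(f"{flag['message_id']} [{flag['channel']}] {flag['lexicon']}: {flag['phrase']!r}")
    log = ReviewLog()
    log.annotate("em-1001", "supervisor-1", "escalate", "promissory language to a client")
    print(log.history("em-1001"))


if __name__ == "__main__":
    main()
```

Running it flags em-1001 three times (two guarantee phrases plus the promotional term "free") and im-2001 twice, while em-1002 produces nothing. In a real deployment the flagged set, not the raw traffic, is what reviewers work through, so the precision of the patterns directly determines review cost.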
Legacy Data Restoration
Legacy data restoration is the critical third part of your compliance strategy. Companies often address their data restoration needs only when compelled by a regulatory request or subpoena, which can leave them with enormous costs and unwanted exposure. It's better to take proactive measures to restore and archive your historical e-mail, especially if it is stored on non-compliant media such as backup tapes.
By converting data from back-up tapes to secure digital repositories, records can be retrieved in a fraction of the time - and at a fraction of the cost - when compared to restoring and searching through backup tapes every time you need to find a record. Look for a solutions provider that can handle large-scale, complex data restoration projects.
On the surface, data restoration from tape and other media can appear to be a rather simple concept. However, there are several areas involved in restoring data that can create significant anxiety within your IT department: varying versions and types of tape drives, firmware, media, e-mail software, backup software, not to mention complexities involving the data that's on the tapes. There are solutions providers that specialize in processing tens of thousands of tapes containing hundreds of millions of messages in a short amount of time, taking the resource-draining burden off of your IT department.
Some important points to consider when restoring your data:
--Automatic de-duplication of data for attorney review: this greatly reduces the burden of wading through irrelevant, repeated data
--A fully automated restoration process: automation drives down costs. Consider a vendor with significant experience restoring data from complex environments
--Security and chain of custody: this ensures that only authorized people have access to your data, and it tracks what they do with it
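De-duplication by content hash and a tamper-evident chain-of-custody record, as an added Python example that is not from the original article or any vendor; the restored tape records, tape labels, addresses and the `CustodyLog` class are constructed for illustration. Weekly full backups capture the same mailbox over and over, which is why restored tapes are dominated by duplicates; hashing a fixed set of message fields finds them regardless of which tape or mailbox path they came from. The same hash chain also illustrates the integrity property behind the "tamperproof media" point in the archiving section: every log entry commits to the one before it, so editing or deleting a past entry is detectable.

```python
import hashlib
import json
from datetime import datetime, timezone

# Fields that identify a message; tape metadata (mailbox path, capture time)
# is deliberately excluded so copies from different tapes hash identically.
CANONICAL_FIELDS = ("message_id", "sender", "recipients", "date", "subject", "body")

# Constructed sample of what a restoration job yields: tapes W14 and W15 both
# hold message <a1>, while W15 also holds a message that is new.
SAMPLE_RESTORED = [
    {"tape": "FULL-2002-W14", "mailbox": "/mail/jdoe", "message": {
        "message_id": "<a1@example.com>", "sender": "jdoe@example.com",
        "recipients": ["client@example.net"], "date": "2002-04-02T14:03:00Z",
        "subject": "order confirmation", "body": "Bought 500 XYZ at 41.20 as instructed."}},
    {"tape": "FULL-2002-W15", "mailbox": "/mail/jdoe-archive", "message": {
        "message_id": "<a1@example.com>", "sender": "jdoe@example.com",
        "recipients": ["client@example.net"], "date": "2002-04-02T14:03:00Z",
        "subject": "order confirmation", "body": "Bought 500 XYZ at 41.20 as instructed."}},
    {"tape": "FULL-2002-W15", "mailbox": "/mail/jdoe", "message": {
        "message_id": "<b2@example.com>", "sender": "jdoe@example.com",
        "recipients": ["client@example.net"], "date": "2002-04-09T09:15:00Z",
        "subject": "re: order confirmation", "body": "Confirming the sell of 200 XYZ."}},
]


def content_hash(message):
    """SHA-256 over the identifying fields serialized in a fixed order."""
    canonical = {k: message[k] for k in CANONICAL_FIELDS}
    data = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Hash-chained, append-only record of who did what to which record.

    Each entry commits to the previous entry's hash, so altering or removing
    any earlier entry invalidates every hash after it; verify() walks the
    chain and reports whether it is intact.  (Assumption: in production the
    chain head is periodically written to the non-rewritable archive.)
    """
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, actor, action, object_hash, detail=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "ts": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "object": object_hash,
                 "detail": detail, "prev": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def process_restored(restored, actor, log=None):
    """De-duplicate restored messages by content hash, logging every ingest
    and every suppressed duplicate.  Returns (unique_messages, log)."""
    if log is None:
        log = CustodyLog()
    unique, first_seen = [], {}
    for rec in restored:
        h = content_hash(rec["message"])
        log.record(actor, "ingest", h, f"tape={rec['tape']} mailbox={rec['mailbox']}")
        if h in first_seen:
            log.record(actor, "dedupe", h, f"duplicate of copy on tape {first_seen[h]}")
            continue
        first_seen[h] = rec["tape"]
        unique.append({"hash": h, **rec["message"]})
    return unique, log


def main():
    unique, log = process_restored(SAMPLE_RESTORED, "restore-operator-1")
    print(f"{len(SAMPLE_RESTORED)} restored, {len(unique)} unique, chain intact: {log.verify()}")
    log.entries[1]["detail"] = "tape=FULL-2002-W15 mailbox=/mail/other"  # simulated after-the-fact edit
    print(f"after editing entry 1, chain intact: {log.verify()}")


if __name__ == "__main__":
    main()
```

Two of the three restored records collapse to one unique message, and the log carries three ingest entries plus one dedupe entry. The tamper demonstration at the end is the point of the chain: a quiet edit to an earlier entry makes `verify()` fail, which is what lets the log stand as evidence that only the recorded actions were taken.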
The End Result
It's all about minimizing cost and business risk. That said, when developing your strategy make sure you get all of your firm's key decision makers involved. Section 404 of the Sarbanes-Oxley Act will require top management of public companies or other companies subject to SEC regulations to become more conversant in their accounting systems and controls. With the deadline approaching to comply with section 404, it will be critical to have controls, policies and procedures in place and documented by that time.
If you decide to go with a third party for your compliance solution, make sure you choose a company that specializes in compliance technology, and has direct, relevant experience working with regulatory issues. Such a partner will have the compliance expertise and technical know-how to keep your firm safely within industry regulations.