Adhering to the array of SEC and NASD regulations around e-mail retention is going to be a full-time job for firms that hope to avoid the fines, lawsuits and bad press that come with non-compliance.
It is estimated that over 16 billion business e-mail messages are sent a day, and financial firms are stuck with the unenviable task of figuring out how to deal with them. "Dealing with them" includes managing, archiving, retrieving and monitoring e-mails and instant messages.
Regulators are cautioning financial-services firms to beef up their e-mail-management systems and implement an e-mail-compliance policy or face heavy fines and possible lawsuits. As many firms struggle to figure out if their business is compliant, others have yet to develop an e-mail-retention policy.
There are rules and regulations for the creation, management, storage and disposition of e-mails. And many have been updated, clarified, reinterpreted and amended in the face of recent scandals. Regulators are coming down on non-compliant firms with force. So how does a financial-services firm ensure that it is compliant? And what steps must it take to get there?
SEC Rule 17a-4 and NASD 3110 state that broker/dealers and exchange members must preserve all electronic communications relating to the business of their firm in a non-rewritable, non-erasable format for three years, two of which must be in an easily attainable place. And NASD Rule 3010 states that broker/dealers must implement a supervisory system to review messages between their salespeople and customers.
So, when the SEC, NASD and NYSE cracked down on five of the top financial-services firms - to the tune of $8.25 million in fines - it became clear that they meant business.
"Failing to manage e-mail is tantamount to mismanagement of corporate assets," says Randolph Kahn, Esq., founder and principal of Kahn Consulting, Inc., an information-management-consulting firm.
Developing a Policy
Making sure that you fully understand the particular rules and regulations that affect your firm is the first step for setting up a company-wide e-mail-management policy. Rules for broker/dealers, for example, differ from those for investment advisers, who, according to the Investment Advisors Act, are not required to use non-rewritable, non-erasable media. The act does, however, specify that records must be indexed, kept in duplicate and retained for up to six years.
"You must also look at what you want to accomplish from a business point of view," says Thomas Bookwalter, president of 17a-4, LLC, an e-messaging, management-consulting company. Adhering to the law is one aspect of e-mail management, but when assessing a firm's current solution, "It's important to identify the gaps and help design a solution that addresses both the legal requirements and the firm's business objectives," he says.
Executives in the legal, compliance, human resources and technology departments should also be consulted when developing a firm's policy. "Executives must negotiate and incorporate everyone's interests, including who is responsible for owning and managing the content of the system, how it works, and how you have budgeted for it," Kahn says. A leader should be appointed if everyone's concerns are to be addressed.
Joe Abbruzzese, senior vice president of Infrastructure and Client Services at Lehman Brothers, says, "You have to have a champion at the highest level of the company spearheading the policy. It's a costly, complex process and, once implemented, it must be rigorously and religiously followed."
Failure to implement or follow such a policy is considered negligence in the eyes of the law. In fact, the Sarbanes/Oxley Act states that employees of publicly traded companies can be penalized for the inadvertent destruction of records. So, high-level executives cannot shy away from getting involved.
An e-mail-management policy is useless, however, if no one adheres to it. "The policy needs to be carefully explained to all users, with an explanation of the corporate liability involved if the procedure is not carried out," says Kahn. And everyone needs to be trained. "It is not sufficient to draft something and be done with it," he says, adding that once the system is up and running, it should be monitored to ensure that everyone is using it correctly.
NASD Rule 3010 and 3110 require the constant supervision of a broker/dealer's electronic communications, either by pre-review or post-review. So, many firms are implementing systems that assist in the supervising and reviewing of e-mails by using lexicons that search for prohibited expressions or by doing an automatic sampling of correspondence. Many systems release the messages first, so as not to interrupt business flow, and survey them afterwards. But it is up to the brokerage houses to come up with their own interpretation of the law from a risk perspective, says Kahn.
Decisions must be made about when and how many of the messages are reviewed, and what is the right percentage of supervision. "Would the SEC, in this environment, be happy if they knew that you only looked at or automatically searched through 5 or 10 percent of these communications?" Kahn asks. Probably not, he says, so it may be better to err on the side of caution.
SEC Rule 17a-4 also requires that a third party be hired to help regulators download records from a firm's storage media in the event that the firm cannot or will not provide access. Several vendors, such as Diversified Information Technologies, Iron Mountain, Sector and Zantaz provide this type of service, as do some outside auditors.
Choosing a Solution
Keeping apace with the recent regulations and interpretations is paramount when choosing a solution. Recently, the SEC clarified Rule 17a-4 stating that all electronic communications - including instant messaging - used to conduct "business as such" must be captured and retained in a non-erasable, non-rewritable fashion. NASD members must also ensure that their use of IM is supervised and recorded under the same guidelines as their e-mail correspondence.
Vendors are now offering IM software that frames out what it regards as conversations or dialogues and passes them onto archiving systems to be integrated with a firm's e-mail messages. Vendors, such as FaceTime and IM Logic, offer technology for capturing IM, and others, such as Legato and KVS, have systems for indexing and archiving IM correspondence.
But storage is not management. And deciding which messages contain pertinent business information "or business as such" remains difficult. Lehman Brothers opted to go with a system that automatically saves all correspondence, Abbruzzese says, declining to name the vendor. "We elected to take the high road and save everything rather than trying to continually interpret what is considered 'e-business as such,'" he says.
All pertinent messages must, however, be indexed and archived in a structured manner that is easy to access and retrieve. Most solutions offer full indexing and surveillance capabilities, allowing firms to efficiently retrieve e-mails and attachments by using detailed search criteria and filters that look for keywords, phrases, dates, and sender/receiver identification.
"Many archiving vendors also offer surveillance capabilities that allow messages and attachments to be quarantined for further investigation if they contain certain words or phrases that may signal e-mail policy violations or criminal activity," notes Patrick C. Gordon, principal consultant at Compliant Systems Consulting, a consulting firm focusing on e-mail and record retention.
If a firm chooses a system that filters out unnecessary e-mails, "You've got to come up with a way to determine what you keep and what you don't keep, and do it in a technological way that doesn't kill your e-mail functionality," notes Kahn. Some systems do a periodic search, using buzzwords to get rid of unnecessary e-mails, while other use auto classifications that capture only what the system thinks it should.
The cost of saving all e-mail, including non-business e-mails, verses the cost of filtration must be considered, notes Gordon. But with the SEC paying such close attention to e-mail archiving, it may be safer to save everything. "It ends up being a trade off between compliance and discovery in litigation; storage space is inexpensive compared to the risk and cost of not complying," Gordon says.
Another issue to consider is the protection of the company's information. "Properly managing your e-mail will help preserve shareholder value and will protect your enterprise and its executives," notes Bookwalter. And from a legal standpoint, "You've got to review your e-mails for things such as attorney/client privilege before they are turned over to a litigant or regulator," notes Stephen Shine, senior vice president and senior regulatory counsel at Prudential Securities.
In-house vs. Outsourcing
Some firms find it's cheaper and more efficient to build an e-mail-storage system, while others opt for an outsourced service provider. "You have to assess your current infrastructure and look at how much you've invested in it so far. Then look at whether or not your internal staff and compliance people can build an infrastructure that would be 17a-4 complaint," says Bookwalter.
Beyond the cost of storage, the other big investment is "intellectual capital," notes Abbruzzese. "It will take your best people to figure this out," he says.
After considering all its solution options, Lehman chose to outsource. "If you look at the total cost of ownership, you'll most likely find that a service provider can do it more cost effectively and with quicker implementation, because this is their core competency," Abbruzzese says. The technical application is not core to your business and offers your business no competitive advantage, notes Bookwalter, so it may be easier to transfer the technology risk to an outsourced company. "I'd say put your energy into the surrounding process and policy and let the vendors - whether it's in-house or outsourced - provide the technology."
Most importantly, "You want to find a vendor that is SEC compliant, financially solvent and can deliver the system and technology in a timely fashion," says Kahn.
Also key is the negotiating of a service-level agreement, warns Abbruzzese. "You want to focus on response time, availability and security," he says. You should also discuss what happens if your relationship dissolves, he advises.
Types of Technology
Several types of media exist for e-mail archiving, protection, availability and compliance. "You have to look at usage and the probability of access in deciding which way to go," says Gordon.
For years, many broker/dealers assumed that they had to use optical media for storing communications. However, in May the SEC issued an interpretive release stating that a variety of non-erasable and non-rewritable media can be used for storage - opening the market to an array of new products. These new solutions may reduce cost and improve efficiency.
In line with the SEC clarification, paper, microfiche-optical disks, WORM tape, and magnetic-disk array are all considered compliant. Vendors are now offering new products such as EMC's Centera, a magnetic-disk array. Net Appliance and Hitachi have also come out with magnetic-disk-array solutions.
The Bottom Line
"Take a look at what you're doing with e-mail and then invest in a solution that can deliver it faster, better, cheaper in a legally compliant way," says Kahn. E-mail management is about managing your business. "It's company information that you are saving; don't sacrifice business information for a cheaper technology," he warns.
By protecting e-mail, a firm is not only complying with the law, but protecting itself. "E-mail is the guidebook to the soul of your company," Bookwalter says.
|Vendors Vie for a Piece of the E-mail-Compliance Pie|
Type of solution: Centera and Centera Compliance Edition - a content-addressed-storage solution designed to meet the unique requirements of "fixed content" - unchanging digital assets retained for active reference and long-term value. Centera provides online access for a wide range of fixed content including, electronic-business documents, e-mail archives, check images and electronic statements.
Clients Include: Commerzbank and Scottrade
EMC recently agreed to acquire Legato.
Type of solution: Exigen Compliance Process Backbone: includes imaging, archive, retention, retrieval and security of all communication documents requiring compliance.
Clients Include: Talbot Financial Network (a regional office within Financial Network Investment Corporation) which is a broker/dealer affiliate of ING Advisors Network.
Type of solution: IM Auditor 4.0, IM Guardian, IM Director: Security, management and control solutions for instant messaging (IM) and other forms of real-time communications in the enterprise.
Clients Include: BankOne, Citigroup, Jefferies & Co, Soundview Technologies, Thomas Weisel Partners, Toronto Dominion Bank and Wachovia Securities.
Type of solution: IMlogic IM Manager: helps companies to cost-effectively meet the compliance archiving and policy requirements for IM, as dictated by the regulatory bodies, by providing tools to capture and review all IM traffic.
Clients Include: Merrill Lynch, Bear Stearns, Stifel Nicolaus, FTN Financial
Type of solution: Enterprise Vault: Archiving compliance, NASD supervision, and discovery-support software-based solutions for e-mail, Sharepoint Portal Server (SPS), File Systems and instant messages.
Clients include: Lehman Brothers; Datek (Ameritrade)
Type of solution: EmailXtender is a centralized data-storage and retrieval system. It automatically moves data off the e-mail-message server and into the storage system, capturing and indexing all incoming and outgoing e-mails. EmailArchive is a solution for e-mail-storage management. It delivers policy-based archiving for unlimited quantities of e-mail by moving e-mail data off the primary servers, freeing up space. EmailXaminer helps organizations monitor e-mail content to assure compliance with government regulations and corporate policies. EmailXaminer is also a data-storage and retrieval system.
Clients Include: Client names not available.
Type of solution: SectorEmail Comply: regulatory e-mail archiving (17a-4), e-mail-record-lifecycle management, e-mail-record search and retrieve, SEC 3rd party services, other record archiving. Managed services.
Clients Include: Client names not available.
Type of solution: ZANTAZ delivers Digital Safe, a scalable, secure archiving solution - SEC 17a-4 compliant solution that captures, archives and retrieves electronic correspondence and digital documents; Digital Supervisor content monitoring and supervision solution - tracks, scans and archives electronic communications (e-mail and IM) for NASD and SEC compliance; MegaTape Restore data restoration and electronic discovery solution - restores massive volumes of backup tapes for legal and regulatory purposes and provides custom-search capabilities for urgent requests.
Clients Include: Client names not available
*These are only a sample of vendors in this space.
Dealing With Regulators
At a recent WS&T event on e-mail archiving, Steven Shine, senior regulatory counsel, Prudential Securities, was asked how to deal with regulators.
He explained that if there is an issue, there will be a number of regulators requesting e-mail records - including the Securities and Exchange Commission and multiple self-regulatory organizations, as well as civil litigants (if there is litigation involved). Shine says, "So what is reasonable under the circumstances and in the case of a joint audit? You've got to be able to deal with regulators and you've got to be able to have the conversation with them and make them understand that no matter what your system capacity is, you're not going to be able to turn around multiple requests and enormous requests in a period of just hours. Twenty-four hours has been the commission standard; sometimes 48 hours. But in the case of enormous requests, multiple requests from multiple regulators and litigants, there's going to have to be a little bit more understanding."
"What you're going to need to do is have a gatekeeper to make sure priorities are set and that these requests are handled as expeditiously as possible. One other complicating factor - as with any document - before it is turned over to a regulator or to a litigant, it has to be reviewed. You've got to review your e-mails for things such as attorney/client privilege and you've got to do that in electronic medium."