As regulators try to keep up with technology and the explosion of electronic communications, broker-dealers are scrambling to remain compliant with the shifting regulatory environment. Two recent regulatory moves that have direct and immediate impact on the financial-services industry are the SEC's interpretive release regarding storage requirements for records retention and the NASD's ruling that instant messages must be retained and supervised just like email.
SEC Interpretive Release
Dating back to early 2001, several firms, including ZANTAZ, have urged the regulators to further clarify the e-mail records retention and storage issues related to SEC 17a-4, specifically the SEC mandate to use a storage technology standard called "Write Once Read Many" (WORM) for electronic retention of documents. As a result, the SEC has recently issued an interpretive release regarding storage requirements for broker-dealers, bringing clarity to the regulations governing electronic-document retention. The outcome of this new interpretive release will benefit both industry regulators and broker-dealers alike.
The release clarifies the rules for use of new technologies to meet the requirements of SEC Rule 17a-4, which states that broker-dealers who preserve records electronically must use a digital storage medium or other system that preserves the records "exclusively in a non-rewriteable, non-erasable format."
The release expresses that SEC Rule 17a-4 does not require a particular type of technology or method be used to achieve the non-rewriteable and non-erasable requirement. It states that, "A broker-dealer would not violate the requirement in paragraph (f)(2)(ii)(A) of the rule if it used an electronic storage system that prevents the overwriting, erasing or otherwise altering of a record during its required retention period through the use of integrated hardware and software control codes."
By not specifying a particular technology, the release has raised questions among securities firms as to which formats can most effectively keep them compliant. When you consider the critical areas of compliance-security, time of retention, accessibility and costs-the distinction among the different alternatives quickly becomes evident.
Optical Disk Technology
In 1993, the SEC recognized optical storage technology as being WORM-compliant because it was a non-rewriteable, non-alterable medium. The main reason companies used it, however, was out of default. It was before the newer, less expensive alternatives were readily available, and before it was clear if these alternatives met SEC regulations. But as these new technologies for data retention-and their acceptance by the SEC-have continued to evolve, the costs and difficulty of operating an optical storage system have escalated significantly.
To give you an idea of the impracticality of optical disk systems, a 3,000-person firm generates about one terabyte of e-mail per year. This amounts to thousands of CD-R's or WORM disks. Once a disk is full, it's removed from the drive and archived in some sort of filing system. If retrieving information from those disks ever becomes critical (which it almost certainly will), it can divert critical IT resources and require several days, possibly even weeks, just to locate the relevant data. Imagine trying to locate an e-mail from three years ago-you'd have to wade through tens of thousands of optical disks! This can cost more than just time and money-it can get you into hot water if you have to respond to a regulatory request.
Disk-Based WORM Technology
Disk-based WORM technology is an extremely scalable and cost-effective alternative. Specifically, it meets the non-rewriteable, non-erasable requirements of the SEC by using integrated hardware and software codes that are intrinsic to the system to prevent any tampering. While the underlying hardware storage (magnetic disk) used by these systems may be rewriteable, the integrated codes prevent anyone from overwriting the records.
Another way that disk-based technology can increase efficiency is by leveraging distributed computing systems capable of massive scalability. This means that instead of filling up one optical disk with a finite amount of data, distributed computing uses computers in remote locations to scale exponentially as storage needs arise. SEC Rule 17a-4 requires financial-services firms to be able to retrieve specific e-mails and produce them immediately in case of an investigation or during litigation. Disk-based systems give users access to their data via a secure user interface. Users can perform text-based searches and select specific records to view in a matter of seconds. This gives broker-dealers the ability to respond to regulators quickly, while satisfying the requirements of the SEC regarding accessibility of archived records. And because the data is online, records retention management is greatly simplified.
If you're using a disk-based technology or any other non-optical technology such as WORM Tape, the SEC requires only that you notify your examining authority at least 90 days before initiating the technology. Your vendor should be proactive in providing assistance in preparing the necessary 90-day notice documentation.
NASD Instant Messaging Requirements
In another recent regulatory development, the NASD ruled that instant messages have to be retained for at least three years and supervised, just like e-mail.
In a notice to its members dated June 18, 2003, NASD says: "Regardless of the informality of instant messaging, it is still subject to the same requirements as e-mail communications and members must ensure that their use of instant messaging is consistent with their basic supervisory and record keeping obligations." The NASD decision followed a similar directive from the New York Stock Exchange, which stated that record retention as outlined by NYSE Rule 440 and SEC Rule 17a-4 applies to instant messages as well as e-mail. Other organizations such as the American Stock Exchange and Commodity Futures Trading Commission have similar rules for their members.
This means that brokerage firms need a solution that enables them to automatically index and archive-and quickly retrieve-all instant messaging conversations. The optimal solution will integrate seamlessly into your e-mail -archiving system, providing an all-in-one, total compliance package.