Managing digital information presents some major challenges for the financial-services-IT community. Use of electronic records is growing at a dramatic rate, while mismanagement of digital information seems commonplace. As reported recently by the General Accounting Office, even the electronic-records policies and practices of the National Archives and Records Administration (the country's official recordkeeper) "have not yet evolved to reflect the modern record-keeping environment."
Take no solace that even experts are having a difficult time because, as we have witnessed over the past year, failing to properly manage e-records can make once-great companies fall, motivate regulators to mete out onerous penalties and form the basis of criminal convictions.
Information technology now makes it possible, if not totally convenient, to transact business virtually anywhere, anytime. Instant messaging, groupware, e-mail, messaging pagers, personal-digital assistants, Web-enabled-mobile phones, peer-to-peer networks, and so on, are used daily throughout most financial-services companies. However, these technologies are commonly used without much thought about how good records-management policies and business rules should be applied.
Unfortunately, there often seems to be a fundamental lack of understanding of even the most basic principles regarding e-records and a total disconnect between what the IT professionals do and what the laws require. Just because a brokerage company has no policy to ensure that it captures and reviews e-mail sent from a Registered Representative's PDA to a client does not make it right. Failing to apply the company retention rules to electronic records does not mean that the seemingly innocuous practice will be acceptable to regulators. Even though instant messaging seems "casual," one should not conclude that an instant message can't be considered a business record or otherwise need to be retained. Web sites not only require maintenance of the technology but also need management of their records. As content changes, there may be a need to capture each new view in a snapshot.
Real business is conducted regularly with technology that seems "casual." However, when otherwise temporal-messaging systems are used to do business, their casual nature no longer matters. It's the content that matters, not the system through which it passes or on which it is stored. For example, according to the guidance provided to brokerage firms by the NASD, Conduct Rule 3110 dealing with books and records: "requires that correspondence with public customers, both written and electronic, be maintained in compliance with NASD rules and the SEC Rules 17a-3 and 17a-4. This means that an RR's (registered-representative) e-mail correspondence with the public relating to the firm's business, generated both at the office and at home, is subject to these provisions."
Failing to apply formal policies and practices to the use of communications in business will result in information about business events being improperly managed.
First, communications technologies may inadvertently memorialize, and create a record of business "conversations" that otherwise would have been temporal if they had occurred on the telephone or in person. So, for example, it may be advisable to instruct employees to refrain from writing unsubstantiated personal opinions in e-mail, instant messages or on chat databases because they may be taken out of context and used against the company in a lawsuit.
Second, communications technologies may not allow for methodical capture and management. In other words, had the same "conversation" or business event taken place in a paper-based environment, a reliable record that was managed from creation to disposal would likely have been created. Either case demonstrates the need for Wall Street-IT professionals to take a more active role in their ownership of the firm's information "crown jewels" sooner rather than later. The sooner that formal policies and rules are applied to new communication technologies, the faster the problem can be controlled; non-record data separated from important records; database and storage loads reduced; laws and regulations complied with; and the efficiency of enterprise-data management improved.
Instant Messaging (IM)
A number of court cases have been filed where electronic messages, including instant messages, have been offered as evidence. In one case, because there was apparently no readily available means for IM retention, a needed message was cut and pasted to a word processing document and later offered as evidence in a lawsuit. However, the court excluded the message because it was deemed unreliable in the absence of authenticating metadata. This case demonstrates that the courts still care about evidentiary characteristics such as completeness and trustworthiness when it comes to IM records and other e-records.
The point is clear - manage e-records properly, and they can be useful evidence. Manage e-records poorly, and they will be attacked and likely excluded by the court. SEC and NASD regulations may also require that firms retain certain IM messages. As such, firms need to develop and implement formal policies and practices regarding the use of IM and the retention of IM messages before the technology is implemented.
The use of a Web site to advertise or transact firm business can have profound legal implications. According to the NASD, "Web sites are advertisements and are subject to all requirements of NASD..." In addition, a court recently made clear that a litigant was remiss in not producing Web pages that were needed in a lawsuit. The court ordered the defendant "to produce copies of all versions of its Web site for a specified 69-day period," and "log files and back-up tapes of (their) Web site."
The court penalized the company for not producing the Web pages and for seeking to destroy the requested Web content. Among other things, this case demonstrates that the contents of a Web site should be considered to contain records that require formal management policies and practices that are similar to those applied to paper records. Thus, for example, it would be a mistake to assume that a regulator that requires customer complaints to be retained would apply a different requirement to a complaint just because it was "filed" through the firm's Web site.
Further, if Web records are going to be considered usable, the courts are going to require trustworthy evidence and integrity in their management from creation to use. For example, a court recently excluded a paper printout of a Web site page because only part of the Web page printed to paper. Portions of the text that could be viewed on a computer screen were cut off when printed to paper. Because the complete record was no longer available and no one could fill in the missing text, the court concluded, "something was not better than nothing." Because a company's legal interests can be jeopardized by simple technology decisions during implementation, there is a need to get it right upfront.
Chat Room & Discussion databases
The NASD has made clear that non-company chat rooms are considered "public forums" and "chat-room participation by RRs is subject to the same guidelines as public appearances."
On a separate note, how does IT manage inner-office-discussion databases? Say, for example, a company allows employees to communicate on internal discussion areas about "business-related" topics and, in this instance, the marketing group discusses the sales pitch that will accompany a new financial product marketed to parents of college-bound kids. One of the employees flippantly mentions that "if the poor parents buy this investment they will be forced to send their kids to local community college." Some time down the road, in the context for a lawsuit, the plaintiff requests all records, communication, and so on. The chat discussion database is requested. Does the "damning" chat still exist? Is the chat content managed according to the company-retention schedule? What if a technologist who owns the system gets rid of such databases whenever storage space is used up and is unable to show that the contents were not destroyed in anticipation of receiving a lawsuit? Worse, what if the dialogue is captured on back-up tapes and retained long after retention rules otherwise required.
Recognizing and managing data wherever its exists as a potential company record will not only promote the company's competitive value of "faster, better, cheaper," but will make sure that IT is truly harnessing the value of its technology, and properly managing its valuable resources.
ABOUT THE AUTHOR
Randolph Kahn, attorney and consultant, Kahn Consulting, Inc.
Randolph Kahn is an attorney and consultant with expertise in the legal, risk and policy issues of records, digital information and e-business processes. He is a principal of Kahn Consulting, Inc.
------------------------------ ------------------------------ ------------------------------
WS&T is looking for commentary pieces for its online resource centers and print magazine. If you are an executive-level employee at a financial institution, feel free to submit a 200-word description of the topic you wish to cover to Managing Editor Anthony Guerra at [email protected] A typical "Industry Voice" piece might begin by describing an IT problem financial executives are facing and some possible ways to solve it, or merely an executive musing about the pros and cons of a new industry trend or proposal.