Director of Information Governance
and General Counsel
Financial institutions are required to maintain and produce a variety of records related to their business activities, many of which exist in an electronic format. In order to satisfy the increasing number of regulatory mandates around electronic data, organizations should assess their regulatory obligations and streamline efforts to capture, maintain, identify and produce these records to regulators. Globanet offers ten steps to guide organizations through this complex process.
As a result of the Dodd-Frank Act, the financial regulatory landscape is in a state of flux, with new rules being promulgated every month. The objective of these new regulations is to increase transparency and ultimately to reduce systemic risk to capital markets. What this means functionally is that financial institutions must have their internal records in order so that they may accurately and quickly report on activities to regulators and, in some instances, the public.
Although the Securities and Exchange Act and Financial Industry Regulatory Authority (FINRA) rules have long directed organizations on financial recordkeeping requirements, there are now additional regulations requiring institutions to retain and deliver records to regulators. Collectively, these rules lay out specific requirements around the creation and retention of electronic records, including mandates around storage requirements and the designation of a third party who may access an institution’s electronic financial records. In order to satisfy these requirements, organizations need to ensure not only that the appropriate records are being captured and maintained, but also that the records can be quickly located and produced to the requesting authority. Requesting parties may include the U.S. Securities and Exchange Commission (SEC), FINRA, the U.S. Commodity Futures Trading Commission (CFTC) and state regulators.
Below we lay out ten steps to help organizations efficiently capture, maintain, identify, and produce electronic records in accordance with regulatory mandates and industry best practices. Of course, where to begin will depend on the maturity level of the organization’s information governance program and existing methods and policies.
1. Know the rules that govern electronic data
There are several regulations that will shape an organization’s compliance program around electronic records, including:
- SEC Rule 17a-3: Requires broker-dealers to maintain certain records including trade blotters, asset and liability ledgers, income ledgers, trial balances, customer account ledgers, securities records, order tickets, trade confirmations, account statements, employee records, and customer complaints.
- SEC Rule 17a-4: Specifies the manner and duration in which broker-dealer records must be retained, including explicit guidelines for storing records on electronic media. This rule also requires the designation of an independent third party who can access and deliver electronic records to regulators if called upon to do so.
- CFTC Regulation 1.31: Requires records to be retained for a period of five years and kept readily accessible during the first two years. Additionally, any records stored on electronic media are to be produced immediately upon request by the Commission or Department of Justice. This rule also requires the designation of an independent “Technical Consultant” to deliver records to regulators if called upon to do so.
- FINRA Rule 4500 Series: Member firms are required to maintain books and records in accordance with SEC Rules 17a-3 and 17a-4, including customer account information and customer complaints.
- NASD Rule 3010: Member firms must establish, maintain, and enforce written procedures to supervise all electronic communications used by the firm and its associated persons to conduct the firm’s business.
- FINRA Rule 2210: Members must maintain all communications with the public in accordance with SEC Rule 17a-4.
2. Identify the data that needs to be captured
There are several record types that must be maintained by financial institutions, many of which are likely to be in an electronic format. Typically, these records can be classified in the following categories:
- Business Records: includes corporate documents such as articles of incorporation, meeting minutes, stock certificate books, and broker-dealer forms.
- Financial Records: includes proof of money balances of all ledger accounts, audited annual reports and audited financial statements.
- Communications with the Public: includes advertisements and sales literature, all written and electronic communications sent and received, and electronic notices.
- Account Records: includes account profile information, account updates, written account agreements, and account statements.
- Transaction Records: includes blotters, ledgers, and trade tickets.
- Personnel Records: includes identification information, employment history, disciplinary history, fingerprint cards, and compensation information.
- Compliance Records: includes lists for all associated persons and principals, compliance and supervision manuals, exception reports, and customer complaints.
Some data types, like account information and transactional records, are likely to be stored in a structured format, which makes capture and retrieval fairly simple. However, several record types are likely to be stored in an unstructured format, which makes capture and retrieval more challenging. These record types include website materials, email messages, instant messages, chat room communications, and social media posts.
3. Work with IT to determine which record types are already captured
After the organization has developed a comprehensive list of the record types that must be captured and maintained, work with Information Technology resources to determine which are already being captured and identify any gaps. It is important to understand how the records are being captured, the format of those records, how the records are stored, the retention policy for each record type, and how the records can be searched and produced. Additionally, it is important to understand whether backups or other copies of electronic records exist and how those backups are maintained.
4. Define and implement retention policy
Unlike non-regulated industries where retention policies are typically defined by the organization, retention periods for financial institutions are clearly spelled out, albeit across several regulatory sets. SEC, FINRA, and CFTC rules all lay out retention periods for various record types ranging from one month to the life of the company. Not only is it important to identify and document the retention period for each record type, it is equally important to establish and document the processes for enforcing retention and deletion of records. This is especially true for records that are not natively stored in a system that automates the retention and deletion process, such as social media or web content.
5. Capture and standardize data
Once the required records and appropriate retention periods for each have been identified and documented, work with IT to ensure that data is being captured and properly stored. Some record types may be created, captured, and retained in the same application. Other records, such as data collected from trading platforms, may be created in one application and retained or archived in another application. For those records that are the subject of systemic compliance review or audit, data should be stored in a format that is conducive for use by compliance review tools. Additionally, the format of the records and the manner in which they are stored should allow for indexing and subsequent search. For example, records that originate from trading platforms like Bloomberg or Reuters may be maintained in large bulk files. These data types can be further processed and parsed into individual messages so that they can be archived and searched to produce single, discrete messages.
6. Centralize data sources for immediate search and access
The manner in which data is stored will certainly impact the level of effort exerted by both IT and Compliance to manage, access, and produce records. By reducing the number of repositories in which data is stored, organizations can considerably reduce these efforts and, ultimately, costs. Consider using a data archiving solution to capture and centralize unstructured data types such as email, instant messages, web content, and even unique data types like messages from trading platforms. Standardizing on a best of breed solution will reduce the complexity and risk of maintaining compliance data. Industry analyst, Gartner, has identified and ranked various archiving software vendors, as shown in their Magic Quadrant below:
Source: Gartner, Inc. Magic Quadrant for Enterprise Information Archiving, December 2012
7. Deduplicate data for maximum storage ROI
Where possible, reduce the duplication rate of data to 0%. Data is duplicated at various points along the collection chain. Duplicate data requires more hardware, storage and human capital to collect, manage, supervise, and retire. Most archiving solutions have deduplication capabilities, and many of them are quite efficient; however, care should be taken to remove duplication as close to the data source as possible to minimize the requirements and costs along the entire compliance data stewardship chain.
8. Ensure that your compliance data is fully indexed and searchable
In contrast to other industries, indexing of data so that it is easily accessible is not optional for financial institutions. Indexing allows for the search and retrieval of discrete records based on various criteria such as custodian, date, data source or keyword.
Both SEC and CFTC rules require records stored on electronic media to be indexed so that organizations can quickly locate and deliver information to regulators. For structured data, records are natively stored in a format that allows for easy search. Unstructured data, on the other hand, isn’t always in a format that makes identification easy. For example, instant messages may need to be captured, then parsed into individual messages or conversations, and then indexed in order to effectively locate and produce the appropriate records. In addition to easing the challenges associated with locating a needle in a haystack, a complete index also helps to ensure that organizations are producing the requested records and nothing beyond that.
9. Maintain authenticity of your data
Although most regulatory investigations will not end up in court, it is important to maintain authenticity of your data as if it may be used as evidence in future proceedings. This means that critical components must be preserved including metadata (author, create date, last revised date, etc.) and content (body of an email, charts in an advertisement, IM conversations, etc.). It is important to work with your IT resources to confirm that the processes used to capture, index, and review electronic records are not altering or deleting critical components of the data. Additionally, if data is moved from its original repository, an organization may be called upon in court to provide chain of custody for that data.
10. Develop compliance supervision processes and engage independent auditors
NASD 3010 requires organizations to establish written procedures for reviewing electronic communications. There are several technology solutions on the market that automate and reduce the burden of manual compliance review. Many of these platforms require data to be fed or pushed to the solution, where it can then be sampled based on keywords and other criteria and presented to reviewers for assessment. When evaluating such solutions, it is important to bear in mind that no solution will likely meet all of an organization’s needs and that gaps may need to be filled through manual processes.
Regardless of the technology or method employed, it is critical that each step of the supervision process is clearly documented and can be audited. This means that each decision point needs to be logged so that an organization can demonstrate compliance to regulators. Additionally, it is advisable to engage an independent auditor to assess the supervision process to determine whether the procedures are sound and in line with industry best practices.
As regulatory recordkeeping requirements expand, it is imperative that financial institutions regularly examine their ability to comply with regulations. Scheduled audits of supporting policies, processes and technologies, to ensure that requisite data is being captured and maintained, are advisable. Additionally, working closely with IT to identify and implement supporting technologies will not only improve success rates, it will also likely result in improved efficiencies and cost savings for both groups. If your organization does not have the IT or compliance resources to address these requirements independently, work with outside professionals who can provide guidance.
Shannon Smith is the Director of Information Governance and General Counsel at Globanet where she manages a portfolio of ediscovery and compliance offerings, including services to support the industry-leading ediscovery platform, Clearwell.
Shannon also consults directly with corporate legal teams to develop policies and processes to support information governance programs. As an experienced attorney, Shannon brings an extensive knowledge of regulatory compliance, litigation readiness, and records management issues to her role.
She is a member of industry groups EDRM and Sedona Conference and has contributed articles to a number of publications including Corporate Counsel and Information Management. Shannon has also spoken to various groups regarding cloud technology, preservation processes, and reducing ediscovery costs. She is a Certified eDiscovery Specialist and holds both a Juris Doctorate and MBA from Loyola Marymount University.
Globanet is a leading provider of archiving and ediscovery solutions worldwide. Founded in 1996, the company is a pioneer in archiving and intelligent information governance, and has developed a portfolio of software and services to help organizations manage data from creation to expiry.
Globanet’s proprietary solutions include the Merge1 message capture platform for regulatory compliance and Migrate data migration software. A Symantec Platinum Partner with Master Specialization in Archiving and eDiscovery, its professional services team has extensive experience with industry-leading Enterprise Vault and Clearwell. Globanet’s broad range of services includes policy and solution design, installation and configuration, data migration, custom add-ons and project-based ediscovery consulting.