WHITE PAPER SPON. The Critical Importance of Archiving in the Financial Services Industry. Published November 2011 SPONSORED BY

Transcription

1 WHITE PAPER N The Critical Imprtance f Archiving in the Financial Services Industry An Osterman Research White Paper Published Nvember 2011 spnsred by SPONSORED BY SPON spnsred by Osterman Research, Inc. P.O. Bx 1058 Black Diamnd, Washingtn USA Tel: Fax: inf@stermanresearch.cm twitter.cm/msterman

2 Executive Summary OVERVIEW The financial services sectr is amng the largest industries in the United States. Fr example, there are 6,413 FDIC-insured cmmercial banks and 1,100 savings institutins i, 7,598 credit unins ii, 4,525 members gverned by the Financial Industry Regulatry Authrity (FINRA) iii, 631,085 FINRA-registered representatives iv, mre than 11,000 investment advisers registered with the Securities and Exchange Cmmissin (SEC) v, mre than 275,000 state-registered investment adviser representatives vi, and in excess f 15,000 state-registered investment advisers vii. Overall, the financial services industry in the United States emplys apprximately 5.8 millin peple and accunts fr abut six percent f ttal US GDP viii. While the sectrs within the financial services industry are smewhat different frm a regulatry standpint, a cmmn thread running acrss all rganizatins is the need t retain business recrds t varying degrees. Fr example, brker-dealers have the requirement t retain all cmmunicatins bth thse sent and thse received as well as written agreements related t their business activities; while banks, credit unins and advisers need t retain nly certain types f cntent. The bttm line, hwever, is that every financial institutin has an bligatin t retain sme f its recrds fr lng perids f time. Because f the increasing prprtin f cntent that is sent and received electrnically in s, ther types f cmmunicatins, and in ther frmats, financial services firms must deply archiving systems that can a) index all relevant cntent, b) place this cntent int archival strage, and c) prvide the ability t search fr cntent n demand. A failure t implement apprpriate archiving technlgy can result in significant financial penalties, as well as legal sanctins, lss f crprate reputatin and ther negative cnsequences. THE FUTURE OF ARCHIVING IN FINANCIAL SERVICES Sme financial services firms d nt archive their and ther electrnic cntent because f their misperceptin that it is less expensive t pay the fines assciated with nn-cmpliance. That said, it is difficult t ascertain exactly hw many firms fail t meet their retentin bligatins because few decisin makers are willing t admit publicly that they are making a cnscius decisin t vilate federal and ther requirements fr preservatin f cntent. Hwever, given the financial meltdwn that began in late 2008, we can surmise with almst abslute certainty that gvernment and industry versight f the financial services sectr in the cntext f data retentin will becme mre stringent and mre difficult ver the next several years, and that archiving systems will play an even mre imprtant rle in helping financial services firms t cmply with their regulatry and legal bligatins. ABOUT THIS WHITE PAPER This white paper discusses the requirement fr financial services firms t retain cntent f varius types, and it discusses what rganizatins shuld d t satisfy these bligatins. It als prvides a brief verview f ArcMail, the spnsr f this white paper and a leading prvider f archiving systems Osterman Research, Inc. 1

3 Electrnic Cntent Must Be Preserved COMMUNICATION AND CONTENT MUST BE PRESERVED Mre than virtually any anther industry, the financial services industry has strict requirements t retain electrnic cntent f all types. Fr example, securities dealers face the mst stringent requirements: Since 1997, with the update f SEC regulatins 17a-3 and 17a-4, regulated securities firms have had t retain . Mrever, they must preserve this cntent n nn-rewriteable media, prvide a searchable index f the archived data, make it readily and quickly available when needed, and they must stre a cpy f their recrds at an ffsite lcatin fr safekeeping. In July 2003, NASD rule was issued that clarified regulated firms requirements t retain instant messaging cnversatins. In January 2010, FINRA published Regulatry Ntice that clarified regulated firms requirement t retain scial media cntent. The impact f the SEC and FINRA requirements is fairly straightfrward: regulated firms must retain relevant cntent fr lng perids, and they must have ready access t this cntent when required, such as during a regulatry audit. The types f cntent that must be preserved include , instant messaging and scial media cntent with the public and with ther emplyees; accunting recrds; mems; advertisements; stp rders; custmer rders; crrespndence; client cmplaints and ther types f infrmatin that are in sme way relevant t the trading peratins f the firm and the regulated individuals. Mrever, regulated firms must als supervise registered representatives thrugh sampling r ther means t ensure that they are in cmpliance with crprate and regulatry plicies regarding the prpriety f cmmunicatins with custmers and thers. In shrt, financial services firms must a) retain cntent and b) have the means t review it when required. REQUIREMENTS VARY BASED ON ROLES AND FUNCTIONS Requirements fr the retentin f data vary t sme extent based n the rle f the firms and the individuals ffering financial services: Brker-dealers As discussed abve, brker-dealer firms and their registered representatives face the mst stringent requirements fr cntent retentin, including retentin f recrds in a nnerasable frmat, serializatin f the retained recrds, time/date stamping f the cntent, and the ability t dwnlad the indexes f the archived cntent, as well as the recrds themselves. Hedge fund managers Hedge fund managers als have specific requirements t retain under SEC guidelines. Starting in February 2006, hedge fund managers/advisers with assets ttaling mre than 2011 Osterman Research, Inc. 2

4 $25 millin have had t register with the SEC in accrdance with the Investment Advisers Act f 1940, making them liable fr retentin f , instant messages and ther relevant electrnic cntent in much the same way that brker-dealers must preserve cntent. Credit unins Credit unins must als retain relevant recrds f varius types in accrdance with varius requirements at bth the Federal and state levels. Fr example, credit unins are required t cmply with recrds retentin requirements as set frth in 12 CFR, Part 749. The Natinal Credit Unin Administratin s Rules and Regulatins Part 749 recmmends cntent retentin requirements fr credit unins, such as the maintenance f a gegraphically separate Vital Recrds Center, althugh the NCUA des nt regulate these practices. Examples f state requirements impsed n credit unins include: Ohi s (Preservatin f recrds retentin perid dispsal) requires sme recrds t be preserved fr ne year, while ther recrds must be preserved fr six years. Hawaii s HRS 412:3-11(f) requires that n financial institutin in the state shall be required t preserve r keep its recrds r files fr a perid lnger than six years, except as specified in subsectin (g). Rhde Island Banking Regulatin 98-5, Credit Unins, states, Each credit unin shall establish and maintain a written recrds retentin and destructin prgram which shall be available t the Divisin f Banking at each examinatin fr review and cmment, but nt apprval. Such a prgram shall be in cnfrmance with any applicable federal depsit insurance laws, rules, regulatins r plicies. Banks Banks must cmply with a number f Federal and state requirements fr retentin f recrds. Fr example 12 CFR 27.5 requires that Each bank shall retain the recrds required under 27.3 fr 25 mnths after the bank ntifies an applicant f actin taken n an applicatin, r after withdrawal f an applicatin. This requirement als applies t recrds f hme lans which are riginated by the bank and subsequently sld. The Bank Secrecy Act f 1970 requires that banks retain recrds that might indicate mney laundering, including cash purchases f negtiable instruments ttaling mre than $10,000 per day. Anther Federal requirement, 12 USC 1829-Sec. 1829b (Retentin f recrds by insured depsitry institutins) requires the maintenance f apprpriate types f recrds by insured depsitry institutins in the United States where such recrds have a high degree f usefulness in criminal, tax, r regulatry investigatins r prceedings. There are als state requirements with which banks must cmply, such as: Vermnt Regulatin B-92-1 prvides specific requirements fr the retentin f varius types f banking recrds Osterman Research, Inc. 3

5 Mntana s (Retentin f Bank Recrds) sets frth minimum retentin perids fr varius types f bank recrds. Suth Dakta s SDCL 51A-13-1 requires that Every bank shall keep such bks and accunts as the directr may require fr the purpse f shwing the true cnditin f the bank, and shall keep accurate, cnvenient, and cmplete recrds f such transactins and accunts in permanent frm. THE BOTTOM LINE FOR ANY FINANCIAL INSTITUTION Every financial institutin including very small nes must cmply with a grwing number f recrds retentin requirements impsed upn them at bth the Federal and the state levels. We anticipate that these requirements will becme mre stringent and will be enfrced mre vigrusly in the wake f the banking crisis that began in Fall The Restring American Financial Stability Act f 2010 includes several recrds-related prvisins, including Sec. 989(d), which states Fr purpses f cnducting the study required under subsectin (b), the Cmptrller General shall have access, upn request, t any infrmatin, data, schedules, bks, accunts, financial recrds, reprts, files, electrnic cmmunicatins, r ther papers, things, r prperty belnging t r in use by a cvered entity that engages in prprietary trading. Mrever, a US gvernment study published in January 2011 ix discussed the ptential fr making investment advisers cntent retentin bligatins mre stringent. The List f Requirements is Grwing THERE ARE MANY COMPLIANCE OBLIGATIONS Financial services firms acrss the spectrum must satisfy a variety f regulatry bligatins t preserve data, including: SEC 17a-3 and 17a-4 Members f a natinal securities exchange, as well as their brker-dealers, must retain recrds that relate t their business as such, including recrds f rder entries, ledgers, accunt infrmatin, crrespndence, puts x, calls, spreads and ther infrmatin that is relevant t their business. As nted earlier, hedge fund managers/advisers are nw subject t Rule 17a-3 as a result f their requirement t register pursuant t SEC 203(b)(3)-2. SEC Rule requires the bks and recrds f investment advisers t be maintained, including jurnals, ledgers, written agreements and ther business recrds. Rule 17a-4 specifies the length f time fr preservatin f recrds, as well as the manner in which these recrds are t be maintained. FINRA Regulatry Ntice In January 2010, FINRA issued Regulatry Ntice that fcuses specifically n scial media cntent. The Ntice fcuses n financial services firms use f blgs, scial media sites, and ther scial netwrking tls. Amng ther things, the Ntice delineates FINRA s requirement that firms are required t retain recrds f cmmunicatins related t the brker-dealer s business made thrugh scial media sites, and [regulated] firms must have a general plicy prhibiting any assciated persn frm engaging in business cmmunicatins in a scial media site that is nt subject t the firm s supervisin Osterman Research, Inc. 4

6 Mrever, recmmendatins f securities made thrugh a scial media site autmatically trigger the requirements f NASD Rule 2310, a rule that gverns firms and registered representatives recmmendatins abut securities and ther financial prducts. NASD Rule 3010 This rule requires FINRA members t establish written prcedures and a supervisry capability that will enable the rganizatin t mnitr the cmmunicatins f its registered representatives. This nrmally invlves sampling a percentage f s in an archive t determine cmpliance with the written prcedures. NASD Rule 3110 This rule specifies that Each member shall make and preserve bks, accunts, recrds, memranda, and crrespndence in cnfrmity with all applicable laws, rules, regulatins, and statements f plicy prmulgated thereunder and with the Rules f this Assciatin and as prescribed by SEC Rule 17a-3. The recrd keeping frmat, medium, and retentin perid shall cmply with SEC Rule 17a-4. Sarbanes-Oxley The Sarbanes-Oxley Act f 2002 requires all public cmpanies and their auditrs t retain such relevant recrds as audit wrkpapers, memranda, crrespndence and electrnic recrds including fr a perid f seven years. Cmpany fficers are bliged t reprt internal cntrls and prcedures fr financial reprting and auditrs are required t test the internal cntrl structures. Businesses must ensure that emplyees preserve infrmatin whether paper r electrnic-based -- that wuld be relevant t the cmpany s financial reprting. Gramm-Leach-Bliley Act The Gramm-Leach-Bliley Act requires that financial institutins prtect infrmatin cllected abut individuals, including names, addresses, and phne numbers; bank and credit card accunt numbers; incme and credit histries; and Scial Security numbers. The Act gives authrity t eight federal agencies and the states t administer and enfrce the Financial Privacy Rule (16 CFR Part 313) and the Safeguards Rule (16 CFR Part 314). The wideranging Safeguards Rule mandates what cmpanies shuld include in their written infrmatin security plan and hw t secure this infrmatin, including using tugh-t-crack passwrds and encrypting sensitive custmer infrmatin when it is transmitted electrnically via public netwrks. GLBA als addresses steps that cmpanies shuld take in the event f a security breach, such as ntifying cnsumers, ntifying law enfrcement if the breach has resulted in identity theft r related harm, and ntifying credit bureaus and ther businesses that may be affected by the breach. Regulatin S-P Regulatin S-P has been adpted by the SEC in accrdance with Sectin 504 f the GLBA. This sectin requires the SEC and a variety f ther US federal agencies t implement safeguards t prtect nn-public cnsumer infrmatin, and t define standards fr financial services firms t fllw in this regard. The rule applies t brkers, dealers, investment firms and investment advisers Osterman Research, Inc. 5

7 Payment Card Industry Data Security Standard The Payment Card Industry Data Security Standard (PCI DSS) encmpasses a set f requirements fr prtecting the security f cnsumers and thers payment accunt infrmatin. It includes prvisins fr building and maintaining a secure netwrk, encrypting cardhlder data when it is sent ver public netwrks and assigning unique IDs t each individual that has access t cardhlder infrmatin. PCI DSS requirements impse a significant burden n any rganizatin that generates electrnic cntent. Sensitive and cnfidential data must be prtected frm interceptin by unauthrized parties, requiring the use f encryptin and ther safeguards. Red Flag Rules Part f the Safeguards Rule, the Red Flag Rules requires financial institutins and creditrs t implement a prgram t detect, prevent, and mitigate instances f identity theft. Affected businesses must develp and implement written identity theft preventin prgrams, which were required t be in place by Nv. 1, The prgrams must prvide fr the identificatin, detectin, and respnse t patterns, practices, r specific activities knwn as red flags that culd indicate identity theft. While regulatins like GLBA, Regulatin S-P, PCI DSS r Red Flag Rules are stensibly fcused mre n security issues, these requirements have imprtant ramificatins fr archiving, as well, since archived cntent must be prtected frm unauthrized access r disclsure. Mrever, archiving technlgies play a key rle in helping rganizatins t satisfy PCI DSS and ther requirements, since archived cntent can be the surce data fr an analytics system fcused n identifying prblems. WHAT ARE THE CONSEQUENCES OF NON-COMPLIANCE? Financial services firms that d nt cmply with the varius requirements fr cntent preservatin can face serius cnsequences, as shwn in the fllwing examples: In September 2011, Ayre Investments was censured and fined $10,000 fr, amng ther things, permitting its registered representatives t use t cnduct business when the firm did nt have a system fr surveillance r archiving. xi Als in September 2011, FINRA censured and fined E1 Asset Management $75,000 fr a number f vilatins, including their failure t prperly retain and archive instant messages sent r received by the firm s registered representatives xii. In February 2011, FINRA reprted that MBSC Securities, BNY Melln Capital Markets and BNY Melln Securities were censured and fined $300,000 fr their failure t prperly retain and review s in a timely manner xiii. In May 2010, FINRA fined Piper Jaffray $700,000 fr failing t retain 4.3 millin s fr a 73-mnth perid ending in December 2008 xiv. In Nvember 2009, FINRA fined MetLife Securities $1.2 millin fr their failure t supervise cmmunicatins adequately, a key requirement with which financial services are t cmply in cnjunctin with their archiving bligatins xv Osterman Research, Inc. 6

8 In February 2007, NASD fined fur brker-dealers a ttal f $3.75 millin fr, amng ther things, nt retaining the s generated by 1,900 registered individuals xvi. In February 2006, Mrgan Stanley was fined $15 millin fr failing t retain s xvii. The firm Strand, Atkinsn, Williams & Yrk was $50,000 fr, amng ther things, failing t retain messages in an accessible, reviewable frmat, and t review incming and utging s during a perid f time. xviii Brwn Assciates, a Tennessee-based brker-dealer, was fined $50,000 fr, amng ther things, failing t prperly archive sme f its business-related s xix. A classic case f nn-cmpliance was the December 2002 SEC settlement with five firms Mrgan Stanley, Salmn Smith Barney, Gldman Sachs, US Bancrp Piper Jaffray and Deutsche Bank Securities fr a fine f $1.65 millin per firm fr their failure t preserve electrnic cmmunicatins and their failure t establish, maintain and enfrce a supervisry system xx. WHAT SHOULD ORGANIZATIONS DO TO REMAIN COMPLIANT? It is imprtant t nte that while mst f the SEC and FINRA fines have fcused n larger institutins, smaller banks, credit unins, brker-dealers and thers are just as vulnerable t fines and ther sanctins fr inadequate recrdkeeping. Given that gvernment versight is increasing acrss all industries, but particularly in the financial services industry, every type f financial services rganizatin must be vigilant t maintain adequate crprate gvernance practices and technlgies in the cntext f recrds retentin. Anther imprtant caveat is nt t fall int the trap f believing that paying fines is cheaper than establishing sund recrds retentin plicies and deplying gd archiving technlgy. While in sme rare cases that might have been true in the past, that is n lnger the case. The tenr f gvernment versight is increasing and the fines will be increasing, making recrds retentin and archiving significantly less expensive than paying the fines in virtually every case. Steps t Address Cmpliance and Retentin Obligatins Osterman Research recmmends that rganizatins in the financial services industry regardless f the aspect f the industry in which they participate undertake a three-step apprach t addressing their cmpliance and retentin bligatins: First, it s critical t understand that yur rganizatin must retain recrds that relate t a wide range f activities in yur business. This is nt an ptin fr any cmpany in the financial services industry, and s every cmpany, regardless f its size, must develp plicies fcused n the retentin f its business recrds. While many f the regulatins that specify data retentin are nt necessarily clear abut exactly what types f recrds t retain and which can safely be deleted, and while sme may nt be cmpletely clear abut the length f time that recrds shuld be retained, it is critical t retain relevant business recrds fr lng perids. The specifics f crprate plicies will need t be hammered ut in discussins with internal 2011 Osterman Research, Inc. 7

9 and external cunsel, cmpliance fficers, regulatrs, cnsultants and thers and will vary based n the particular prducts and services ffered, the states in which a cmpany perates, and s frth. Next, it is critical t deply archiving technlgy that can satisfy cntent retentin plicies. Mst rganizatins deply systems that will archive s and their attachments, but it may als be necessary t archive ther types f cntent, such as files, scial media psts, instant messaging cnversatins and ther infrmatin. Keep in mind the ptential need t sample emplyee frm the archive fr cmpliance r mnitring purpses. Als fcus n lng-term data strage requirements and ensure that whatever archiving system yu deply will be able t satisfy lng-term cntent retentin gals in the cntext f strage space and speed f search acrss large data stres. It is imprtant t nte here smething that may nt be bvius t sme decisin makers: backups are nt archives. While tape and/r disk backups f and ther servers is an imprtant best practice, these backups are nt a substitute fr an archive. Finally, make sure that whatever archiving system yu chse can integrate with and satisfy ther requirements that yur rganizatin might have, such as making available cntent in a frmat that will satisfy regulatrs, external legal cunsel and the like. The ability t prvide cntent in a frmat that will enable easy transfer f infrmatin t thers, particularly regulatrs, is essential because f the smetimes shrt windws that rganizatins are given t cmply with rders t prduce cntent. Summary Archiving in the financial services industry is abslutely essential the ptin fr decisin makers in the cntext f data retentin is nt whether r nt t retain, but nly hw and hw much t retain. Given that requirement and the likelihd that retentin bligatins will becme mre stringent in the future, it is vital that every financial services rganizatin a) create retentin plicies and b) deply the right archiving technlgy that will satisfy its lng term gals. Abut ArcMail ArcMail is the archiving expert, slving critical business issues thrugh best-in-class technlgy and services. Because all businesses need archiving, ArcMail prvides enterprise-class slutins that are scalable t fit any sized business. ArcMail ffers custmers easy t use technlgy and prvides the lwest ttal cst f wnership, ptimizing their IT investment and prviding immediate ROI. ArcMail ffers expertise in archiving issues such as legal ediscvery, user and IT prductivity imprvement, netwrk perfrmance and strage capacity, and much mre. ArcMail s Search and Retrieval capability is the fastest in the industry, in additin, tls and sftware are extremely easy t use, making it simple fr clients t set up and start using within a matter f minutes Osterman Research, Inc. 8

10 2011 Osterman Research, Inc. All rights reserved. N part f this dcument may be reprduced in any frm by any means, nr may it be distributed withut the permissin f Osterman Research, Inc., nr may it be resld r distributed by any entity ther than Osterman Research, Inc., withut prir written authrizatin f Osterman Research, Inc. Osterman Research, Inc. des nt prvide legal advice. Nthing in this dcument cnstitutes legal advice, nr shall this dcument r any sftware prduct r ther ffering referenced herein serve as a substitute fr the reader s cmpliance with any laws (including but nt limited t any act, statue, regulatin, rule, directive, administrative rder, executive rder, etc. (cllectively, Laws )) referenced in this dcument. If necessary, the reader shuld cnsult with cmpetent legal cunsel regarding any Laws referenced herein. Osterman Research, Inc. makes n representatin r warranty regarding the cmpleteness r accuracy f the infrmatin cntained in this dcument. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL. i ii iii iv v vi vii viii ix x xi xii xiii xiv xv xvi xvii xviii xix xx A put is an ptin cntract giving the wner the right, but nt the bligatin, t sell a specified amunt f an underlying asset at a set price within a specified time. Surce: Investpedia Osterman Research, Inc. 9