Streamlining Email and Content Supervision in an Increasingly Regulated Electronic World




March 2013
Enterprise Content Management

Federal compliance requirements, particularly those that address registered representative communication archiving and content supervision, can feel like moving targets. At the same time, the way financial professionals interact continues to undergo a massive shift toward electronic and mobile channels. All this can make compliance officers feel as if they're no longer standing on solid ground. This paper explores the implications of current regulations, lays out solid best practices for compliant processes, and presents a solution that can provide audit-proof* supervision that fulfills federal, industry, and internal requirements.

ING Firms Fined for Review Failure: In February 2013, FINRA fined five ING affiliates $1.2 million for failing to capture millions of emails, and for failing to review nearly six million messages flagged by their review software. [13]

The Realities of Capturing and Monitoring Electronic Communications

Just a few years ago, employees tended to have one company-supplied email address with which to communicate electronically. Today, that's definitely not the case. From instant messages and personal web-based email accounts to myriad mobile devices, the variety of communication channels that must be monitored has grown dramatically. In fact, a 2012 survey found that more than half of all financial services firms allow iPhones, iPads and Android devices on their corporate networks. [1]

The need to retain and monitor information sent across these platforms has made compliance activities significantly more complicated, and federal regulators have expressed that the guidelines apply to all messages, regardless of how they are carried. As more new ways to communicate emerge, application of security laws and self-regulatory organization (SRO) rules must also evolve. Compliance officers have to be nimble, acting quickly to mitigate risk as scrutiny and enforcement by federal regulators is on the rise.
In the first half of 2012, FINRA fined financial services firms more than $39.4 million, 15 percent more than the year prior. Some of these penalties exceeded $1 million, and that doesn't begin to measure costs to the firms' reputations, given the public arena in which these sanctions play out. [2]

Interestingly, some of the most recent violations point to inefficiency and lack of reliability in the supervision process itself, rather than dubious broker behavior. It's no surprise that, given the sheer volume of information requiring oversight and the fragmented archiving systems many companies rely on, even firms with systems in place are failing to identify potential violations and are incurring fines.

These failures suggest that the answer to reliably supervising vast numbers of messages with limited resources lies in advancing technology. Until recently, however, technology solutions tended to focus on the archiving portion of the requirement; even Gartner analysts were just beginning to address the potential for electronic communication supervision within archiving frameworks in their most recent Magic Quadrant report. [3]

Citigroup Pays for Not Saving Email: FINRA levied a $750,000 fine on a Citigroup unit in 2011 for not retaining millions of emails during an archive upgrade. [14]

Interpreting Regulatory Rules and Guidance

The goal of any email supervision program should be to demonstrate that adequate review is being performed. Regulators know that firms can't read every email and instant message sent. Rather, a consistent process must be in place, and reviews should be performed by knowledgeable personnel who can recognize issues and escalate them as needed.

There is no free pass for new communication platforms, no matter how challenging. FINRA requires firms to establish policies regarding just what forms of communication can be used. [4] Then, according to the FINRA and SEC guidelines, the rules are based on the content and audience of the message rather than the form of communication. [5,6] Consequently...FINRA expects a firm to have supervisory policies and procedures to monitor all electronic communications technology used by the firm and its associated persons to conduct the firm's business. [7]

Just as important, firms must ensure that they have processes in place to keep records of these communications, as required by previous SEC, NASD, and NYSE rules. Some channels, including instant messages, online message boards, e-faxes, personal email, and websites have been specifically called out within the regulations, but the rules have been written to apply to platforms we can't yet envision, referring to any existing and future electronic communications technology that this guidance may not address. [8]

The SEC position on this was written long before email was imagined and still sums up the attitude toward SRO compliance today. The Investment Advisers Act of 1940 states that ...no person shall be deemed to have failed reasonably to supervise any person, if:

  a) there have been established procedures, and a system for applying such procedures, which would reasonably be expected to prevent and detect, insofar as practicable, any such violation by such other person, and
  b) such person has reasonably discharged the duties and obligations incumbent upon him by reason of such procedures and system without reasonable cause to believe that such procedures and system were not being complied with. [9]

Simply put, complying with subparagraph A requires that adequate policies and procedures are in place. Of course, subparagraph B is more difficult to satisfy. Demonstrating that these duties have been reasonably discharged requires showing that the procedures have been put into practice and carefully adhered to. This adherence requires establishing workflows and maintaining full audit trails detailing what steps were taken and how decisions were made.

Should a misleading or questionable email surface, one of two things can happen. You can either produce evidence of adequate email review, making it much more difficult to bring action against your firm, or you can pay the high price tag associated with inadequately monitoring employee communications. But it helps to know that, if you follow best practices in establishing your electronic content supervision procedures, it will be difficult to charge your organization with failure to supervise.

Piper Jaffray: Retention and Disclosure Violations: In 2010, Piper Jaffray was fined $700,000 for issues with email retention, as well as failure to inform FINRA of the problem. [15]

Guidance Regarding Review and Supervision of Electronic Communications and Content

As FINRA acknowledges, technological innovation has dramatically changed how firms deliver, receive, and store communications. Fortunately, the organization has issued clear guidance for developing systems and procedures for reviewing and supervising electronic communications.

1. Lexicon-based search technology to flag messages. Automated search tools can identify content that might contain evidence of improper conduct, customer complaints, errors, and other content as required by SRO and internal policies. However, an effective system should provide the ability to:
   - Customize the list of trigger words and phrases to your policies, clients, product set, and so forth, and update it regularly.
   - Include jargon, slang, misspellings and common errors.
   - Review images and identify attachments designed to thwart review.
   - Exclude disclaimers and email template text, such as "having trouble viewing this email?" or "the firm does not guarantee," which might appear in every email.
   - Review foreign-language and encrypted messages.
   - Restrict access to the list of terms.

2. Additional random sampling of content. Certainly, no system can detect highly sophisticated codes or carefully worded infractions. But by combining lexicon-based search with random sampling, firms can monitor a percentage of communications containing unstructured information files (JPG, JPEG, BMP, GIF, TIFF, PDF, etc.) and attachments to check for policy or rule violations. This approach increases the chance of finding emails that were written, or that include unstructured content, specifically to avoid triggering the lexicon search. While random review is required, no specific percentage is recommended for it, and this option offers an opportunity to keep closer watch on specific offices or business units, or even individuals with a disciplinary history.

3. Secure access and administration. Security is essential to a supervision system, starting with control of the keyword list. After all, if employees know what terms will trigger a flag, they can easily craft messages that will sail through.

4. Well-defined reviewers and responsibilities. Not only must procedures be clearly delineated, firms must also clearly identify who is responsible for performing the reviews. FINRA requires all reviewers to have sufficient knowledge, experience, and training to adequately perform reviews. In addition, firms must be able to demonstrate that their reviewers meet these criteria.

5. An audit log of all reviews and actions taken. This piece of the puzzle is key to demonstrating adequate policies and procedures are being followed. FINRA requires that Members must evidence their reviews, whether electronically or on paper, and be able to reasonably demonstrate that such reviews were conducted. [10] The evidence of review should, at a minimum, clearly identify the reviewer, the communication that was reviewed, the date of the review and the steps taken as a result of any significant regulatory issues that were identified during the course of the review. [10]

6. Timely search and review. Federal regulations suggest that reviews should occur within reasonable timeframes, but they also ask that firms recognize how hard it can be to solve a problem if it isn't addressed quickly. Daily review is the most efficient approach, because a backlog of flagged content can easily become overwhelming.

7. Archiving according to internal and industry guidelines. Archiving is the one practice most financial services firms already observe, holding on to business-related electronic communications for three years in a non-rewriteable, non-erasable format. [11] But it's no longer enough to merely retain content. Archive systems must also support e-discovery, because these requests can be time consuming and expensive, placing an undue burden on the firm to identify and provide nonprivileged documents in a timely manner.

Ultimately, any technology solution designed to automate electronic content supervision must be structured enough to demonstrate compliance, yet flexible enough to adapt to changing inputs and guidelines.

MetLife Suffers Supervision Failure: MetLife Securities and three affiliates were fined a total of $1.2 million in 2009 for failing to establish adequate review procedures. [16]
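
An added example, not part of the original paper or of any vendor's product: a Python illustration of guidance items 1, 2 and 5 above (lexicon flagging with template text excluded, random sampling of unflagged messages, and an evidence-of-review log). The lexicon, reason codes, sample messages, reviewer name and the hash chaining of log entries are constructed assumptions.

```python
import hashlib
import json
import math
import random
import re

# Constructed lexicon: reason code -> pattern. Real term lists are firm-specific
# and access-restricted; these patterns also tolerate common misspellings.
LEXICON = {
    "GUARANTEE": re.compile(r"\bguar[ae]nt(?:ee|y|ie)\w*", re.I),
    "COMPLAINT": re.compile(r"\bcompla(?:in|nt)\w*", re.I),
    "PERSONAL_CHANNEL": re.compile(r"\bmy personal (?:e-?mail|account)\b", re.I),
}

# Template text that appears in every message and is excluded before matching.
TEMPLATE_TEXT = ["having trouble viewing this email?", "the firm does not guarantee"]

# Constructed sample messages (not real data).
MESSAGES = [
    {"id": "m1", "body": "I can guarentee a 12% return on this fund, no risk at all."},
    {"id": "m2", "body": "Statement attached. The firm does not guarantee future "
                         "performance. Having trouble viewing this email? Use the client portal."},
    {"id": "m3", "body": "Mrs. Lee wants to file a complaint about last month's fees."},
    {"id": "m4", "body": "Send the forms to my personal email instead."},
    {"id": "m5", "body": "Lunch on Thursday?"},
    {"id": "m6", "body": "See the attached chart."},
]


def strip_template_text(body):
    """Remove disclaimer/template phrases so they cannot trigger a flag."""
    for phrase in TEMPLATE_TEXT:
        body = re.sub(re.escape(phrase), " ", body, flags=re.I)
    return body


def lexicon_reasons(body):
    """Return the sorted reason codes whose pattern matches the cleaned body."""
    cleaned = strip_template_text(body)
    return sorted(code for code, pat in LEXICON.items() if pat.search(cleaned))


def select_for_review(messages, sample_rate, seed):
    """Queue every lexicon hit, plus a random sample of the unflagged rest."""
    queue, unflagged = {}, []
    for msg in messages:
        reasons = lexicon_reasons(msg["body"])
        if reasons:
            queue[msg["id"]] = reasons
        else:
            unflagged.append(msg["id"])
    k = min(len(unflagged), math.ceil(sample_rate * len(unflagged)))
    for msg_id in random.Random(seed).sample(unflagged, k):
        queue[msg_id] = ["RANDOM_SAMPLE"]
    return queue


def entry_digest(entry):
    """SHA-256 over the entry's fields, excluding its own digest."""
    payload = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def record_review(log, reviewer, msg, reasons, action, reviewed_on):
    """Append evidence of review: reviewer, communication, date, steps taken."""
    entry = {
        "reviewer": reviewer,
        "message_id": msg["id"],
        "message_sha256": hashlib.sha256(msg["body"].encode()).hexdigest(),
        "reviewed_on": reviewed_on,
        "reasons": reasons,
        "action": action,
        # Assumption: each entry links to the previous one so edits are detectable.
        "prev": log[-1]["entry_sha256"] if log else "0" * 64,
    }
    entry["entry_sha256"] = entry_digest(entry)
    log.append(entry)
    return entry


def chain_intact(log):
    """True if no entry was altered, removed or reordered after it was written."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry["entry_sha256"] != entry_digest(entry):
            return False
        prev = entry["entry_sha256"]
    return True


if __name__ == "__main__":
    queue = select_for_review(MESSAGES, sample_rate=0.5, seed=7)
    log = []
    for msg in MESSAGES:
        if msg["id"] in queue:
            record_review(log, "reviewer.a", msg, queue[msg["id"]], "reviewed", "2013-03-01")
    print(json.dumps(queue, indent=2), chain_intact(log))
```

Message m2 shows why template exclusion matters: its disclaimer matches the GUARANTEE pattern on the raw text but produces no flag once the template phrases are stripped.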
Automated, Intelligent Content Supervision: izon Compliance

Designed to meet the demands of the financial services industry and built on the IBM ECM platform, izon Compliance provides a single integrated solution for review and audit-proof supervision of post-archival content such as email, documents and instant messages.

The izon Compliance solution searches archives daily for potential infractions, based on the organization's policies and trigger keywords and phrases. Flagged content is sent to legal, human resources, or compliance reviewers as appropriate, along with a message about why the message triggered review. Auditors can view the documents in question in an intuitive interface, enter comments, and document that the review has been completed. Their actions and notes are preserved in an audit trail to demonstrate adherence to procedures and comply with FINRA recommendations. [12]

In fact, izon Compliance provides detailed audit trails of the complete supervision and referral process. All activities, including versions and changes, reason codes, and escalation of message review, are captured to provide the necessary auditable proof of adequate, consistent supervision.

The izon Compliance solution is unique in its ability to integrate with other departmental systems to provide functionality beyond basic archiving and content review. For example, izon Compliance can integrate with human resource systems to act as a central repository for certifications and employee data that can assist a reviewer in making a decision about questionable content. Or it can integrate with legal and compliance case management databases to cross-reference pending litigation, prior warnings, or past violations. This additional detail can save reviewers significant time by ensuring that the most complete, up-to-date information is available at their fingertips.

Fewer false positives and duplicate messages help reviewers stay on top of the volume of communications that require their attention.

While ensuring compliance is the first priority, izon Compliance also delivers exceptional efficiency, reducing the time and costs associated with content supervision. For example:
- Industry-leading, lexicon-based search combined with meaning-based searches substantially reduces false positives while pinpointing more likely violations, compared to other solutions.
- Adaptable, automated referral processes direct flagged content into workflows based on reason codes, eliminating the need for manual escalation and review.
- Bulk review capabilities allow multiple items to be reviewed and annotated at one time, minimizing duplication of effort.
- Custom warnings and notifications are easily generated and delivered to appropriate parties with a click of the mouse.
- A reliable language-translation option is available and ideal for global organizations.

Customer Story: Financial Services Company with Approximately 40,000 Licensed Securities Representatives

Challenge: This organization supervises the email of 40,000 licensed securities representatives. Traditionally, this content was searched using simple word-based lexicon lists that resulted in an enormous amount of false positives and junk messages. On average, the legacy system returned more than 15,000 messages for review each day. Naturally, reviewers were extremely overtaxed and unable to review 100% of the flagged messages, exposing the company to risk.

The izon Compliance Solution: In a head-to-head review of the same pool of messages over 15 days, izon Compliance flagged about 85% fewer messages. However, the izon Compliance system identified 25% more violations. What's more, izon Compliance accelerated review time through its automation and integration capabilities. In a single click, reviewers had access to certification dates and prior legal case histories of licensed representatives, and they could issue automated warning letters for minor first-time offenses. They could also highlight messages with the same subject line and bulk review messages. Unlike the legacy system, emails that were flagged for referral were given reason codes and comments and were tracked through the entire workflow. Conversely, referrals in the legacy system resulted in messages being printed out and added to folders. Finally, izon Compliance was able to help spot trends and identify reporting and supervisory training issues within lines of business and clusters of representatives.

The bottom line: Ultimately, the customer
- Reviewed fewer flagged emails.
- Identified more violations.
- Saved more than an hour for each violation by not having to seek additional information in other departmental systems.
- Had no need to print messages or create an additional paper trail.
- Derived more meaningful metrics from the process.
- Could manage and track requests for ad hoc searching.
- Was able to conduct a 100% review and meet all FINRA requirements.

Being presented with fewer false positives and duplicate messages helps reviewers stay on top of the volume of communications that require their attention and allows them to complete more reviews in a more timely manner. Complemented by detailed reporting that documents the review process, izon Compliance helps ensure that the supervision process has been consistently accomplished.

Prevent the Unnecessary Costs of Noncompliance

Electronic communication isn't going anywhere; it's only going to keep growing, with new channels and new devices making supervision even more of a challenge. Your organization can constantly add resources, risk noncompliance or find a reliable way to increase the efficiency of your supervisory processes. Compared to the costs of the first two options, izon Compliance, with its smarter combination of meaning and lexicon-based search technologies and robust archiving, is a forward-thinking, economical solution.

About IBM Enterprise Content Management

Enterprise content management solutions from IBM help companies realize the strategic value of content for better insight and outcomes. IBM ECM delivers high-value solutions that can help companies transform the way they do business by enabling them to put content in motion: capturing, activating, socializing, analyzing, and governing it throughout the lifecycle. IBM can help organizations identify critical content within large information volumes and prioritize it to gain insight to inform business decisions. We help businesses put the right content in the hands of the right people at the right time while effectively managing the cost and risk of enterprise content from capture to disposal. IBM has provided ECM solutions to more than 13,000 companies, organizations and governments around the world, helping them remain competitive through new intelligent innovation. For more information visit: ibm.com/software/ecm

About Atlantic Software Technologies, Inc.

Atlantic Software Technologies is an IBM Enterprise Content Management partner that has been focused on high-value business process automation for more than ten years. From the company's headquarters in New York, AST provides products, technologies, and personal service that help customers bring people, systems and processes together to create efficient and effective global solutions. For more information visit: www.izoncompliance.com

Resources

See how izon Compliance can benefit your organization. For more information, contact:
IBM: Kristen Meyer, 703-934-1125, kristenmeyer@us.ibm.com
Atlantic Software Technologies: Marjory Dury, 212-682-4160, mdury@astworld.com
Additional information: www.izoncompliance.com

Copyright IBM Corporation 2013. IBM Corporation, 3565 Harbor Boulevard, Costa Mesa, CA 92626-1420, USA. Produced in the United States of America, March 2013. All Rights Reserved.

References

[1] Smarsh, Electronic Communications Compliance Survey Report, (June 28, 2012).
[2] Kenneth Corbin, FINRA Broker-Dealer Penalties Soar in 2012, Financial Planning, (August 10, 2012).
[3] Gartner, Magic Quadrant for Enterprise Information Archiving, (October 29, 2010).
[4] FINRA Regulatory Notice 07-59, Supervision of Electronic Communications, (December, 2007).
[5] FINRA 07-59.
[6] SEC 17 CFR Part 240, Reporting Requirements for Brokers or Dealers Under the Securities and Exchange Act of 1934, (February 5, 1997).
[7] FINRA 07-59.
[8] FINRA 07-59.
[9] SEC Investment Advisers Act of 1940, Section 203(e)-6.
[10] FINRA 07-59.
[11] SEC 17 CFR Part 240.17a-4, Records to be Preserved by Certain Exchange Members, Brokers and Dealers.
[12] FINRA 07-59.
[13] FINRA, FINRA Fines Five ING Firms $1.2 Million for Email Retention and Review Violations, (February 19, 2013).
[14] Reuters, Citigroup to Pay $750,000 Fine for Not Saving Emails, (December 8, 2011).
[15] FINRA, FINRA Fines Piper Jaffray $700,000 for Email Retention Violations, Related Disclosure, Supervisory and Reporting Violations, (May 24, 2010).
[16] FINRA, FINRA Fines MetLife Securities and Affiliates $1.2 Million for Email Supervision Failures, (November 18, 2009).
IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml. Other company, product, or service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. While efforts were made to verify the completeness and accuracy of the information contained in this document, it is provided "as is" without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this information. Nothing contained in this document is intended to, nor will have the effect of, creating any warranties or representations from IBM (or its suppliers or licensors), or altering the terms and conditions of the applicable license agreement governing the use of IBM software or receipt of IBM services.

Each IBM customer is responsible for ensuring its own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
*izon Compliance keeps track of and can report on all communication supervision activities that have occurred, including what search criteria and lexicon list contents were used on any given day. Our software will meet the evidencing requirement, but is no guarantee of full compliance with the regulation.