Last updated July 15, 2008
Electronic Recordkeeping: Still a Compliance Minefield

Do you keep backups of your e-mails? If so, you could be in for a very nasty surprise. Backups--usually tapes created daily and stored off-site for disaster recovery purposes--could put a financial firm in hot water if a judge or regulatory agency demands to see particular e-mails or instant messages. That's because backups were never intended for that type of searching.

Even companies that rely on a modern archiving system with real-time search and retrieval capabilities can run into trouble. For example, if that archive goes back three years but there are also ten-year-old tapes in a warehouse somewhere else, a court or regulatory agency can ask to see the contents of those tapes. And if the tapes are as disorganized as has been typical when financial industry regulators come calling, there could be a heavy price to pay.

This summer, for instance, Morgan Stanley was hit with a $1.58 billion judgment because it was not able to produce e-mails promptly. Usually, a defendant is presumed innocent until found guilty. But in this case, which was heard in Florida, the judge instructed the jury to assume that the firm was guilty because of its perceived foot-dragging in retrieving the messages.

"It's absolutely huge," says Benjamin Catalano, an attorney at Dorsey & Whitney. "The judge viewed it as a stonewalling strategy on the part of Morgan Stanley."

The precedent in this case is limited by the fact that it was tried under Florida law, notes Catalano. However, such fines change the economics of compliance. "It becomes much more costly for noncompliance than in the past," he says. "Traditionally, if you lost a damaging e-mail, it was usually to your benefit."

Tape Troubles

One problem with backup tapes is that it's difficult to search for a particular message. Backup tapes are usually stored by date.
Sometimes there's an index of the contents of each tape, but this index is usually just a summary and, as in the Morgan Stanley case, may not accurately reflect the actual contents. If a firm wanted to retrieve all messages containing "Martha Stewart," for example, it would have to pull all the tapes from the time period in question, load them one by one, and sift through the contents.

Tape backup warehouses are a "huge digital landfill," says Peter Mojica, VP of product management and strategy at archiving vendor AXS-One. "A lot of companies in the broker-dealer space are used to doing things the way they have for many years when it comes to backup."

At Toronto-based First Associates Investments, for example, IT staff have to retrieve backup tapes, restore them, and then send the data to whoever is requesting it. "It's very manual and not too easy," says information security officer Brian Erdelyi. "There's a lot of effort there."

First Associates is switching to an e-mail archiving system from Fortiva that uses a combination of tapes and disks. "We're starting to deploy it now and are working with our compliance department so we can get them set up to start reviewing messages," says Erdelyi. In general, disks are good for data that must be recovered easily and quickly--such as the most recent two years' e-mails, which must be "readily accessible" under Securities and Exchange Commission regulations.

Another issue is that if there's both a backup and an archive, then the two systems have to be in sync: If an e-mail is stored for three years in the archive, then there can't be four-year-old e-mails stashed away in the tape warehouse. That's a difficult problem to solve, explains Michael Gundling, SVP of product management at archiving vendor iLumin Software: "Among our larger customers, probably less than half are doing that correctly. And there are probably holes in all of their policies. I don't think anybody is doing it perfectly today.
But, with the recent headlines, everyone is examining their data protection policies."

One option is to get rid of backups completely, instead storing messages in searchable archives from which they can be automatically deleted after a certain period of time. Disk storage has fallen in price to the point where it's comparable to tape--especially when the cost of managing and retrieving messages is included. "We need to get away from the world of 'it's on a backup tape in a warehouse and we have to pay someone to go get it for us,'" says Gundling.

Encryption Option

Another option, if a company insists on having backup tapes for messages, is to encrypt the data. If a tape is lost or stolen, the contents would be unreadable. On top of that, after a certain point in time the firm will simply be able to throw away the decryption key, leaving the tapes as good as erased--without having to send someone to the warehouse to dig them up and dispose of them. AXS-One offers this solution to its customers, Mojica says.

But it's not just old backup tapes that brokerage firms have to worry about now. New technologies such as instant messaging (IM) and hand-held devices such as the BlackBerry fall under the same laws as e-mail. Some firms delay rolling out the latest tools until compliance technology catches up. "We chose not to implement instant messaging until we were confident we could become compliant," says Matthew Hoban, VP and director of information technology at Minneapolis-based Miller Johnson Steichen Kinnard (MJSK), a privately held boutique investment firm. That point came a year and a half ago. Hoban's firm decided to go with FaceTime to capture IMs and attach disclaimers to the conversations and to use iLumin's Assentor product to monitor the conversations.

Unfortunately, it isn't enough to simply store all the messages in an archive.
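The encryption option described above (encrypt each tape, then destroy the key once the retention period ends so the tape is "as good as erased") is often called crypto-shredding. The following is an added example written for this page, not code from AXS-One or any vendor named in the article. It assumes a hypothetical in-memory key store (TapeKeyStore) with one AES-256-GCM key per tape and a retention date per key; the tape IDs, dates and message bytes are constructed sample values. It also ties the retention date to the key rather than to the tape, which is what keeps the backup side in sync with the archive's deletion policy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"time"
)

// TapeKeyStore is a hypothetical key store for this example: one random
// AES-256 key per backup tape, each tagged with the date its retention
// period ends. Destroying the key is what "erases" a tape that is still
// sitting in the warehouse.
type TapeKeyStore struct {
	keys   map[string][]byte
	expiry map[string]time.Time
}

func NewTapeKeyStore() *TapeKeyStore {
	return &TapeKeyStore{keys: map[string][]byte{}, expiry: map[string]time.Time{}}
}

// Register generates a fresh key for tapeID that is kept until retainUntil.
func (s *TapeKeyStore) Register(tapeID string, retainUntil time.Time) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	s.keys[tapeID] = key
	s.expiry[tapeID] = retainUntil
	return nil
}

// Purge zeroes and drops every key whose retention ended before now and
// returns the IDs of the tapes that are thereby rendered unreadable.
func (s *TapeKeyStore) Purge(now time.Time) []string {
	var shredded []string
	for id, until := range s.expiry {
		if !now.After(until) {
			continue
		}
		for i := range s.keys[id] {
			s.keys[id][i] = 0
		}
		delete(s.keys, id)
		delete(s.expiry, id)
		shredded = append(shredded, id)
	}
	sort.Strings(shredded)
	return shredded
}

func (s *TapeKeyStore) aead(tapeID string) (cipher.AEAD, error) {
	key, ok := s.keys[tapeID]
	if !ok {
		return nil, errors.New("no key for tape " + tapeID + ": destroyed or never registered")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a tape image (a byte slice stands in for the tape here) with
// AES-256-GCM. The tape ID is bound as associated data, so a ciphertext only
// opens under the key registered for that same tape.
func (s *TapeKeyStore) Seal(tapeID string, plaintext []byte) ([]byte, error) {
	g, err := s.aead(tapeID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag.
	return g.Seal(nonce, nonce, plaintext, []byte(tapeID)), nil
}

// Open decrypts a sealed tape image; it fails once the key has been purged.
func (s *TapeKeyStore) Open(tapeID string, sealed []byte) ([]byte, error) {
	g, err := s.aead(tapeID)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed tape image too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], []byte(tapeID))
}

func main() {
	store := NewTapeKeyStore()
	written := time.Date(2005, 6, 1, 0, 0, 0, 0, time.UTC)
	// Constructed sample: a tape written in 2005 with a three-year retention.
	if err := store.Register("TAPE-2005-06-01", written.AddDate(3, 0, 0)); err != nil {
		panic(err)
	}
	sealed, err := store.Seal("TAPE-2005-06-01", []byte("From: broker@example.com\nSubject: Q2 notes"))
	if err != nil {
		panic(err)
	}
	pt, err := store.Open("TAPE-2005-06-01", sealed)
	fmt.Printf("within retention: err=%v, %d bytes readable\n", err, len(pt))

	fmt.Println("purged after retention:", store.Purge(written.AddDate(4, 0, 0)))
	_, err = store.Open("TAPE-2005-06-01", sealed)
	fmt.Println("after purge:", err)
}
```

In practice the key store, not the tape, becomes the asset to protect and to back up: a lost key store erases every tape at once, and a key copied elsewhere defeats the shredding. An audit log of Purge calls is what lets the firm demonstrate to a regulator when a given tape became unreadable.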
For a variety of reasons, including applicable laws and regulations, brokerages have to review these messages for illegal or inappropriate content. Reading every e-mail or IM transcript is impossible. Even a random sampling of messages would inundate compliance officers with trivial personal missives that could obscure such zingers as "I just got an inside tip--sell ImClone now!" Tools such as Assentor rank messages according to potential compliance interest. The product is smart enough to differentiate "this refrigerator comes with a 30-year guarantee," which the SEC doesn't care about, from "this stock is guaranteed to return 15 percent," a big no-no.

However, there are some gaps in coverage. If an employee goes home and logs on to his corporate e-mail account, the message goes through the company's e-mail server and is appropriately processed. But if an employee logs on to, say, AOL IM, a public network, at a nonwork computer, there is currently no way to capture those messages, which in clients' eyes would appear legitimate and compliant--the functional equivalent of stealing office letterhead and typing off-the-books letters to customers. "There is nothing to stop someone from going home and making all kinds of promises to their customers," says Hoban. "I've heard of brokers doing that--using private communications to make bad promises."

To keep this kind of activity down, firms rely on education, management oversight and just plain monitoring for suspicious behavior--like e-mailing copies of research reports home. But technology is starting to address the issue. One solution to the IM problem is to forbid the use of free, popular services like AOL IM and to switch to enterprise IM instead. Enterprise-grade systems cost money, but messages are routed through a firm's own servers and compliance engines. IBM has an enterprise IM product, and most of the free public IM systems offer paid enterprise versions as well.
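The ranking described above, where a promise word such as "guarantee" matters only when it appears in a securities context, can be illustrated with a small scorer. What follows is an added example for this page, not the Assentor product's own logic, which the article does not describe in detail. The word lists, the six-word proximity window, the point values and the sample messages (two of them taken from the article's own illustrations) are all constructed for the example; a real review tool would use far richer lexicons and a lower false-positive rate than this.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// Message is one captured e-mail or IM line (ID and text only).
type Message struct {
	ID   string
	Text string
}

// Scored is a message with its compliance-interest score and the evidence.
type Scored struct {
	Message
	Score   int
	Reasons []string
}

// Word lists constructed for this example. Promise words count only when
// they sit close to a securities term; hard flags count in any context.
var (
	promiseWords   = []string{"guarantee", "guaranteed", "guarantees", "promise", "promised", "assure"}
	financialWords = []string{"stock", "stocks", "shares", "return", "returns", "percent", "%", "bond", "bonds", "fund", "buy", "sell", "trade"}
	hardFlags      = []string{"inside tip", "insider information", "before the announcement"}
	window         = 6 // max distance in words between a promise and a securities term
)

// tokenize lower-cases and splits on anything that is not a letter, digit or '%'.
func tokenize(text string) []string {
	return strings.FieldsFunc(strings.ToLower(text), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '%'
	})
}

// positions maps each listed word that occurs in tokens to its token indexes.
func positions(tokens []string, words []string) map[string][]int {
	set := map[string]bool{}
	for _, w := range words {
		set[w] = true
	}
	out := map[string][]int{}
	for i, tok := range tokens {
		if set[tok] {
			out[tok] = append(out[tok], i)
		}
	}
	return out
}

// ScoreMessage assigns 10 points per promise/securities pair within the
// window and 25 points per hard flag, recording why each point was given.
func ScoreMessage(m Message) Scored {
	tokens := tokenize(m.Text)
	s := Scored{Message: m}
	promises := positions(tokens, promiseWords)
	financial := positions(tokens, financialWords)
	for pw, pis := range promises {
		for fw, fis := range financial {
			for _, pi := range pis {
				for _, fi := range fis {
					if d := pi - fi; d <= window && d >= -window {
						s.Score += 10
						s.Reasons = append(s.Reasons, fmt.Sprintf("%q near %q", pw, fw))
					}
				}
			}
		}
	}
	joined := " " + strings.Join(tokens, " ") + " "
	for _, f := range hardFlags {
		if strings.Contains(joined, " "+f+" ") {
			s.Score += 25
			s.Reasons = append(s.Reasons, fmt.Sprintf("flag %q", f))
		}
	}
	sort.Strings(s.Reasons) // deterministic output despite map iteration order
	return s
}

// Rank scores every message and orders them by descending interest, so a
// reviewer reads the likely problems first.
func Rank(msgs []Message) []Scored {
	out := make([]Scored, 0, len(msgs))
	for _, m := range msgs {
		out = append(out, ScoreMessage(m))
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out
}

func main() {
	// Constructed sample messages; m1 and m2 are the article's own illustrations.
	sample := []Message{
		{"m1", "This refrigerator comes with a 30-year guarantee."},
		{"m2", "This stock is guaranteed to return 15 percent."},
		{"m3", "I just got an inside tip--sell ImClone now!"},
		{"m4", "Lunch at noon? I'll bring sandwiches."},
	}
	for _, s := range Rank(sample) {
		fmt.Printf("%-3s score=%2d %v\n", s.ID, s.Score, s.Reasons)
	}
}
```

Keeping the reasons alongside the score is the part a compliance officer actually needs: a reviewer has to be able to see why a message surfaced, and a regulator may later ask the same question about why another did not.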
Bloomberg has long had IM capability built into its trading network, and Reuters Messaging has emerged as an alternative on Wall Street. "They provide a server that we can install that will allow us to archive those messages," says First Associates' Erdelyi, who has been using Reuters Messaging for more than a year. The firm blocks public IM networks.

BlackBerrys

MJSK's Hoban says he is careful about adding communications options. Until recently, employees weren't allowed to use BlackBerrys. "We finished testing BlackBerry functionality last week," he says. "It's becoming more and more of a need as more reps go out and visit with clients." Both the incoming e-mails from customers and outgoing e-mails from brokers are funneled back through the firm's e-mail servers and compliance engines.

Another new tool is cell phone text messaging, or short messaging service (SMS), which is particularly popular in Europe and Asia and among North American youth. It's spreading into the corporate arena, but not at MJSK. "We disallow text messages on the security level of the phone when we receive it from the carrier," Hoban says. The reason? There is currently no way to capture those messages.

The biggest pain point for securities firms isn't a lack of technology, say people in the field. It's the rising cost of compliance technology that is already available. "We're a mid-sized regional firm, doing fairly well financially, but there is just more and more regulatory practice," says Hoban. "We're not complaining--it protects our clients and our firm. But we have to spend an increasing amount of money to maintain that compliance."

(c) 2005 Compliance and SourceMedia, Inc. All Rights Reserved. http://www.securitiesindustry.com/stp/ http://www.sourcemedia.com
Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com