Communication Archiving Compliance Regulations for Financial Organizations
Let’s take a look at some of the important regulations that govern financial sector organizations:
FINRA 11-39
Firms must retain, supervise, and retrieve business communications, irrespective of whether they are sent from a personal or work-related device.
NASD Rules 3010/3110 and SEC Rules 17a-3 and 17a-4
These rules require all broker-dealer organizations to retain emails pertaining to trading activity for at least 6 years. The rules also require that, for the first two years, the documentation be maintained in easily accessible and indexable storage.
Markets in Financial Instruments Directive (MiFID I & II)
This law states that all electronic communications related to trading in corporate brokerage firms and financial advisory firms must be recorded and preserved. The information must be stored in a medium that cannot be deleted or tampered with and must be available on client request. The archived data must be stored for a minimum of 5-7 years. This law governs financial organizations in the European Union.
Sarbanes-Oxley Act
All public trading companies must save business records, including electronic communications, such as social media messages, emails, and others, for at least five years. Although this is a U.S. law, it applies to European companies listed in the U.S.
FSA
Financial firms must record, retain, and store relevant communications for six months. This law is applicable in the United Kingdom.
SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (LODR)
This policy mandates the systematic categorization, review, and retention of all important business documents for five years in company systems and archiving for another three years. This regulation applies to banks and financial organizations in India.
The Information Technology Act 2000
With a further amendment in 2008, this act states that electronic records, including email as evidence, are permitted under the Indian Evidence Act 1872, the Civil Procedure Code, and the Criminal Procedure Code.
Although each of the aforementioned regulations imposes its individual requirements, compliance is still based on the following concepts:
Data Permanence
The data must be retained in its original state without being tampered with or deleted.
Data Security
The information retained must be safeguarded against threats such as unauthorized human access, spyware, and virus attacks.
Auditability
Consequences of Non-Compliance
Stringent controls and penalties imposed by these regulations force financial organizations to take regulatory compliance seriously. While doing so, one in four organizations experiences a storage management issue. The average email size has increased drastically from 22 KB to 350 KB. It is believed that most business organizations in the U.S. allot more than 150 MB of storage to a user. Additionally, these organizations use quotas for email storage to prevent messages from overloading and degrading the performance of their primary server. The downside of these quotas is that they may themselves lead to non-compliance. Whatever its cause, the consequences of non-compliance can be devastating:
Litigations
According to the American Management Association, nearly a quarter of U.S. employers are implicated in lawsuits. The Litigation Trends Survey by Fulbright & Jaworski claimed that in 2007, nearly 29% of U.S. businesses were embroiled in at least one litigation, with more than 32% fighting lawsuits of $20 million or more. During litigation, the parties involved are required to submit case-relevant information promptly. In such cases, the cost of information retrieval may outweigh the damages sought in the case. For instance, in the case of Zubulake vs. UBS Bank, the cost of restoring 77 tape backups was $165,954, whereas the lawsuit damage was only $107,694.
Fines
According to Osterman Research, financial services firms that do not comply with the various state and federal regulations for information retention and preservation end up paying serious fines. In 2016, the Financial Industry Regulatory Authority (FINRA) announced that 12 major financial firms were fined $14.4 million for inadequacies in preserving customer or broker-dealer records. The firms included Wells Fargo Securities, LLC & Wells Fargo Prime Services, LLC, RBS Securities, Inc., LPL Financial LLC, PNC Capital Markets LLC, etc. Even though most fines are focused on large financial organizations, small financial organizations like broker-dealers, credit unions, or banks may also be fined for inadequate information management.
Reputational Risks
Irrespective of whether the organization is guilty, the effects of getting entangled in lawsuits or fines can be severe. They may affect the overall corporate trust or the financial positioning of the organization and indirectly provide a business advantage to competitors. Additionally, the damage caused to the company within its community can be equally detrimental. All these reasons help us understand the increasing importance of safe and secure cloud-based email archiving.
What is Email Archiving?
Advantages of Email Archiving for the Financial & Banking Industry
Compliance readiness
The most significant advantage of email archiving for enterprises in the financial and banking industries is helping them comply with regulations from RBI, SEBI, and IRDAI, which require long-term data preservation. Proactively meeting compliance requirements reduces business risk and keeps regulatory authorities from breathing down their necks. Scalable cloud email archiving for the financial industry can help preserve email data long-term and offer rapid discovery and extraction tools to enhance audit readiness. Also, cloud data management platforms that support an integrated compliance management workflow ease the job of seeking external expert reviews on potential breaches.
Litigation readiness
Growing litigation is part and parcel of operating in the financial and banking industries. According to Fulbright’s Second Annual Litigation Trends Survey, 90% of enterprises face litigation at some point. Thus, facing litigation is almost inevitable. Businesses can improve litigation readiness if they can find and present evidence quickly, accurately, and in a form acceptable to the courts. Cloud email solutions for the financial industry in which the preserved data is immutable, with an intact, audited chain of custody, can pull up data for electronic evidence. Accurate and fast eDiscovery with an in-built workflow to support internal legal reviews can help case management. The correct email archiving solution for the financial industry can reduce litigation costs and protect against frivolous lawsuits.
Automated Data Preservation
The correct email archiving service for the financial industry automates data capture based on industry regulations, laws, and an enterprise’s data protection policies. Besides increasing productivity, automatic archiving using journaling reduces the scope for human error in data preservation initiatives. Since this process ingests a copy of all transacted emails in real time, it is agnostic to what happens to the emails after delivery to the users’ mailboxes. In other words, the financial services institution is assured of a 100% capture of all emails, thus improving compliance confidence and delivering peace of mind.
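The following Python sketch is an added illustration, not Vaultastic's code or any product's implementation, of what the journaling-based capture described above looks like when combined with the Data Permanence and Auditability concepts from earlier on the page: every message handed over by the journaling feed is appended in delivery order, each archive record carries the SHA-256 hash of the raw message and of the previous record, and a verification pass walks the chain so that a post-delivery edit or a deletion from the middle of the archive is detected. The message feed, addresses and timestamps are constructed for the example.

```python
"""Added example: journaling-style ingest with a SHA-256 hash chain.
Not from the original page or any vendor; all sample data is constructed."""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # prev_hash of the very first archive record

# Constructed sample journal feed: (delivery timestamp, raw RFC 822-style bytes).
# These messages, addresses and times are made up for the example.
SAMPLE_FEED = [
    ("2024-03-01T09:00:00Z",
     b"From: trader@example.test\r\nTo: client@example.test\r\n"
     b"Subject: Order 1001\r\n\r\nBuy 500 ACME at 12.30\r\n"),
    ("2024-03-01T09:05:00Z",
     b"From: client@example.test\r\nTo: trader@example.test\r\n"
     b"Subject: Re: Order 1001\r\n\r\nConfirmed.\r\n"),
    ("2024-03-01T09:07:00Z",
     b"From: trader@example.test\r\nTo: ops@example.test\r\n"
     b"Subject: Fill 1001\r\n\r\nFilled at 12.28\r\n"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class JournalArchive:
    entries: list = field(default_factory=list)  # one metadata record per message
    blobs: list = field(default_factory=list)    # raw message bytes, same index as entries

    def ingest(self, received_at: str, raw: bytes) -> dict:
        """Append one journaled copy. The record hash covers the message hash and the
        previous record hash, so a later edit or deletion breaks the chain."""
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        record = {
            "seq": len(self.entries),
            "received_at": received_at,
            "content_hash": sha256_hex(raw),
            "prev_hash": prev_hash,
        }
        record["entry_hash"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
        self.entries.append(record)
        self.blobs.append(raw)
        return record

    def verify(self):
        """Walk the chain from the genesis value.
        Returns (True, None) if intact, otherwise (False, seq of the first bad record)."""
        if len(self.entries) != len(self.blobs):
            return False, min(len(self.entries), len(self.blobs))
        prev_hash = GENESIS
        for i, (record, raw) in enumerate(zip(self.entries, self.blobs)):
            body = {k: v for k, v in record.items() if k != "entry_hash"}
            if (record["seq"] != i
                    or record["prev_hash"] != prev_hash
                    or record["content_hash"] != sha256_hex(raw)
                    or record["entry_hash"] != sha256_hex(json.dumps(body, sort_keys=True).encode())):
                return False, i
            prev_hash = record["entry_hash"]
        return True, None


def build_archive() -> JournalArchive:
    """Ingest the constructed feed in delivery order, as a journaling connector would."""
    archive = JournalArchive()
    for received_at, raw in SAMPLE_FEED:
        archive.ingest(received_at, raw)
    return archive


def demo() -> dict:
    """Show that the intact archive verifies and that an edit or deletion is detected."""
    results = {"intact": build_archive().verify()}

    edited = build_archive()  # a post-delivery edit of the stored message body
    edited.blobs[1] = edited.blobs[1].replace(b"Confirmed.", b"Cancelled.")
    results["after_edit"] = edited.verify()

    trimmed = build_archive()  # an attempted deletion from the middle of the archive
    del trimmed.entries[1]
    del trimmed.blobs[1]
    results["after_delete"] = trimmed.verify()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The chain only proves integrity relative to its last record hash, so an archive operator who could rewrite every record and blob could rebuild a consistent chain; in a real deployment the current head hash is periodically written somewhere the archive writer cannot modify (a separate audit log, a WORM bucket, or a signed statement handed to the compliance team), and verification compares against that anchored value as well.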
Secure from Interference
Enterprises can experience the benefits of a robust security system that protects their critical data by choosing cloud-based email archiving meant for the financial industry. Cloud-native solutions like Vaultastic leverage the shared security model of public clouds like AWS to deliver robust security “OF” the cloud and “IN” the cloud. Security OF the cloud covers all infrastructure elements like compute, storage, network, and more. Security IN the cloud covers the security controls deployed at various layers of the stack, including strong encryption, role-based access, WAFs, and many more. This multi-layered security makes the solution bulletproof, and the 256-bit encryption makes the data useless even if it gets into a hacker’s hands. Thus, the archived data is immutable, tamper-proof, and highly durable during its stay in the cloud.
Advanced eDiscovery for Quick Access
Time is of the essence during audits conducted by regulatory authorities. Modern data archiving solutions enable immediate access to the indexed data with advanced eDiscovery tools. Powerful search tools that can scan the preserved data across any period with complex query formations find relevant results in seconds or minutes rather than hours or weeks, thus saving valuable time. Saving queries for reuse adds to the productivity boost. New-age email archiving solutions for the financial industry also support boolean query constructs to help narrow search results to the exact requirement. Responding rapidly to audit queries indicates to the auditors that your data management systems are technically advanced, organized, and in adherence with the regulatory guidelines, which adds brownie points for your brand image.
Business Continuity
Imagine that the email system is out of order or inaccessible and business communication has come to a halt. Such downtimes can cost a financial or banking enterprise dearly. Each year, IT downtime costs enterprises a staggering revenue loss of $26.5 billion. Worse still is the loss of reputation. A robust email archiving solution with self-service and in-built disaster recovery can help restore communication operations in minutes. Users can view all their emails using self-service access, continue to respond to earlier emails, and even send out new ones. These email transactions maintain the primary brand and email domain, ensuring no change in how the recipients receive or perceive the communications.