The Check’s In the Mail

Concerns over compliance with e-mail-retention rules dominated a recent discussion moderated by Wall Street & Technology at InformationWeek's annual technology conference in Tuscon, Ariz.

One of the major challenges facing the securities industry is not only storage of all electronic records - including e-mails and instant messages - but being able to access the material in the event of an investigation. "Retention without accessibility is not retention," warns Jay Cohen, vice president and chief corporate compliance officer of The MONY Group, a diversified financial-services firm that owns Advest, a retail-brokerage firm.

Another lesson learned by financial-services firms is that backup is not retention. Cohen, a former prosecutor, cited a recent case involving the research investigation of five major securities firms fined by the National Association of Securities Dealers $1.65 million apiece. Although the firms had stored e-mails on backup tapes for several years, they were fined because they were unable to retrieve the e-mails according to the rule's requirements.

In the course of regulatory review or litigation, firms must be able to "access what the regulators are looking for," and companies that don't have that ability will be in a difficult situation, Cohen says. At that point, they will be forced to resort to "enormous expenditure of time and resources," to retrieve the information.

Even though the number of e-mails flowing through the financial industry is skyrocketing, Richard Rzasa, vice chairman and chief information officer of technology solutions for TD Waterhouse, told the audience his firm is saving all of them. "I think the storage vendors are going to make out best in this exercise," jokes Rzasa. But Rzasa was perfectly serious in saying, "We are retaining all of the e-mails that our associates send to customers and colleagues, and archiving them in a third-party system."

To be more proactive in interrogating e-mails, Rzasa is currently implementing an artificial-intelligence, fuzzy-logic technology and applying that with a lexicon of unacceptable terms to the e-mails, "to figure out if the firm has a rogue broker or someone who is misleading the customer," he says. TD is also making sure that every instant message - the technology is only deployed in a few areas of the firm - is being captured and surveilled as well.

Instant messaging has come to the forefront because regulators have made it clear "retention applies on the basis of content, not medium," says Cohen. Meanwhile, financial-services firms are grappling with how to interpret the rules with regard to time period and storage in a "readily accessible place."

Cohen says the rules require retention periods ranging from two to seven years for e-mail and other electronic records.

Rzasa says, "We're being very, very conservative under the rules which say to retain electronic records for three years - and two years in readily accessible place." But how much time a firm has to retrieve and turnover records to a regulator is still open to interpretation. "Is it 48 hours? Is it 24 hours? Is it two hours?" he asks. "As you have to get more real time with being able to provide more access, obviously the cost of it goes up."

Martin Colburn, executive vice president and chief technology officer of the NASD, says accessibility means firms need to "spend the resources to not only backup the data, but to be able to restore it and restore it readily. What we've done is actually put (our own e-mails) online and have compliance people check it on a regular basis," says Colburn. "We recommend that because we believe that self-compliance is as much a tool as the enforcement of the rules."

Though e-mail retention dominated the agenda, the session also covered the policies firms are putting into effect to comply with Sarbanes-Oxley and The USA Patriot Act, as well as the evolving partnership between the chief information officer and the chief compliance officer.