Regulators show they're willing to play hardball, fining five Wall Street firms a total of over $8 million for failing to preserve e-mail.
In the second round of high-profile action taken for failing to preserve internal e-mail communications, five major financial-services firms were fined $1.65 million each and told to review their internal record-keeping procedures.
Without admitting or denying the accusations in the joint action brought by the Securities and Exchange Commission, the National Association of Securities Dealers and the New York Stock Exchange - Deutsche Bank Securities, Goldman Sachs, Morgan Stanley, Salomon Smith Barney and U.S. Bancorp Piper Jaffray became the latest victims to face regulatory scrutiny. The action stems from investigations into analyst/investment-banking practices on the Street and the resulting e-mail evidence du jour.
But as regulators begin to take a more active role in overseeing the financial-services industry - document retention and storage in particular - some are challenging that the rules themselves are difficult to interpret and should be clarified. Scott Kursman, vice president and associate general counsel for the Securities Industry Association, says that the main problem with e-mail retention policy stems from outdated definitions.
According to SEC Rule 17a-4 and NASD rules 3010 and 3110, financial-services firms are required to supervise and record all electronic communications related to their business as such for a period of not less than six years, with the first two years in an easily accessible place. It is this "business as such" definition that many firms are questioning.
"You have a 1939 standard with the 'business as such' rule applying to modern methods of communication," says Kursman. "So the provision that's applicable in this case says you have to retain communications pertaining to your business as such. The SEC says the content of the communication is determinative as to whether it pertains, which may have been fine when firms drafted a couple of memos a day but when firms generate millions of messages it's hard to determine whether each individual e-mail is going to be retained."
Kursman also says that the essential problem is that the definition of 'business as such' differs from firm to firm. In addition, the fines for the five firms arose in the context of analyst investigations, which put more pressure on regulators to drive home a message. "Before, I think regulators were more apt to recognize that the rule was problematic," he adds.
Jeffrey Plotkin, partner at Eiseman, Levine, Lehrhaupt & Kakoyiannis, and former SEC assistant-regional administrator for New York in the broker/dealer division, says that the firms should not be bogged down with the 'business as such' definition. He says many firms have not updated their e-mail retention policies and technology because of cost, indifference and other reasons, such as e-mail being a potential liability because it can be used in litigation.
Plotkin points out that the lack of clarification around the 'business as such' definition is not a plausible excuse for most firms in not complying. "Anybody who is well versed in the securities regulations knows that typically the regulations are aimed at the investment banking and securities areas of the firm," Plotkin says. "It doesn't mean human resources, business-type accounting or janitorial services, nobody could argue that they didn't understand that."
But Kursman says the SIA has engaged in a dialogue with regulators for several years on this issue and that an agreement on how the rule might be updated was close when high-profile events like the Enron collapse made the issue of document storage and retention a "political hot potato" for the regulators to address.
"They said this is not the best time to be dealing with this and we understood, but now it's come 180 degrees where we were on the verge of addressing the problem, and now the firms are getting hit with fines when everyone was aware it was a problem," says Kursman.
Kursman says that the five firms that were recently fined had some policy and means of retaining internal e-mail, so the bar for what constitutes "business as such" was probably set very high in the course of the regulator's investigations. "They just didn't rise to the level of satisfaction that was needed in this regulatory environment," he says.
All five firms contacted by Wall Street & Technology declined any interviews. But a public statement issued by Andrew Duff, president and chief executive officer at Piper Jaffray, said that while the firm did retain large volumes of e-mail, its retention of e-mail communications and procedures were deemed inadequate to meet the requirements of SEC Rule 17a-4.
Although no one would personally comment on any technology or retention policy changes, Duff also said that current e-mail procedures and enhanced software now fully meet the regulatory requirements.
Salomon Smith Barney would not comment specifically on the technology or policies in place for e-mail retention and storage but issued this statement, "This settlement resolves a complex regulatory issue that has been the subject of much discussion over recent years. We're pleased to have the matter resolved."
Questioning the Technology
When it comes down to the technology and regulatory requirements, Kursman questions the method mandated by the regulators to store e-mails. He says the so-called WORM, Write Once Read Many, storage is outdated and inefficient. "WORM was not intended for e-mail and it makes accessing and searching very difficult, so the more you want to comply with the retention rule, the more problematic it is under the record-storage rule," he says.
"You have to physically move documents by transferring them or writing the e-mail onto a different format and that is time consuming," explains Kursman. "WORM technology is the notion of physically imprinting something onto a media and that's an extremely slow process and you have to read everything to find what you're looking for."
Plotkin adds though that regulations often trail behind the evolution of technology, resulting in different firms having different levels of technology. But that should not stop firms from complying.
"These enforcement cases are a shot across the bow, now firms have to make the investment and pay attention to the requirements," he says. He also points out that there are other technology options available that meet the regulatory guidelines, including digital archiving and indexing - available from several providers - which makes the process more cost effective.
"Firms are going to have to look at e-mails as seriously as they view any communication with a client," adds Plotkin. "I don't foresee any sort of new rulemaking coming out, and I don't think the ambiguity or the possibility of rule changes or the development of technology is an excuse to ignore the whole framework."
Banc of America Securities Gets Up to Speed
Regardless of the questions and regulatory wrangling surrounding e-mail retention and archiving, Vincent Faughnan, chief compliance officer at Banc of America Securities, says that his firm made the move to digital archiving over a year ago. Faughnan says that his firm began looking for e-mail archiving technology back in 2000 and went live with a solution from Zantaz in early 2001.
Before moving to the Zantaz solution, Faughnan says that the firm was relying on tapes for storage. "Basically, the tapes were unwieldy and it was difficult to retrieve anything," he says. Faughnan adds that the firm is using the Zantaz solution as a service bureau, with the technology to define policies and capture e-mail on the firm's servers and the storage and archiving off site with Zantaz. The digital-storage solution enables end users to index, store and search e-mail documents more quickly and effectively.
But Faughnan says even with a system in place, he would like more guidance when it comes down to 'business as such' and what e-mails must be stored.
"It's fair to say that there just hasn't been a whole lot of guidance form the regulators. There are open issues about the status of which e-mails to store, the status of instant messaging and a lot of misinterpreted advice," he says. "I'd like more definition and clarification as to what e-mails are required to be stored this way."
Faughnan says that, because of the lack of guidance, his firm is forced to save almost every e-mail, something that is expensive, probably somewhat needless and creates other issues for the company. While he says he doesn't expect the regulators to come out with any changes to the "business as such" definition any time soon, he says it would be nice.