Canada’s Financial Services Firms Prepare for E-mail Archiving Mandate

Jul 20
07:15

2010

kieron dowling

kieron dowling

  • Share this article on Facebook
  • Share this article on Twitter
  • Share this article on Linkedin

Will multi-million dollar fines, criminal indictments, and exorbitant e-discovery costs play a role in Canada’s financial services future? Possibly, if Canadian securities dealers, portfolio managers, and other financial services firms violate the pending legislation proposed by the Canadian Securities Administrators. By year’s end, these firms will be subject to tough, new e-mail storage and retrieval rules defined in National Instrument 31-103 (NI 31-103).

mediaimage
Will multi-million dollar fines,Canada’s Financial Services Firms Prepare for E-mail Archiving Mandate  Articles criminal indictments, and exorbitant e-discovery costs play a role in Canada’s financial services future? Possibly, if Canadian securities dealers, portfolio managers, and other financial services firms violate the pending legislation proposed by the Canadian Securities Administrators. By year’s end, these firms will be subject to tough, new e-mail storage and retrieval rules defined in National Instrument 31-103 (NI 31-103). Among other requirements, NI 31-103 mandates that registered firms keep their records — including electronic messages — in a durable form that can be “promptly” provided to regulators if a record is requested within two years of its creation. After two years, requested records must be delivered in a “reasonable period of time.” In fact, NI 31-103 requires firms to keep some records for seven years after the departure of a client. NI 31-103 confirms the importance of e-mail as a formal communications medium and adds another regulatory layer of protection for financial services firms and their clients. It reinforces the trust that underpins Canada’s financial system and provides a means for resolving disputes. Clearly, compliance is in everyone’s best interests, but how, exactly, do companies comply with NI 31-103?Compliance and technology. Some firms have already raised concerns about overwhelming costs of physical storage and difficulties in developing a suitable e-mail archival and retrieval system. Others are operating under the impression that backup copies of their e-mail servers will meet the record keeping requirements. Both groups are mistaken. E-mail archiving doesn’t have to be expensive or difficult — powerful, easy to use solutions can cost less than $50 per user — but it can’t be done with backup technologies.Simply put, backup tapes don’t archive all e-mail messages. If a user sends an e-mail to a co-worker and minutes later, both users delete all traces of that e-mail, the backup tape will not capture that e-mail. Backup tapes don’t maintain copies of e-mails exchanged between backups or retain copies of e-mails deleted by users after the backup is replaced with a newer one.Worse, backup tapes impede e-mail retrieval. With no search capability, backup tapes require IT staff to manually search for requested e-mails. In addition to the high costs of the related e-discovery, the integrity of the e-mails retrieved can not be confirmed. Similar to the user-deleted e-mail above, if a user receives an e-mail and subsequently edits and re-saves it, overwriting the original, a backup tape would not have a copy of the original.An e-mail archive, on the other hand, stores, indexes, retrieves, and monitors all inbound, outbound, and internal e-mail messages and file attachments in real time. It can ensure that e-mail and attachments have not been altered. An e-mail archive would retain a copy of the user-deleted e-mail as well as the original and modified versions of the user-edited e-mail. And an e-mail archive’s index expedites e-mail retrieval as IT staff — and in some cases, end users — can search on parameters such as sender, recipient, subject line, date sent, and text in the message header, body, or attachment.E-mail archiving policies. Implementing a real e-mail archive solution may be one of the first steps Canadian financial services firms take to comply with NI 31-103, but it won’t be the only step. Beyond deploying technology, each firm must establish its policies for e-mail use and retention. The tips below offer guidance toward that end.•     Involve the company. Policy for how e-mail will be used and retained should be developed with input from across the organization — IT, legal, HR, compliance, customer relations, and administrative departments. Make sure international divisions of the company are included, too.•     Create two policies. Create one policy for retention of e-mails and another for company-wide usage of e-mail. While separate, the policies should be developed side by side. Both should be reviewed and updated annually.•     Communicate your usage policy. All employees should be notified, not just through e-mail, but through face-to-face training and discussion in department meetings. Be specific and detailed. Everyone in the company should understand both appropriate and inappropriate use of e-mail, and that violating usage guidelines is a punishable offence. Employees should also know that copies of everything they send are being archived (this knowledge alone often results in fewer instances of inappropriate messaging).•     Start archiving now. Don’t delay archiving in the absence of a retention policy. Ideally, the policy comes first and dictates the parameters of the archive setup. But for many companies, a policy can take months to develop and gain consensus. Don’t risk a damaging noncompliance situation or costly e-discovery process in the meantime. A flexible in-house archiving solution can easily be adapted as policy takes shape.Ultimately, the e-mail record keeping requirements introduced by NI 31-103 will help protect investors, improve market efficiencies, and reduce risk. By implementing an e-mail archiving system, Canadian financial services firms can help protect their clients while also protecting themselves.