The current wave of investigation by securities regulators of Wall Street firms regarding e-mail messages, required to be retained by law, may cause financial services firms to scrutinize their e-mail retention policies and practices with a critical eye.
E-mail and instant messaging (IM) are increasingly used as business tools, thus the need for compliance, administration, records management and retention has become paramount. E-mail-now in the forefront of today's scandals-Enron, the Andersen document destruction case, and Wall Street analyst conflicts, is used as a way to trace historical corporate events, private conversations and to piece together the intentions of analysts and corporations alike.
Securities and Exchange Commission (SEC) rules for e-mail retention have long been criticized by brokerage firms as too costly to implement. Some firms choose to react by casting broad non-descript corporate e-mail policies or by electing to keep all e-mails indefinitely. As the SEC rules and records clauses for 17a-3 and 17a-4 are set to be reworked and instituted in May of 2003, e-mail retention is at the heart of financial service firms' internal discussion.
When Rule 17a-4 was originally adopted in 1939, it had a paper-only requirement for the initial retention of records. In 1997, the SEC amended paragraph (f) of Rule 17a-4 to allow broker-dealers to store records electronically. The SEC and the National Association of Securities Dealers (NASD) currently identify e-mail and IM traffic as communications that must be monitored and saved. Nearly 10,000 brokerage firms are held by SEC requirements to keep all correspondence related to a stock trade for six years. Federal securities law dictates that e-mail which is related to a firm's larger business be kept for three years. The rules are written to protect consumers from misleading or illegal information by their advisors. The SEC's chairman, Harvey Pitt, is reviewing its policy on the use of the Internet, and indications are that the e-mail storage requirements may be made less burdensome.
Pressure is also coming from internal quarters for firms to manage their e-mail practices and potential 'smoking guns' as a means of protection against possible investment scandals. A recent problem area is initial public offerings (IPO), as the NASD investigates whether brokers may have charged excessive commissions. New York's attorney general, Eliot Spitzer, has requested electronic documents from bulge bracket firms and their key company analysts. E-mails have been used to examine how closely analysts and investment bankers at a company worked together. E-mail analysis plays a key role in cases as a way of discerning analyst intent.
With the anticipation of increasingly strict enforcement of SEC Rule 17a-4 and NASD Rules 2210 and 3010, which require firms to monitor and store communications with clients, firms should be advised to look at their e-mail retention practices.
Within the judicial system, electronic and paper records are not distinguished from each other. Both need to be provided to the courts within a reasonable time. The burden of doing so has caused firms repeatedly to settle in court, rather than weed through reams of documents.
Instituting e-mail records retention programs, policies and software is a way to avoid such potentially expensive and damaging situations. Conducting an analysis of the ability of a company's technology systems to use e-mail retention software or have native capabilities accessed is advisable.
E-mail packages such as Microsoft Outlook already have native e-mail retention capabilities. E-mail retention management software packages are also available in the marketplace. Records management professionals working alongside IT professionals can institute a favorable program for a company. Records management professionals bring to the table the knowledge and expertise regarding different retention requirements for the host of e-mail information being created by a company.
An analysis of the company's technology systems, records creation and areas of potential risk are part of the process of e-mail records assessments. After determining the capabilities of a company's technology systems, recommendations can be made as to which software vendors and packages align with the current company systems. Examining the volume and potential high-risk areas of information creation can help decide which of the company's technology systems and area of records creation are most appropriate to target and in what order.
After conducting an e-mail and electronic records assessment, a formal and detailed corporate e-mail policy is put in place in collaboration with the IT department. The document outlines specific instructions for e-mail users regarding the handling e-mails of all types. A records retention program is also instituted which includes e-mail generation and destruction.
Given the recent climate of investigation and inquiry of financial services firms, as well as the reworking of the SEC rules and records, a company is well advised to form a record retention program that takes into account and addresses users' e-mail creation. Keeping e-mails for longer or shorter times than guidelines dictate exposes a company unnecessarily to risk.
Elizabeth Schnitzer, M.A. is a consultant with Iron Mountain Consulting Services (www.ironmountain.com) headquartered in Boston.