The Compliance Imperative: Managing Record Retention in a Rapidly Changing Regulatory Environment
Jin J. Lee wishes to thank James Santangelo and Rosalind Conway for their contributions to this article. James is a director and Rosalind is a manager in PricewaterhouseCoopers' Information and Document Retention Services Practice.
If you're responsible for data retention issues and work within the financial services industry, you may even remember the date: March 10, 2004. That is the day the Securities and Exchange Commission (SEC) brought what was, at the time, an extraordinary "documents case" against Banc of America Securities (BAS). During an SEC investigation into whether the company had engaged in improper trading practices, BAS repeatedly failed to promptly furnish key records requested by the SEC, including electronic mail - particularly an e-mail exchange relating to matters BAS knew were under investigation, specific compliance reviews, and compliance and supervision records concerning the personal trading activities of a former senior employee of the firm. When BAS ultimately did respond to the SEC's requests, its responses were often incomplete, inaccurate or unreliable. The consequences to BAS? Censure and a civil penalty of $10 million.
It's simply a different world. How an enterprise manages the record retention implications of a staggeringly large and ever-expanding volume of electronic information is no longer merely a data management challenge. It's a critical issue driven by a new wave of litigation, expanding government investigations into corporate wrongdoing and an increasingly complex set of business, legal, regulatory and compliance obligations. Today, whether or not a company takes a strategic approach to records retention program management can have a material impact on competitive differentiation, corporate performance and shareholder value.
What exactly is driving the need for better record retention programs? What do executives have to understand in order to navigate the multitude of record retention variables in today's highly regulated business environment? What do they have to do to meet the record retention requirements associated with legislation such as the Sarbanes-Oxley and the Health Insurance Portability and Accountability Acts? And, in light of the fact that information and record retention is now such a fundamental component of a comprehensive risk management program, what are the key issues that managers should consider when implementing an enterprise-wide record management program?
Coping with a Complex and Evolving Set of Regulations
To begin, it's difficult enough for any company just to keep current with the wave of federal, state and industry-specific regulations that directly or indirectly affect its record retention practices. From the SEC to the U.S. Department of Health and Human Services (HHS) to the National Association of Securities Dealers (NASD), regulators are rigorously enforcing books-and-records requirements such as the following:
The Sarbanes-Oxley Act (SOX): Section 802 (Criminal Penalties for Altering Documents) makes it a federal crime, punishable by fines, imprisonment of up to 20 years, or both, to knowingly alter, destroy, mutilate, conceal, falsify or make a false entry in any record, document or tangible object with the intent to impede, obstruct or influence a federal investigation or bankruptcy case. The same section also requires accountants to retain audit and review workpapers for five years from the end of the fiscal period in which the audit or review concluded.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA's Privacy and Security Rules require covered entities - health plans, healthcare clearinghouses and healthcare providers that transmit health information electronically - to implement administrative, physical and technical safeguards for protected health information, and to retain the policies, procedures and other documentation those rules call for six years from the date of creation or the date last in effect, whichever is later.
SEC Rule 17a-4: This rule defines the types of records that broker-dealers are required to preserve, how long they must be kept and how they may be stored - including the requirement that records kept on electronic storage media be preserved in a non-rewriteable, non-erasable format.
NASD Rules 3010 and 3110: These rules require broker-dealers to supervise the transactions and correspondence of registered representatives with the public and to make and keep the corresponding books and records - including capturing, archiving and retrieving instant message traffic in the same manner SEC Rule 17a-4 requires for e-mail.
These and other evolving regulations require companies to comply with a tremendous number of retention periods, storage methods and other specifics depending on a broad number of factors. These factors include which types of data the company collects, which industries the organization operates within and which geographical regions, countries, states and local jurisdictions define its theaters of operation.
Consider, for example, the differences in the insurance statutes of three states - Florida, Missouri and New York:
- Florida does not specify a record retention period for policy records.
- Missouri requires that, for each Missouri policy issued, a policy record file be maintained for the duration of the policy term plus two calendar years.
- New York requires that a policy record for each insurance contract or policy, except as otherwise required by law or regulation, be maintained for six calendar years after the date the policy is no longer in force or until after the filing of the report on examination in which the record was subject to review, whichever is longer.
Enforcement and Court Actions Are Raising the Stakes
New regulations are not just in effect, they're also being enforced. For example, within the seven-month period that followed the SEC enforcement action against Banc of America Securities, three other high-profile legal actions began to change how executives in the financial services industry view the risks of non-compliance with respect to data retention practices:
- In Zubulake v. UBS Warburg (UBS), the U.S. District Court for the Southern District of New York granted the plaintiff's motion for sanctions against UBS on July 20, 2004, for destroying e-mails sent or received by UBS personnel that were relevant to the litigation. The court ordered UBS to pay all "reasonable expenses, including attorney's fees" incurred by the plaintiff (Zubulake) in making the motion, and ruled that the jury would be instructed that, if it found the destroyed e-mails would have been material to the facts in dispute, it could infer that those e-mails would have been unfavorable to UBS.
- The SEC announced on August 23, 2004, that it fined four firms (Adams Harkness, Inc.; Needham & Company, Inc.; Janney Montgomery Scott LLC; and Morgan Keegan & Co., Inc.) for violating the record-keeping requirements of Section 17(a) and Rule 17a-4 of the Exchange Act concerning business-related internal e-mail communications during the period of July 1999 through June 2001. Each of the four firms consented, without admitting or denying the findings, to a cease-and-desist order and to undertakings to ensure that they are in compliance with the record-keeping requirements of Section 17(a) and Rule 17a-4 of the Exchange Act.
- On October 14, 2004, New York Attorney General Eliot Spitzer announced a civil suit against Marsh & McLennan, the largest U.S. insurance brokerage firm, alongside criminal charges in the same bid-rigging investigation, a probe based partly on a trail of internal e-mails.
And the fines are getting larger. In fact, on the day this article was written, the Wall Street Journal reported that the New York Stock Exchange, the SEC and the NASD had imposed on J.P. Morgan one of the largest fines ever levied for e-mail retention violations - $2.1 million. In this particular case, J.P. Morgan was not accused of intentionally destroying e-mails. The bank was held to account "for initially incorrectly telling regulators that it had provided a complete set of e-mails that were requested as part of the investigation." In a written statement, Susan Merrill, the NYSE's chief of enforcement, put it bluntly: "[J.P. Morgan's] representation that its e-mail production was complete, without disclosing that it had failed to retain, locate and restore all e-mail responsive to our investigation, is simply unacceptable."
Current Corporate Practices: High Costs and Unmitigated Risks
Understandably concerned - and clearly prompted in large measure by increasing litigation and regulatory pressures - more and more executives are reviewing their current record retention policies and procedures to ensure that they are effective and operational. However, more often than not, these reviews are uncovering an unsettling host of problems, oversights and management deficits across the full spectrum of corporate record retention practices.
Too often, companies are not retaining records as required by laws and regulations; are retaining records too long, which needlessly exposes them to the higher risks and costs of a potentially broader scope of discovery; or are inadvertently destroying records that should have been preserved.
In many cases, policies simply don't exist. In the absence of guidelines, individuals are making key decisions - in an uncoordinated manner, applied inconsistently across the enterprise - on what to keep and for how long, and on where records and documents saved are to be stored. When policies do exist, they are often outdated, rarely reviewed or infrequently subject to compliance assurance and enforcement.
Electronic discovery during litigation or investigation can place an enormous burden on the organization's resources. Many companies have vast amounts of unmanaged electronic information within the corporation (especially embedded within e-mail records, backup tapes and databases). Preservation processes often do not effectively preserve potentially relevant information. Frequently, retention responsibilities have not been delegated to individual business unit managers. And, many key personnel stationed at touchpoints across an organization's overlapping information supply chains are either not aware of the policies and their responsibilities or are aware of these governance mechanisms, but do not have the knowledge or the tools to differentiate between records and non-records.
In short, managers are realizing that if prompted to respond to a court order with respect to electronic discovery, their organization may not be able to find the required information or furnish it in a timely and cost-effective manner. What's the solution? Designing, implementing and sustaining an enterprise-wide records management program.
An Integrated Approach: The Key to Effective Records Management
An effective record management program can not only help control costs and manage IT resource requirements related to electronic discovery, but can also mitigate risks associated with potential business disruption, monetary sanctions or negative impacts to corporate reputations or brand integrity. But how should companies go about implementing such a program? Here are a number of actionable steps managers should take to ensure that the program is a successful one:
Obtain explicit buy-in from senior management. A records management program isn't a technology initiative; it's a policy-driven mechanism necessary to comply with laws and regulations. As such, records management is fundamentally a core component of a broader approach to enterprise-wide governance, risk and compliance. Because the program's success depends so much upon explicit and sustained support across many different functions and business units, securing senior management buy-in is essential.
At each stage, engage the right set of internal stakeholders. Ownership of any records retention process almost never resides with one individual. Instead, an effective records retention program depends on the contributions and coordination necessary among multiple stakeholders in the process - each of whom must be clear about his/her role and responsibilities and committed to the program's success. Among the most important roles is that of the general counsel whose office provides a critical center for ongoing policy maintenance, litigation support and risk management activities. The general counsel will typically lead the efforts to 1) develop records retention policies and procedures and 2) manage investigations and litigation processes including complying with e-discovery obligations in a timely and efficient manner - from both a preservation and production perspective. The general counsel will also coordinate these efforts with other stakeholders, which include the chief information officer (CIO), the chief compliance officer (CCO), internal auditors, records administrators and business and functional managers.
Understand your organization's specific records retention environment. Make sure that decision making is based on a clear understanding of your current lines of business and the specific regulations that affect them; critical business processes and the types of information they generate; existing record retention policies that govern information management; how this information is used and stored as records, including the technological infrastructure and systems used to archive and secure them; and how the records management organization is structured and how effective it is at execution. If the program has not been reviewed in the past two or three years, make sure such an assessment is undertaken to measure program effectiveness, particularly with respect to compliance.
Establish clear and consistent policies and procedures. Running an effective record retention program requires a top-down approach to establishing sound policies and procedures that are fully integrated with business processes and regulatory requirements and, at the same time, practical to implement. A well-documented set of policies and procedures is particularly valuable in two ways: it helps rebut allegations that a policy was adopted in order to eliminate "bad documents" or destroy relevant evidence, and it lets the organization show that information which no longer exists was destroyed as a routine, scheduled part of the records retention process rather than in response to a dispute.
Deploy a fully integrated, technology-enabled, enterprise-wide program. In addition to communicating and deploying these policies and procedures across the enterprise, also apply leading technology solutions to capture, archive and retain the records. Organize a network of compliance coordinators to facilitate the program, and include general counsel in all decisions made and implemented. In addition, look carefully into whether existing technology can address retention and archiving requirements - especially for electronic records such as e-mail and databases.
Be sure to establish a methodology that integrates record retention compliance with the broader management architecture of corporate governance, risk management and compliance activities. That means putting key success factors in place: clear, supportive and committed messaging from the company's top executives; performance reporting to senior management; change management procedures to educate executives, administrators and staff about their respective responsibilities; and pre-established lines of communication between key stakeholders such as outside counsel, inside counsel advising specific business units, IT personnel and, if necessary, external IT service providers during the discovery process.
Conduct periodic assessments and audits. One of the biggest challenges in implementing a record retention program is ensuring that employees comply with the policies and procedures on an ongoing, day-to-day basis. Periodic assessments and audits should evaluate the following:
- whether company record retention policies, procedures and the retention schedule are up to date with respect to current laws and regulations, changes in the business environment and technology innovation;
- whether the technological infrastructure and systems (e.g., e-mail archives) needed to achieve all document retention objectives are in place;
- whether the storing, archiving and retrieval of well-organized and inventoried records is proceeding effectively;
- whether the records management organization structure is still effective and people still comply with the policies and procedures; and
- whether periodic communications and training are conducted on a regular basis.
The Benefits of an Effective Program
What's the payoff for this effort? First, cost savings: when you know what you have, where it is located and how it is stored, the costs of preservation and production during electronic discovery fall. Second, risk management, governance and compliance performance improve. Why? Because with a clearly defined set of roles and responsibilities, the organization demonstrates controls and compliance through routine, regular reports to senior management, and the systematic treatment of information supports clear explanations of why some types of information are available and others are not.
Third, your IT resource utilization improves because now you're proactively planning for system enhancements rather than falling back on "fire alarm" implementations when problems suddenly surface. Fourth, the organization's competitive footing expands because it is now fostering information and knowledge management through a structured program. And fifth, legal footing is enhanced with effective support from the office of general counsel and the establishment of predetermined litigation "hold" procedures.
In summary, an approach based on a top-down compliance strategy and bottom-up assessments and audits is the best way to keep pace with the complex changes in the business, legal and technical components of the current record retention regulatory environment.