Regulatory compliance and the rapidly growing use of e-mail for business purposes have created a pressing need for organizations in the banking industry to reconsider the meaning of e-mail management. Financial institutions must re-evaluate the effectiveness of their existing strategies and processes to accommodate increasing e-mail volume, mitigate risks and ensure regulatory compliance. In doing so, they should also look for areas where the implementation of such process improvements could help them gain an advantage over their competitors.
According to an IDC forecast, an estimated 60 billion e-mail messages, up from 31 billion in 2002, will be sent daily around the world by 2006. TowerGroup estimates that by 2007, the securities industry alone will handle over 95.8 million e-mail messages per day. While it is estimated that about half of this e-mail volume consists of personal messages, spam, viruses and the like, the remaining messages do indeed have real business value.
E-mails of business value can range from bank employees exchanging advice or customer-related information to report findings. Customer e-mails can range from customers e-mailing their account managers about financial matters to bank officials using e-mail to disseminate targeted information to their customer base. These e-mails are records of business being transacted and should, therefore, be managed, sorted, filed and made accessible to the organization in much the same way that traditional paper correspondence would be.
Beyond the need for banks to manage e-mail for logistical or business process reasons, there are industry regulations to comply with, such as NASD Conduct Rules 3010 and 3110 and SEC Rules 17a-3 and 4, which dictate specific requirements regarding the archiving, monitoring and retrieval of business-related e-mail records. Further complicating the issue are state regulations and federal laws; the Sarbanes-Oxley and Gramm-Leach-Bliley acts are two examples. Such regulations address the management of company records in general, including e-mail.
Banks that have neglected or outright ignored these regulations have done so at their financial peril. For the last few years, newspapers have been flooded with stories of high-profile corporate blunders involving financial institutions mismanaging e-mail, and associated million-dollar fines imposed by the Securities and Exchange Commission. These spectacularly costly examples illustrate that e-mails contain important business-related content and should be managed with the same care as other corporate records. If they are not, the consequences could be severe.
Almost everyone understands that e-mail must be managed as a corporate record, and in a compliant manner. What is not clear for many firms in the financial services industry is how to unravel the complexities of managing e-mail to be compliant with the various regulations governing their businesses. Additionally, above and beyond compliance, there is the question of how to merge immediate risk mitigation with longer-term business improvement requirements.
Any sort of compliance-related initiative, of course, needs to be undertaken with the guidance and participation of legal counsel to ensure thorough and relevant compliance with any and all applicable regulations. While the list below is by no means comprehensive, given regulatory differences at the jurisdictional level, whether state, federal or international, most financial institutions in the United States need to address at minimum the following:
* Under the Securities Exchange Act of 1934 (Rules 17a and 17a-4 for broker dealers), the storage and retrieval of paper and electronic records, including e-mail, that are related to broker dealer records are addressed in detail.
* The National Association of Securities Dealers Conduct Rules (3010 and 3110) address the monitoring, storage and retrieval of records and specifically correspondence, again including e-mail, that's related to the business of the securities firm.
* The Gramm-Leach-Bliley Act addresses the protection of nonpublic personal information at financial institutions. While the act does not specifically address e-mail, it does mention "establishing appropriate standards ... relating to administrative, technical and physical safeguards to insure the security and confidentiality of customer records and information." If e-mail is used to communicate such information, either to or from the customer, then it would presumably fall under this clause.
* The Sarbanes-Oxley Act addresses financial reporting and auditing processes within organizations as well as increased corporate transparency. It adds substantial criminal provisions for violations of the act. Again, the act does not specifically address e-mail per se, but it does contain various clauses that impact how companies manage paper and electronic records, which includes e-mail.
In addition to those mentioned above, there are many other state and federal regulations. According to the American Records Management Association, there are more than 8,500 state and federal regulations that affect records management.
Clearly, e-mail is part of a larger records management mandate for financial services organizations. It has been established as a legitimate form of business communication and recognized as a corporate record. In the process of incorporating e-mail into a formal records-management system, companies should also apply consistent policies to all records regardless of format.
Until 12 months ago, fewer than five percent of companies were actively managing e-mail as a corporate record, with most banks using back-up tapes as their primary method of managing e-mail. Today, however, financial institutions are starting to take steps to implement specific technology to meet pressing regulatory requirements. Many are now beginning to deploy tools that perform a passive archiving function, whereby most if not all e-mail is stored in a repository from which messages may be recovered in the event of a regulatory audit or investigation.
Compliance issues have become some of the most important ones on a CEO's plate. Banks know it's not just about protecting themselves, it's about doing the right thing for consumers. Generally, to effectively address compliance issues, an e-mail management product should provide minimum functionality, including the ability to:
* Store: With this requirement, there is a need to balance low-cost storage alternatives with the obligation to be responsive to any record requests. The system should provide for single-instance storage of messages, to reduce the risks and records management costs related to storage and retrieval of multiple copies.
* Capture: This should be automated where possible, thereby reducing the need to rely on end users, consequently reducing user error. For instance, there could be problems if more than one user archives the same message and duplicate copies are created in the repository. The system should, however, allow exceptions-based manual capture of messages as well, for those instances when the best judgment may outweigh newly automated procedures.
* Index and classify: This involves the indexing and classification of e-mail records to facilitate rapid and easy retrieval of relevant records when required for compliance or litigation discovery purposes. This should also be automated where possible to prevent user error. Various degrees of automation exist, from basic rule-based classification to artificial-intelligence-driven classification.
* Retrieve on demand: Effective retrieval would depend on reliability of storage, capture and classification. Here's an example of the urgency for this: In July, UBS was sanctioned by a federal judge during a human resources-related case, for not providing relevant e-mails and for allowing backup tapes to be destroyed. This example shows that such measures are not only for regulatory compliance, but also for discovery in legal cases.
* Secure: Financial institutions should have the appropriate technologies and policies in place to ensure confidentiality of personal client information. The product should allow for configurable security access whereby only those individuals within the organization who have appropriate access levels can view and/or act on the e-mail.
* Audit: Many regulations require that audit trails be produced on demand, along with any requested e-mail records, to verify compliance.
Even with these minimum archiving capabilities, however, banks that decide to deploy such mechanisms should keep in mind that what they will end up with is effectively a "self-insurance policy." Like all insurance, such solutions bring a certain peace of mind, but that's all.
Established enterprise content-management vendors' products today offer functionality that extends beyond simple passive e-mail archiving, with considerably more benefits, both immediate and long-term, than self-insurance. These software products activate e-mail by allowing organizations to store and share e-mail and other documents in a single repository, connect to other enterprise applications like records management to ensure appropriate retention and disposition of e-mail, and even automate business processes that might include e-mail, using workflow tools.
Integrating e-mail into processes has huge benefits for banks focused on customer retention and service. Imagine, for example, having a unified customer-communication process, a system where voice messages and images like photos and signatures are scanned and all electronic documents, faxes and e-mail are stored together and managed through a single set of business processes. Instead of this data residing in a number of different systems and applications, now there can be simply one secure repository where all pertinent content or documents relating to a specific customer can be easily found.
For example, e-mail messages can be linked back to a customer transaction or account record within the institution's customer relationship-management system. The productivity gains and cost savings from this sort of configuration can be substantial. Such products will become more prominent and fully integrated into policies and business processes in the future, and as we are already seeing, "archive-only" products will wither away. Banks would not want to invest in an e-mail archive when they can get so much more from a total enterprise content-management product.
When seeking out an e-mail management system, banks should acquire one that simplifies the capture, search and retrieval of organizational e-mails deemed of business value, based on internally defined business rules that can be incorporated into the capture process. The system should also support both automated and manual capture processes, to ensure that no messages fall between the cracks. Captured e-mails and their attachments should be indexed and stored in a secure repository, alongside other corporate documents, which allows for robust search options. A significant added value would be to deploy a system that easily integrates with other enterprise systems so that the knowledge contained within the e-mail can be shared across different business functions and be managed as business records.
Ultimately, legislation indicates that e-mail is a written record of business activity and needs to be managed with the appropriate retention and disposition processes applicable to other corporate documents. In complying with this, all organizations, particularly those in the financial industry, need to have a vision that encompasses the larger potential benefits an effective e-mail management system can bring to their businesses. Risk mitigation and business improvement do not have to be at cross-purposes, and in fact, a truly effective and valuable product should enable both.
Adam Wilkins is vp of business development and a senior partner at Yaletown Technology Group.











