Investment dealers have taken up the challenge of ensuring that their correspondence is properly archived. A bylaw amendment by the Investment Dealers Association of Canada last year places the onus on IDA members to keep e-mails entering and leaving their companies.
“I would think everyone is compliant,” says Larry Boyce, vice president of sales compliance and registration at the IDA in Toronto, explaining that e-mail archiving software has helped members. “We occasionally find a firm that doesn’t have everything in place, but as times go on, firms gradually acquire these systems, whereas they may have had something fairly rudimentary before.”
The regulations give the IDA the right to request copies of their members’ e-mails at any time. If the dealer does not provide them, the consequences are severe, Boyce warns.
A company that wilfully disobeys the rules could be subject to punitive or remedial damages, or both. Prosecution is an option, as is the mandatory appointment of an employee to oversee the proper archiving of correspondence. Companies that can prove they made a best attempt to meet the requirements of the bylaw, but fell short, would probably be subject to more lenient measures, Boyce says.
The regulations were developed post-Enron Corp. and WorldCom Inc., in an environment in which securities regulators are aggressively trying to prevent obfuscation through the alteration or removal of documents. The IDA has taken a strong line, updating its regulations specifically to include electronic communications, forcing brokerages to rethink their handling of e-mail correspondence.
The amended bylaw — 29.7 — previously dealt with sales and advertising literature, but the update widened the scope of the regulation considerably. The term “correspondence” was not included before, although some correspondence would be perceived as sales literature and, therefore, included in the original bylaw. Definitions used in the original bylaw did not include electronic communication (not many people were sending e-mail in 1982). Now, things have changed.
“By implication, some forms of correspondence were included. But this time we included it specifically,” Boyce says. “Anything that’s going out to the client that’s specific to that client becomes correspondence.”
What does this mean? In short, IDA members have to save any e-mail correspondence exchanged with external parties for five years from the date of creation. Advertising and sales materials have to be saved for only two years.
The sheer number of e-mails passing through a firm’s e-mail systems each day makes this a daunting task. Employees cannot be held responsible for collecting their own e-mail, warns Bassam Zarkout, director of records management solutions for content management company Mobius Management Systems Inc.
“This needs to be done without user involvement, and it must be done before the user has the opportunity to edit or delete the e-mail,” he says. “So it must be done at the server level by the information technology department. And it must be done in an auditable and reliable manner.”
Most investment dealers will have their own e-mail servers — computers that acts as virtual post offices for the companies’ incoming and outgoing e-mail. Many e-mail servers create their own archive of received e-mail, making it theoretically possible to store five years of e-mail directly in the system.
Storing e-mails
However, large, unmanaged stores of e-mail have been known to slow down some e-mail servers. There is no guarantee the server will be able to hold five years of communications effectively, especially with the large file attachments that many financial professionals now send electronically. Searching for such e-mails is also far from intuitive.
Mobius sells e-mail archiving technology that monitors the e-mail server, capturing e-mails at the time they are sent from the company or received by employees. The software then takes note of how long to retain the e-mail and stores it on a backup medium so it can be retrieved later.
However, to be truly safe, companies should also back up their archived e-mail so that in
the event of a disaster, they will still be able to recover their correspondence. Ideally, such backups should be archived to a secure site away from the company’s premises and stored on an optical disc that does not allow information to be changed once it has been stored. That way, a company can provide a more convincing case that e-mail has not been tampered with after the fact.
@page_break@Many companies are not comfortable managing the archiving, storage management and backup processes themselves. Some have handed the whole tangled mess off to a third party. Fortiva Inc. , for example, encrypts e-mail on a firm’s premises using an appliance, a small box designed as a closed system that needs no maintenance. The appliance then transmits the encrypted e-mail to Fortiva’s offices, where the encrypted data is stored; the originating firm can then search the archive remotely over the Internet. Fortiva also backs up the data to a location thousands of miles away to provide extra protection in the event of a disaster.
Elliot Johnson, vice president of information technology at Toronto-based investment dealer GMP Securities Ltd. , uses the Fortiva solution to archive his e-mail. The amendments to Bylaw 29.7 last year did not adversely affect GMP, explains Johnson, because, as a U.S.-registered company, GMP already fell under Securities and Exchange Commission and National Association of Securities Dealers regulations. Many other investment dealers based in Canada but with U.S. connections will be in a similar situation and may be subject to archiving requirements under U.S. legislation, such as the Sarbanes-Oxley Act.
Johnson chose an outsourced solution because it minimizes the set-up effort involved.
But he also liked the search facilities within Fortiva’s product. The system integrates with Microsoft Corp. ’s Active Directory, a type of computerized address book used to explain to e-mail systems who works in which department.
“As a result, [Fortiva’s system] can search among groups. I can put in a rule saying I want to see all mail between investment banking and research meeting certain criteria,”
he says. Boyce says companies choosing sophisticated software could benefit. “Do you want someone popping up at the examination for discovery with material that you don’t know you sent?” he asks.
Dallas-based Entrust capitalizes on complex search mechanisms for e-mails. Suhayya Abu-Hakima, vice president of content technology for the company, provided much of the text analysis capability within Entrust’s “entelligence compliance” server software through her company, AkimaNow! , from which Entrust purchased the technology last year. Instead of simply searching for keywords, the product analyses the text of e-mails and looks for concepts.
“Entrust’s technology uses the idea of relationships as a way to relate information to other information,” she says. “We can do things such as fuzzy matching, stemming (searching on the roots of a word) and analysis of misspellings.”
Such advanced search techniques are all very well, but these e-mail archiving products will not protect dealers in all cases. If advisors are using instant-messaging technology, which allows people to chat with each other online, the firm must archive that, too. IE
Companies on track to meet new e-mail archiving rules
Software companies are helping firms meet IDA requirements to store all correspondence — including e-mail — for five years
- By: Danny Bradbury
- September 29, 2005 September 29, 2005
- 11:52