Newer Regulations Keep Banks On Their Toes When it Comes to Content

Compliance demands highlight need for enhanced content management strategies.

ROUNDTABLE PARTICIPANTS

Stricter rules and advanced technology are increasing the type of content banks need to manage and archive. With legislations such as Sarbanes-Oxley and the USA PATRIOT Act, financial institutions need more comprehensive technology solutions in order to comply with these regulations. The need to archive imaged checks and other paper documents now goes hand-in-hand with the management of e-mail, IMs and other types of communication. BS&T associate editor Cynthia Ramsaran recently interviewed a number of industry executives on the topic.

Q: What are some of the newer content-retention regulations with which banks are dealing? What is the number-one priority when it comes to compliance/content management?

A: Jan Scites, Scites Associates: The number-one priority is meeting the requirements of the Sarbanes-Oxley Act, which requires certain financial reporting and retention, with deadline for compliance in 2004. In terms of retention, the key for banks is to meet all current retention rules and have clearly established retention schedules. These schedules need to be made available to regulators. Companies must also demonstrate, through self-audit and external audit review, that schedules are being consistently met.

A: Christopher McLaughlin, FileNet: Clearly, Sarbanes-Oxley has has the most impact of the recent newer regulations, especially from a content management and retention point of view (Section 103). However, we are also helping customers to address compliance issues related to SEC regulations governing the retention of trade documents, MISMO requirements related to mortgage loan document retention, as well as emerging regulatory concerns related to the retention of e-mails and instant messages. Among our customers, Sarbanes-Oxley is currently the most pressing issue driving their interest in enterprise content management (ECM). However, we are also seeing rapidly increasing interest and demand around Basel II compliance requirements. With these newer regulations, however, customers are not released from responsibility for compliance with multiple older regulations-not the least of which is privacy. We are developing solutions that can adapt to the demands of top-down corporate expectations while safeguarding the organization's ultimate responsibility to its customers.

A: Robert D. Kugel, Ventana Research: Public companies have been going through process assessement to identify weak spots in internal control. A company's internal audit processes may exclude some or all records management issues. Often, accountability for retention and deletion is not clear. In many companies, records management has been an after-thought and therefore handled in an inconsistent fashion. Digital and paper records are managed differently, and within a corporation, each may be stored in different ways from one business unit to the next. This inconsistency can pose internal control issues. Also, document retention policies may be incorrect. Managing records has been a dull, clerical function that few people in any organization want to think about. Sarbanes-Oxley, however, has made the issue more important. Sarbanes-Oxley requires management to attest to the adequacy of the internal controls and the quality of the financial reporting. In practice, compliance with Sections 404 and 302 will involve ongoing documentation to be able to demonstrate conformity with the law. All of these documents will have to be retained, along with all of the papers created by the audit firm that evaluates the internal controls.

Q: What are some of key tools and strategies banks are using to comply with document or e-mail management regulations?

A: Scites, Scites Associates: Financial institutions are adopting records management policies for the enterprise. These policies include retention and destruction schedules, records definition, business process management and annual compliance self-audits. Many banks are also implementing write-once, read-many (WORM) server technologies for capturing records. Other tools they are implementing include document management, Web content management, legacy integration software and data and storage optimization.

A: Nina P. McIntyre, Kubi Software: Messaging stores are difficult to manage in part because they are so unstructured. As the use of e-mail has grown, banks, like other organizations, have seen messaging stores expand into vast, undifferentiated seas of data, with business-critical communications hopelessly intertwined with messages that are mundane, ephemeral, personal or virus-bearing. To cope with this overload, some banks have adopted a strategy of separating the wheat from the chaff.

A: McLaughlin, FileNet: Specifically, enterprise content management solutions can combine business process management capabilities with document management and imaging capabilities. Interestingly, we believe that compliance is as much a process issue as it is a content or document issue. Compliance is not just about constructing "digital landfills" that store massive amounts of documents. Compliance is an issue of ensuring that controls exist throughout the organization to ensure that corporations are well-governed and fair in their reporting of information to customers, partners, shareholders and regulators. While content plays a critical role in this equation, the process by which the content was prepared is equally important. So, we are working with our customers to build compliance frameworks or architectures leveraging proven technologies like enterprise content management and business process management. Not only will these technologies or tools allow our customers to address current regulations like Sarbanes-Oxley, they will also instill a proper foundation to address other compliance mandates, such as Basel II, the USA PATRIOT Act, HIPAA, GBLA, etc.

Q: Are there specific deadlines that companies must meet?

A: Scites, Scites Associates: There are specific deadlines under Sarbanes-Oxley, HIPAA and the USA PATRIOT Act of 2001. In meeting Sarbanes-Oxley deadlines they need to be able to show financial transparency, methods to access records, and financial end-to-end processes. Of course, financial institutions that are publicly traded must meet all securities laws. If they have a broker/dealer they must also meet NASD rules. Recent SEC enforcement actions indicate that they intend to strictly enforce both existing and new rules.

A: McLaughlin, FileNet: The deadline that is most rapidly approaching is the deadline for Section 404 of the Sarbanes-Oxley Act, which takes effect in mid-2004. On an international basis, there are also some intermediate-term deadlines for Basel II, as well as some potential, country-driven regulatory issues. For example, the FSA in the U.K. is slated to begin regulating the mortgage loan industry in that country beginning in 2004.

Q: What about instant messages (IM)? Can IM be archived?

A: McIntyre, Kubi: From a compliance perspective, it would certainly be more prudent to archive the organization's instant messages than not to. Instant messaging does pose particular problems with regard to management, though, as IM communications tend to be even more spontaneous. The answer is not to ban IM use, as that would cede competitive advantage to other banks, but to develop sensible policies for its use, and to look for software solutions that tightly integrate IM with the rest of the communications infrastructure, including e-mail.

A: Kugel, Ventana: Today, instant messaging systems have created the need for real-time monitoring of far more material than ever before. Some firms have banned the use of instant messaging because of the compliance issues they pose, but monitoring systems have been effective. Not long ago, one brokerage firm we know of dismissed a well-regarded analyst after their system picked up an inappropriate e-mail communication between the analyst and a company that was being courted by the investment banking arm of the business. Some brokerage firms have outsourced the monitoring and records-keeping functions of electronic communications to third-party vendors that offer this service.

A: Scites, Scites Associates: IMs present significant challenges to financial institutions. If a company is not yet using IM, I would recommend that their corporate policy be not to allow it as part of their business process. In effect, they ban it. If it's currently using IM, and it is not part of the business process, then store what you have to, [and then] discontinue use and implement a policy stating no use. Some corporations argue that IM is like a phone conversation and therefore should not be be kept. IMs are not phone calls, they are digital records. If they are part of a business process they must be kept. If IM is in use, there are software and storage tools available. A corporation needs to establish a policy and process for IM and then consistently adhere to that policy.

Q: What trends or possible new regs are you watching?

A: McLaughlin, FileNet: We are working with a number of our customers around Basel II and expect that, as result of this Accord, many financial services organizations will renew their focus around risk management and, in particular, operational risk management. We are also monitoring the evolution of the USA PATRIOT Act and expect another interaction of this legislation within the foreseeable future. Among our customers, Sarbanes-Oxley is currently the most pressing issue driving their interest in enterprise content management; however, we are also seeing rapidly increasing interest and demand around Basel II compliance requirements. And, in the longer term, we feel that Basel II is a much more strategic issue for our financial services customers. With these newer regulations, however, customers are not released from responsibility for compliance with multiple older regulations-not the least of which is privacy. We are developing solutions that can adapt to the demands of top-down corporate expectations while safeguarding the organization's ultimate responsibility to its customers.

A: Scites, Scites Associates: As more corporations are audited/investigated, one trend is obvious. The fines are getting bigger, indicating no tolerance for failure to meet requirements. There are also more shareholder lawsuits, which will create a body of case law that will impact the definition of acceptable business practice in this area. Top executives will be held accountable and it will not be a defense that they were unaware of their organizations' failure to comply.

A: Kugel, Ventana: I don't expect to see much of a loosening of regulation or enforcement of investment banks and brokers. With so many people invested directly or indirectly in the markets, it is likely that the SEC and other regulatory bodies will keep the heat on because it's good politics to do so. Second, everyone is waiting for the test cases and their resolution that define how Sarbanes-Oxley actually will be implemented and enforced. There are still many questions as to how some of the high-level concepts will be interpreted by the courts. Third, it is not clear how strictly the auditors will interpret the rules initially, but it is likely that over the next several years audit firms will raise the bar on what constitutes "adequate" control. If the auditors don't look closely at a company's records management systems in the initial Sarbanes-Oxley 404 audit, they probably will do so in the following year.

Q: What other forms of content do banks need to retain to comply with current regulations? What challenges do they face?

A: Kugel, Ventana: For years institutional brokerage firms have recorded calls to enable them to resolve disputes over verbal instructions. The retention of these sorts of communications is covered by the SEC's existing rules. Outside this application there are a lot of regulations that prohibit recording calls without the explicit consent of the party being recorded, so managing phone messages is not as much of an issue. What has changed over the past three years is not so much the rules, but how they are, or might be, enforced in the future. What's also very different today compared to 10 years ago is that much more communicating is taking place in a recordable and searchable form (e.g., e-mail and instant messaging) that used to be done face to face or over the phone. Also, to be competitive, brokers must maintain Web sites for their clients that offer frequently changing content. These firms therefore must supervise and maintain records of far more communication than ever before.

A: McLaughlin, FileNet: The ability to manage Web content can be crucial for reconstructing messaging, reporting, or even specific customer offers that are displayed on your Web site on a given day and time. FileNet ECM also incorporates WCM capabilities and, as a result, we are able to rapidly reconstruct a specific Web page or site, with full fidelity, at a given point in time. This capability is typically referred to as a roll-back and is often essential in responding to regulatory inquiries or litigation. Clearly, the Web is yet another channel by which we communicate with customers, partners, shareholders, etc. And, in short, companies need to be able to prove what was displayed on their Web site at any given point in time.

A: Scites, Scites Associates: For banks, any transaction information in whatever form must be kept. This includes images, e-mail, IMs, voice calls, voicemail and documents (electronic and paper). The number-one challenge is how they will store and retrieve data for purposes of regulatory compliance, audit and conducting their business in a cost effective way. This involves funding the purchase of storage and retrieval (global search tools) hardware and software and hiring expert resources to implement, monitor and manage the records to meet compliance requirements. Corporations may be in a situation where they have to save everything.