Navigating the regulatory straits of records management in the financial markets industry


IBM Business Consulting Services
Executive Brief
Financial Markets

Navigating the regulatory straits of records management in the financial markets industry

Creating and implementing an effective records management strategy


Executive summary

Financial markets firms are obliged to capture and store records for each business transaction. Market pressures are growing for effective solutions. Although seemingly simple, records management and preservation is affected by countless, sometimes conflicting, internal, external and regulatory requirements. Firms relying on traditional methods may fall behind competitors that are implementing more effective procedures and systems that can help them achieve compliance at lower cost and risk.

The cost to implement an enterprisewide records management program can be significant. To help ensure an enduring, cost-effective records management program, firms need technology tools that can help improve and automate compliance efficiencies while preserving and leveraging existing investments, thereby helping to reduce overall costs and risk.

With the right strategy, financial markets firms can implement effective records management programs that address both data retention and regulatory mandates. Such programs can be implemented quickly and in an incremental fashion based on the needs of the business. By involving key internal players from the beginning and leveraging technology tools, records management solution implementations can be made manageable and cost-effective.

Mounting pressures necessitate more effective records management methods

Financial markets firms are feeling tremendous pressure, both internally and from clients and regulatory agencies, to put effective records management programs in place. Within the last five years, several major industry players have been penalized and fined for loss of client information, inability to retrieve records and inaccurate data [1]. Currently, self-regulatory organizations (SROs) and national and international governing agencies responsible for monitoring financial institutions and practices do not explicitly require that financial markets firms have comprehensive records management policies in place.
However, these supervisory bodies do expect firms to manage and preserve records in accordance with established rules and regulations. Consequently, to comply with regulatory guidelines, firms need to develop and put into practice robust records management programs enterprisewide, ideally as efficiently and cost-effectively as possible.

Conflicting requirements can impact implementation of an effective program

In addition to complying with the demands of federal regulatory agencies, like the United States Securities and Exchange Commission (SEC), a financial markets firm must abide by the rules of SROs. Entities such as the Commodity Futures Trading Commission (CFTC), the National Association of Securities Dealers, Inc. (NASD) and the New York Stock Exchange (NYSE) have expectations that a firm must meet regarding what kinds of data are kept, the duration of data retention, storage format, and other factors. In addition, a firm must also adhere to regulatory directives of the states or regions in which it does business.

Now, to add another wrinkle: If a firm does business internationally, it must conform to international laws that sometimes conflict with U.S. regulations. For example, data management mandates for client account information are dramatically different in the United States than in the United Kingdom. Additionally, stipulations regarding storage format can conflict. For example, articles of incorporation must be saved permanently, in hard-copy format, in the United States, while nations like Japan require that such information be stored electronically. Information portability is another issue in some regions. In Switzerland, for instance, certain financial information must be maintained within Swiss boundaries; data cannot be transferred beyond its borders.

In addition, problems related to the legal process of discovery, or attempted discovery, of corporate e-mails have plagued the financial markets industry for the last several years. To date, most of the highly publicized incidents have been associated with firms' lack of compliance with regulatory policies governing processing and retention. E-mail, as a discoverable source of information in litigation, can make or break a case and, therefore, should be a concern for any midsize to large organization considering ways to best approach data management.

Growing amounts of complex data add to the challenge

Records management requirements have been around for decades. But, as the volume and complexity of information have grown, it's becoming harder to capture data and produce records in the formats that regulators require. For example, regulators may consider an original image of a Web page, which can change daily, a valid record. And for most firms, finding a dated version of this image can prove complicated at best.

In establishing a comprehensive records management policy, financial firms need to meet or exceed the best practices of similar organizations. Beyond this basic requirement, records management requirements are, to some degree, open to interpretation. Each financial markets firm, depending upon its area of focus and the regulatory mandates with which it must comply, will approach records management slightly differently. However, a few constants exist. In constructing a data management policy, every firm needs to:

- Identify which rules (local, national and international) affect the firm
- Determine how the firm will interpret relevant regulations
- Understand how these rules impact the business.

Additionally, financial markets firms should expect a gradual intensification of control standards over the next few years.
Typical compliance programs are, in general, designed to cover just the basics of today's regulatory requirements and, if unaltered, may well prove insufficient in the future. And firms relying on traditional, manual records retention processes will likely see a mounting proportion of their operating budgets used to support these practices.

Technology is a key to implementing a cost-effective records management program.

Taking the first step

Developing a records management program, including schedules, policies and procedures, and audit metrics, often turns out to be more challenging than many companies anticipate. First, there is no standardized definition of "record" on which to base the program. Therefore, every company has to look at its own business operations and determine which pieces of information should be considered records and then decide which retention rules to apply to these records. Creating a team dedicated to analyzing and tackling these issues is essential.

A financial markets firm might begin by analyzing how it administers the existing records environment. This includes looking at what information is collected and how, as well as appraising the effectiveness of existing methods and policies around data collection and retention. Then, firms need to clearly establish what additional information needs gathering, based on whether the organization adequately meets current and future regulatory demands and where it falls short. Each of these steps is central to establishing a functional records retention and management strategy. To better guide this process, companies must:

- Develop overarching data management methods and policies for records creation and storage, including considerations about data format, maintenance and archival
- Gain a comprehensive understanding of SRO, state, national and international records management requirements
- Review the specific business functions of each business line, because a single document may be required at different times by varying regulatory bodies.

Next, financial markets companies need to establish their overall program approach. In addition to getting executive-level buy-in, firms must determine:

- Who will lead and staff the records management program
- Where is the best place to start: what issues or pains most need addressing
- What is the firm's current state of affairs: which records practices are effective and where gaps exist.

Creating a team of players

Once the program scope is established, firms should assemble a team and charge it with establishing and running an effective records management program. Team members should be pulled from each key area of the organization. They should be managers who can speak to and lead the development, implementation and management of an effective records management program for their respective department.
Key areas to involve in the records management team include:

- Legal/compliance
- Business lines
- Information technology
- General services
- Corporate records/archives.

In addition, a records czar is often appointed to head up the records management operation. This person typically has a good understanding of the functions of the different lines of business. Having a records czar running the program during all phases, beginning with the records management pilot and continuing through the firm's ongoing records management efforts, is a precursor for success. Ideally, the records czar has:

- A deep understanding of the business lines and the ability to identify pertinent regulatory and business information required for capture and retention
- Knowledge of all the processes involved in effective records management
- The ability to identify the core applications and systems used within their business lines
- Adequate authority to take action against those thwarting records management efforts.

Putting the data preservation and maintenance strategy into action

Getting a team in place and communicating the project goals effectively is just half of the equation. The other half is creating a comprehensive retention schedule, standardizing companywide policies and producing audit metrics to demonstrate a credible, compliance-driven records management strategy.

A firm's policies and procedures should provide governing advice for the creation, management, access, retention and disposal of all records. This means that measures must be in place to classify records, define retention periods and prescribe data destruction processes. Additionally, audit metrics based on industry best practices should be defined to provide a way to measure program effectiveness and identify areas needing improvement.

Furthermore, records management policies and procedures need to be documented, both to clearly guide employees on roles and responsibilities and to demonstrate the firm's commitment to meeting regulatory demands. Training and tools also should be put in place to empower employees to participate in the compliance process.

A firm's planning and design efforts get put to the test with program implementation. We have seen a number of client firms begin incrementally with a pilot study in a single line of business or around a specific product. This way, the financial markets firm is able to learn from successes and failures and scale accordingly in other business lines and product offerings. By starting small and using lessons learned, firms can save both money and time. Other firms have approached the challenge more aggressively and have undertaken programs using available technical solutions and leveraging best practice knowledge and the experience of outside consultants.
Companies might begin by selecting a particular records capture need or small set of needs. For instance, some firms start their pilot project by dealing with Sections 17(a)-3 or 17(a)-4 of the Securities Exchange Act of 1934 as it applies to a small subdivision of their broker/dealer business. Other organizations get even more specific, dealing exclusively with electronic communications as required under SEC 17(a)-3 and 17(a)-4, NYSE 440, and NASD This incremental approach will better enable the team to define the initial records creation protocol and capture process that will help build the baseline of the company's strategic data management program. The speed with which the program is expanded is determined by the company's needs and appetite for change.

Ongoing vigilance

At its most basic, a firm's records management program must conform to legal and regulatory requirements, and verify that employees are aware of their roles and responsibilities. However, neither is a one-time operation. As rules and regulations change, firms must continually update and enforce retention schedules, policies and procedures, communicate changes to employees and plan for program maintenance, enforcement and enhancement.

Additionally, accountability is essential to program success. Regular internal audits can help firms most effectively achieve enterprise visibility around compliance issues. And by benchmarking against internal and industry standards, firms will be able to identify areas where they are doing well, areas that need improvement and areas where official corrective action is required.

Deploying technology solutions to better enable data management

Technology is a key to efficiently and cost-effectively enabling records management across multiple repositories. But building a successful records management program may prove difficult using point solutions. Instead, it is anticipated that by employing an IT records management architecture, firms can more easily:

- Manage data in native repositories, thereby limiting expensive migration
- Use a single interface to access multiple content sources and systems
- Create electronic records management controls
- Assign retention rules to documents, either automatically or manually
- Apply lifecycle rules to a declared document
- Use the same management structure for both electronic and physical records

Leveraging technology doesn't necessarily mean throwing out existing IT investments. Protecting your investments requires bridging existing and new archive and retention capabilities. Document and records retention integration technology is readily available to do just that. To do this most effectively, many firms engage an outside consulting firm to help them merge technology and business capabilities.

Bringing in an expert to help ensure success

IBM can bring the various pieces together to create a records management solution that is designed to suit your organization's needs. We bring to the table deep financial markets industry knowledge. We understand your business, the records you generate and the processes you use.

IBM has a clear understanding of the regulatory and compliance issues your company is facing. And we have the technical and business analysis skills to design, implement and deliver an integrated technical solution that is designed to be capable of working with existing IT applications and meet the requirements of your organization. In addition to our industry expertise and best-practice methodologies, IBM has the technology enablers that can store and support your firm's records management policies as well as integrate your existing point solutions. With our industry-leading skills and experience, we can help your company successfully resolve its records management issues.

For more information

To learn more about IBM Business Consulting Services and our financial markets records management offerings, please contact your IBM representative or visit: ibm.com/bcs

References

[1] Securities and Exchange Commission. Study and report of violations by securities professionals. sec.gov/news/studies/sox703report.pdf

Copyright IBM Corporation 2005
IBM Global Services
Route 100
Somers, NY
U.S.A.
Produced in the United States of America
All Rights Reserved

IBM and the IBM logo are registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.