Monday, January 28, 2008

ESM: Outsourced or In-House?

If you keep any primary records exclusively in electronic format, you know you have to meet all those tedious requirements under SEC Rule 17a-4(f) (see other blog entries, below). ESM = Electronic Storage Media.

You have a choice to make: do you attempt to meet the requirements using an in-house system or by hiring a third-party vendor? Or both? Some firms use third parties to archive and monitor their e-mails, IMs and external message systems like Bloomberg, and they use an internal system to store and back up their other (non-communications) records. The goal in either case is to ensure proper archiving, back-up and recovery, and content management.

Quick apology: I have no expertise in this area—the tech side, that is. The vocabulary is foreign to me and therefore I use layman terms when speaking to the issues. But consider this: I’m not very different from small B-D business owners who are struggling to understand the rules and implement a compliant system. Regulators should—and I’ve seen evidence that they do—cut firms some slack in this area.

Your choices of third parties are many: Seccas, Smarsh, Iron Mountain Digital, Amicus and AdvisorMail, to name a few. As time goes by these services become more conversant in SEC-speak and more able to meet your regulatory compliance needs without resistance or ignorance. They meet the storage, serializing, indexing and backup requirements; they provide back-up copies on disk when requested; they issue representation letters as required; and they provide nice software tools for searching data and completing lexicon-based compliance reviews. And their pricing is pretty good: a one-time set-up fee plus a small fee per month, per user/mailbox. This is a nice way for very small firms to meet ESM rules because you are leaving the technical stuff and the hardware expense to folks in the know. [That said, remember that member firms have been cited for violating the rules because their vendors didn’t meet the rules. That is, compliance is ultimately your responsibility, not the vendor’s.]

In-house systems for very small firms tend to be, well, non-compliant. Many firms keep records on their hard drives, then periodically download them to disk or tape. Their records are rewritable and erasable for a period of time prior to being stored in WORM (write once, read many) format. That gap of time is technically not okay under the rule. Also, they generally do not have indexing or auditing capabilities. Lastly, they may not make back-up copies of the archives that are, in turn, serialized, indexable and subject to an audit system. And, while these firms may have notified FINRA/SEC of their use of electronic storage, a) their representations may not be true; and b) they may not understand or meet the obligation under 17a-4(f)(3)(vii) to have a non-affiliated third party issue an ‘access letter’: a statement that the third party can get to and provide records requested by regulatory authorities.

Firms that meet every letter of the ESM rules most likely have an expensive system or a full IT staff in place. One such system is put out by EMC. Their software and hardware products are, as far as I can tell, state of the art and, important for you, completely compliant. And at least one third-party vendor I know uses the EMC system in providing services to firms like yours. The problem here, depending on the firm’s size, is cost. EMC’s policy engines, ‘E-Mail Xtender’ and ‘Disk Xtender,’ may be affordable choices for establishing records storage, indexing and destruction parameters, but in both cases you’ll still need a hardware storage system to hold those records and enforce the established policies (such as EMC’s ‘Centera’ product). That’s where it gets expensive. Then again, if you’re spending a lot of time and money storing your records and updating your servers, breakeven may be just a few years away.

How far should you go in attempting to meet every aspect of the ESM rules? That is the question. Is a good-faith, less-than-absolutely-compliant approach acceptable? It is if you say it is, but you may be forced to defend your choices. The more resolute and sincere your defense, the more apt you are to win your own principle-based vs. rule-based battle. Not the war, though: that rages on.

Footnote: Another consideration is the cost of discovery. If your system feels good enough but doesn’t meet every requirement, and if your firm is subject to a regulatory investigation, you will spend huge bucks to recover and produce requested records. This possibility should be built into any cost-benefit analysis.


Links (without permission but with luck, permitted):
EMC: http://www.emc.com/solutions/business-need/compliance-ediscovery/index.htm
Smarsh: http://www.smarsh.com/prinsite/my/default.asp
Seccas: http://www.seccas.com/
Amicus: https://www.amicus.com/solutions/EMM/
Iron Mountain Digital: http://www.ironmountain.com/digital/
AdvisorMail: http://www.advisormail.net/emailcompliance/index.asp
Stay tuned; another--maybe my last?--entry on the audit aspect of ESM rules is forthcoming.