Email archiving is a common requirement for many different types of industries. When it comes to broker dealer compliance, FINRA is the regulator for this particular financial industry. And the email archiving requirements that FINRA has in place are very specific. Let’s look at some of the FINRA record retention rules in detail:
FINRA 3010 – Supervision of Sales Activities. This rule requires firms to maintain a system to supervise correspondence and transactions with their users. Included in this system are written procedures and the review of outgoing and incoming electronic correspondence on a regular basis.
FINRA 3110 – Books & Records. This rule requires member firms to make and preserve accounts, records, memoranda, books and correspondence in conformity with all applicable regulations, statements, and rules under SEC 17a-3. Also, the record keeping medium, retention period and format must comply with Rule 17a-4 under the Securities Exchange Act of 1934.
SEC 17a-4 – Electronic Storage of Broker-Dealer Records. According to SEC 17a-4, broker-dealers must store required records in a non-rewriteable and non-erasable format. Therefore, the storage system used must prevent alteration or erasure of records for the defined retention periods. WORM optical media (write once, read many) is commonly used to comply with SEC 17a-4 and related regulations.
As you can see, FINRA record retention rules for email archiving are quite strict. In the end, it’s best for the member firm and regulator to have these records available.
As the trend of companies utilizing hosted solutions (most popularly known as programs in the “cloud”) continues to grow, the inevitable question arises for IT admins: on-site or hosted?
Email archiving vendors for both on-site and cloud solutions are numerous. There are a few things to consider when weighing one option against another:
- Control of your data. An on-site solution means that your data is in the same building as you, sitting on a server that you can physically touch, log into, and so on. Hosted vendors, on the other hand, are in control of your data: it is stored on their systems. This means that if there’s a problem, it’s up to the hosted vendor to solve it.
- Scalability. Are you ready to upgrade or purchase more hardware and go through the headache of tearing down and installing new hardware every couple of years? Hosted vendors do this for you, and the process is seamless.
- Price. Ultimately, it comes down to price. Is it more affordable to host your email server in-house or to have a cloud vendor handle it for you?
For companies regulated by the SEC and FINRA, email archiving is not only worth it – it’s required. Many regulations require the retention of electronic messages. Companies like Smarsh offer email archiving for regulatory compliance that is aimed at companies that must adhere to strict retention policies.
But is email archiving worth it for companies that aren’t regulated by FINRA and the SEC?
Here are a few reasons why:
- If confronted with a subpoena or summons to court, you will be able to easily produce any data that is required by a judge. This can be a lifesaver and allow you to get your data in a matter of hours instead of weeks.
- Email archiving offers something called “stubbing” that essentially allows for easier retrieval of messages and less stress on a server. Many different email archiving companies offer great prices for large or even unlimited storage.
- If you end up working with a vendor “in the cloud” or that offers software-as-a-service solutions (which is essentially the same thing), you don’t need to perform any maintenance on hardware. This means: no updates, no chance of making an error and losing your data, etc. It offers peace of mind.
- A record of data. At its essence, email provides a lasting history of communication within a company. If that information is stored securely with a long retention period, you can pull an email from any time!
When looking at email archiving for financial regulatory compliance, you need to look a little deeper than just storage and retrieval. Here are some features to look for to make sure you are compliant with the latest laws and regulations:
- You are probably aware of the storage requirements of SEC 17a-4, but what about having an auditing system in place? With the email archiving solution you have in place, is there an audit trail set up to prove that random searches have been made?
- SEC 17a-4 also requires a third-party downloader to be able to produce the records on your behalf if you are unable or unwilling to do so. Some email archiving companies will not be your third-party downloader, leaving you high and dry if FINRA auditors come knockin’ and you aren’t home.
- Archiving makes sense for incoming mail, but what about outgoing messages? NASD 3010 requires that supervisors have the ability to review outgoing email messages for noncompliant language.
There are many companies out there that do offer email archiving service. But the question is: is your company regulated by FINRA, the SEC or a government agency? Is your current email archiving solution compliant with their regulations? When evaluating your current (or future) email archiving vendor, be sure to ask the right questions.
Most small to medium sized businesses are using either an email host or webmail (comparison of webmail providers) for their email. From the outside, they both appear the same. Hosted email is accessed through a web interface or browser over the internet and for all intents and purposes looks just like webmail. Webmail is accessed via a web browser, is hosted in the cloud and looks and feels just like a hosted email service, so what’s the difference?
The majority of small to medium businesses simply don’t have the resources necessary to support a dedicated IT infrastructure. Even though email is an essential communications tool, it demands a lot in order for it to work, which is why email hosting and webmail are so popular.
Email hosting is built around the cloud computing model. It has all the technology that an in-house solution would, without the maintenance overheads and huge investment. Most email providers will still use Exchange server, and provide an Outlook client for customers to use. From a user’s perspective, the experience is no different than if the servers were hosted in the next room instead of miles away in a hosted environment. From a business perspective, the provider carries the overhead of the infrastructure, support teams, network and everything else involved in running such an enterprise. They own the equipment and the customer licenses the use of it from them, mostly on a per seat basis. Essentially the service the business receives is exactly the same as if they hosted it themselves, at a fraction of the price.
Webmail uses exactly the same technology, and most often infrastructure, but options can be limited by the medium. This email hosting option is accessed through a web browser and is available from anywhere at any time. Webmail options like Hotmail or Gmail offer a lot of functionality for no money, but they don’t project a professional image when used in business. The prevalence of spam that originates from these email addresses has lessened their value significantly in any commercial enterprise. Therefore there is a compromise if a small business wants to use a webmail solution for their mail.
Email hosting (list of providers at DMOZ) offers more in the way of security, sophistication and email backups, at a cost. Webmail is most often free and available anytime, anywhere, but at the cost of functionality and image. If a business uses features like calendar or contact sharing, collaboration or other tools, then webmail is going to fall short. If the needs are more modest, and brand image isn’t the most important thing, then webmail is ideal. However, image is everything in business. Even if the company is a sole trader operating out of their spare room, they must project the image of a smooth running, professional outfit, and webmail doesn’t do that. For the relatively low cost of using email hosting, the difference in appearance it offers is worth every cent.
The Health Insurance Portability and Accountability Act (more info) was one of the most high profile laws to ever see the light of day in the United States. It was originally passed in 1996 with a view to protecting the medical records, or Personal Health Information (PHI), of the general public from unauthorized access. One of the most important parts of the act was the HIPAA email rules, which specified several steps organizations needed to take in order to be able to transfer patient records via email.
For the purposes of the legislation all medical records are referred to as the aforementioned Personal Health Information, or PHI for short. There is a significant number of policies and rules regarding how PHI is used, transmitted and stored. PHI can include such things as test results, lab results, doctors’ notes, billing information or health insurance documents, to name a few. The HIPAA email rules address the transmission of these kinds of records, who they can be sent to, how they are sent and how the information is dealt with afterwards.
There is still quite a bit of confusion about what HIPAA entails, even almost 15 years after first being enacted. This confusion has led to a sometimes overly cautious attitude towards patient records, with providers taking extraordinary measures to ensure they don’t fall foul of the law. Considering the idea was to secure data and allow for free and fast transmission between permissible organizations, the HIPAA email rules often slow down the sharing of these records. Companies know there are significant penalties for failure to comply, and can take a long time to share the data.
In some respects, HIPAA works reasonably well. It protects patient information, yet stays out of the way during urgent situations, such as when a patient needs a relative to collect a prescription, or when a school needs to access a child’s vaccination records. It also allows law enforcement to access the data in relation to investigations and assistance it provides during the lifetime of the patient.
On the other hand, it does create quite an administrative overhead for doctors, hospitals and insurers. Not only does the information have to be handled delicately and kept secure; under the HIPAA email rules, keeping records, storing emails and how they are shared is complicated and takes a lot of administering. It isn’t just about the people handling the data, it’s about the infrastructure, the networks and the systems involved in its transmission. Email containing PHI has to be encrypted, protected, indexed, stored securely and be able to be retrieved at a moment’s notice.
Make no mistake about it, overall HIPAA is a good thing. Like many laws, it is overcomplicated and needs a very highly skilled lawyer to understand it completely. It throws up as many challenges as it seeks to address, is cumbersome in its enforcement and expensive to comply with. Despite this, it does go a long way to protecting patient confidentiality and all of our medical records.
The landscape for SEC and FINRA compliance has changed.
Financial firms have been under the scrutiny of FINRA and the SEC for quite some time. Email archiving was born from the necessity of compliance with laws like the Federal Rules of Civil Procedure, the SEC’s 17a-4 and FINRA’s Rule 3010, among others. Using archiving instead of backup tapes provides flexibility and advantages that go beyond just being compliant, as well as an overall cost benefit in many cases.
This blog is looking more towards the future instead of at the past. And the future is social networking.
FINRA has recognized this and recently announced Regulatory Notice 10-06, guidance on blogs and social networking websites. As the use and integration of social media evolves, FINRA no doubt noticed that investment advisors and others were using social media to market their services. The problem is that there are certain considerations that need to be made for marketing messages; and this is where FINRA 10-06 is relevant.
Some of the highlights of FINRA Regulatory Notice 10-06:
- Rules apply to firms and personnel using sites for business purposes (not where the site is accessed, but defined by the content of the message).
- Social media websites have interactive and static content. Why is this distinction important? Because static content must be pre-approved by a principal; static content includes wall posts on Facebook and profile information.
- FINRA is prepared to bring disciplinary action for violation of rules and securities laws.
So while having an email archiving solution in place is important, the swiftness of integrating social media archiving into your company’s policy is vital. Having a system of monitoring and archiving social media in the case of pending litigation is also important, as a recent lawsuit over a LinkedIn message proves.
No matter what type of policy you have in place for social media at the workplace, the ability to capture messages (that you may not even think are occurring!) can be beneficial for litigation (as seen above) or for compliance with FINRA Regulatory Notice 10-06.