Banks, brokerages dogged by e-mail regulations

IT managers in the financial services industry are finding it difficult to comply with e-mail regulations.

IT managers in the financial services industry are finding it increasingly difficult to comply with regulations that force banks and brokerages to store and be able to easily access e-mail and instant messaging (IM) exchanges with customers.

The US Securities and Exchange Commission, the New York Stock Exchange and the National Association of Securities Dealers have all recently imposed regulations about the type of information broker/dealers can share with clients via e-mail or IM - as well as how long those messages must be stored so they can be retrieved for audit.

Those regulations have created "a poisonous atmosphere" in the securities industry, said Stephen J Shine, senior vice president and senior counsel at Prudential Equity Group. 

It is also a potentially costly problem for firms that do not comply. The most notable enforcement actions were taken in December 2002, when the SEC fined five broker/dealers $8.25m (£4.6m) for failing to preserve e-mail correspondence with clients for the requisite three years and/or failing to keep the e-mails in an accessible place for at least two years. 

Shine was one of the speakers at a conference held in New York this week by the Information Management Network, a New York-based organiser of finance and investment conferences. 

Brokerages frequently automate and test backup and recovery of e-mail and IM, but those efforts are probably not done "consistently enough to meet regulatory requirements", said Andy Welch, a senior manager for KPMG. 

One of the key challenges that securities firms face is being able to retrieve and present customer e-mail correspondence to regulators within 24 hours, as required under some regulations.

"Regardless of how sophisticated your e-mail retrieval system is, you won't be able to comply by tomorrow," said Shine. 

He recommended several steps securities firms should take to "intervene" with regulators, such as asking for adequate time to review e-mail correspondence using word searches, to determine whether any of the requested correspondence might impinge upon attorney/client privilege. 

Regulators at the Federal Deposit Insurance Company (FDIC), which insures deposits at more than 9,000 US banks, are also concerned about the potential network vulnerabilities created when bank employees use IM.

Attempts by banks to secure IM exchanges using a firewall have so far proved difficult, said Kathryn Weatherby, an examination specialist in the FDIC's division of supervision and consumer protection. 

To help reduce those security threats, Weatherby recommends that banks set guidelines for employee use of IM. 

To help meet the growing regulatory demands, New York-based Lehman Brothers tied an existing compliance system it had been using for e-mail correspondence into its IM system, said Navin Rajapakse, vice president of global architecture and strategy. 

Even with such possible solutions, there remains a big challenge in meeting the IM-related regulatory requirements of the Gramm-Leach-Bliley Act and the USA Patriot Act.

That challenge "is addressing C-level awareness of the risks posed by IM, since most executives don't use it", said Bruce Sussman, vice president of internal audit at NYCE, an automated teller machine and point-of-sale debit network.

Thomas Hoffman writes for Computerworld
