
Email and IM Prep for Your Next Regulatory Audit

White Paper Published By: mindSHIFT

A millisecond of downtime can mean millions of dollars. Maintaining compliance while ensuring your firm has the required speed and uptime can be daunting. Learn what you can do with your email and instant messages to prepare for your next regulatory audit.



Tags : 
secure im, secure instant messaging, audit, security audit, auditing, compliance, email security, high availability

mindSHIFT
Published:  Nov 29, 2007
Type:  White Paper
Length:  4 pages

Email and IM Prep for Your Next Regulatory Audit
Being the target of an SEC audit can be a stressful experience, even for investment firms with impeccable track records. Do you have the systems and resources in place to avoid potential negative outcomes, such as a deficiency letter or sanction?
When you have an examination, you must be able to demonstrate compliance with all of your firm's electronic communications, including your messaging applications. A few straightforward, proactive strategies will set the stage for a successful examination, audit, inquiry, or discovery - minimizing stress, decreasing the amount of time spent, and limiting your organization's exposure as much as possible.
1. Be prepared to show a search performed against your email and instant message archive.
Most NASD and SEC examinations include a request to show how email and instant messages (IMs) are surveyed, who is reviewing them, what percentage is being reviewed, whether a lexicon is being used, and how often surveillance is being performed. A web-based demonstration of how the review is set up and a few reports showing frequency and configuration usually suffice.
2. Make sure you can produce requested information in a timely fashion.
One of the biggest problems many companies have is their inability to demonstrate quick access to archived data. If archived data is on a tape and must be restored prior to access or if it spans several CDs/DVDs, it can take a long time for requested data to be accessed. This may not seem like a big problem, but an examination or inquiry is usually stressful, with several other requests being made simultaneously across multiple departments. If one request takes a lot of time, it may be put on the back burner and eventually become a "failure to comply" situation.
3. Make sure you have the resources, either internal staff or consultants, to help with data production requests and to show the examiner or auditor how you meet surveillance and archive requirements.
If you have 50 or more requests in an examination, it helps to have several people working in conjunction with each other to meet every audit point. Very few compliance teams from smaller firms have the manpower to handle all aspects of an examination or inquiry without help. If you use consultants or managed services companies, make sure they have experienced staff available that can help you during a stressful examination period.
4. Be prepared to produce specific emails and instant messages which are over two years old, with certain words in the subject or message body, sent to or from an employee or external address.
If data has been stored on tapes or CD/DVDs, it is difficult to locate specific messages. Having legacy data as well as new data available online and indexed (easily searchable using a search-engine type interface) makes this process quick, easy and stress-free while minimizing any exposure you might face by over-producing. Freeing staff from such tasks as data restoration and search using rudimentary tools will save your firm time and money.
5. Make sure you can "pass" SEC 17a-4 in its entirety by being able to provide information on your designated third-party (D3P) download provider.
Do you know that all data required to be stored under SEC 17a-3 must be stored to comply with SEC 17a-4? Among the requirements are two copies on non-erasable, non-rewriteable media AND a designated third party download provider who has access to this data and can download it. Many firms are finding out the hard way that the SEC is serious about compliance on this point.
6. Be certain that your data is stored on non-erasable, non-rewriteable or write-once-read-many (WORM) media.
Even if you are not required to comply with SEC 17a-4, the safest way to store your data is on non-erasable, non-rewriteable media with a second copy in a separate data center. With the Investment Advisers Act of 1940, the new Federal Rules of Civil Procedure, and other industry best practices, it makes sense to leverage this technology to protect and store your critical information.
7. Ensure that all emails are stored with a full accounting of who they were sent to, including both Bcc recipients as well as all members of any distribution list, at the time the message was sent.
Several messaging systems and archive systems do not main... [download for more]
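Items 4 and 7 above describe what an archive record has to hold (the recipient accounting captured at send time, including Bcc recipients and the members of any distribution list as it stood when the message went out) and what an examiner's request looks like (messages over two years old, containing given words in the subject or body, sent to or from a given address). The following Python sketch is an added example written for this page, not code from mindSHIFT or from the white paper. It models an archive that expands distribution lists and records Bcc recipients at capture time, then serves the examiner-style search; the message, addresses and distribution list are constructed, and the `Archive` class, `capture` and `sample_examiner_request` functions are hypothetical names.

```python
"""Added example: an archive record that keeps the full recipient accounting
at send time, plus the search an examiner typically asks for. All sample
messages, addresses and list memberships are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Dict, List, Optional, Sequence, Set

# Constructed distribution lists. The archive expands these when the message is
# captured, because membership can change after the message has been sent.
DISTRIBUTION_LISTS: Dict[str, Set[str]] = {
    "trading-desk@example.com": {"alice@example.com", "bob@example.com"},
}


@dataclass
class ArchivedMessage:
    message_id: str
    sent_at: datetime
    sender: str
    header_recipients: List[str]          # To and Cc as written in the headers
    bcc_recipients: List[str]             # taken from the envelope, not headers
    expanded_recipients: Set[str]         # every mailbox that actually received it
    subject: str
    body: str
    list_snapshots: Dict[str, Set[str]] = field(default_factory=dict)


def expand_recipients(addresses: Sequence[str], lists: Dict[str, Set[str]]):
    """Return (all individual mailboxes, snapshot of each list's membership used)."""
    expanded: Set[str] = set()
    snapshots: Dict[str, Set[str]] = {}
    for addr in addresses:
        addr = addr.lower()
        if addr in lists:
            snapshots[addr] = set(lists[addr])   # copy: a later change must not alter the record
            expanded |= snapshots[addr]
        else:
            expanded.add(addr)
    return expanded, snapshots


def capture(msg: EmailMessage, bcc: Sequence[str], sent_at: datetime,
            lists: Dict[str, Set[str]] = DISTRIBUTION_LISTS) -> ArchivedMessage:
    """Build the archive record at send time. Bcc addresses are passed in from the
    envelope (the MTA's RCPT TO list) because Bcc is stripped from the delivered copy."""
    header_rcpts = [a.lower() for _, a in
                    getaddresses([str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])]
    bcc_lower = [b.lower() for b in bcc]
    expanded, snaps = expand_recipients(header_rcpts + bcc_lower, lists)
    return ArchivedMessage(
        message_id=str(msg["Message-ID"]),
        sent_at=sent_at,
        sender=getaddresses([str(msg["From"])])[0][1].lower(),
        header_recipients=header_rcpts,
        bcc_recipients=bcc_lower,
        expanded_recipients=expanded,
        subject=str(msg["Subject"] or ""),
        body=msg.get_content(),
        list_snapshots=snaps,
    )


class Archive:
    """In-memory stand-in for an indexed, online archive (hypothetical)."""

    def __init__(self) -> None:
        self._records: List[ArchivedMessage] = []

    def ingest(self, rec: ArchivedMessage) -> None:
        self._records.append(rec)

    def search(self, *, older_than_days: Optional[int] = None, words: Sequence[str] = (),
               address: Optional[str] = None, as_of: Optional[datetime] = None) -> List[ArchivedMessage]:
        """Examiner-style query: age, words in subject or body, and to/from address.
        The address match uses the expanded recipients, so Bcc and list members are found."""
        as_of = as_of or datetime.now(timezone.utc)
        hits = []
        for r in self._records:
            if older_than_days is not None and as_of - r.sent_at < timedelta(days=older_than_days):
                continue
            text = (r.subject + " " + r.body).lower()
            if any(w.lower() not in text for w in words):
                continue
            if address is not None:
                a = address.lower()
                if a != r.sender and a not in r.expanded_recipients:
                    continue
            hits.append(r)
        return hits


def build_sample_archive() -> Archive:
    """Constructed sample: one message to a distribution list with a Bcc recipient,
    captured at send time; the list is then changed to show the record keeps the
    membership that applied when the message was sent."""
    lists = {k: set(v) for k, v in DISTRIBUTION_LISTS.items()}   # local copy
    archive = Archive()
    msg = EmailMessage()
    msg["Message-ID"] = "<sample-0001@example.com>"
    msg["From"] = "carol@example.com"
    msg["To"] = "trading-desk@example.com"
    msg["Subject"] = "Client allocation for block trade"
    msg.set_content("Please confirm the allocation before market close.")
    sent = datetime(2004, 6, 1, 14, 30, tzinfo=timezone.utc)
    archive.ingest(capture(msg, bcc=["compliance@example.com"], sent_at=sent, lists=lists))
    lists["trading-desk@example.com"].discard("bob@example.com")   # bob leaves the desk later
    return archive


def sample_examiner_request() -> List[ArchivedMessage]:
    """Messages over two years old (as of the paper's date), mentioning 'allocation',
    sent to or from bob@example.com, who only received it via the list."""
    as_of = datetime(2007, 11, 29, tzinfo=timezone.utc)
    return build_sample_archive().search(older_than_days=730, words=["allocation"],
                                         address="bob@example.com", as_of=as_of)


if __name__ == "__main__":
    for hit in sample_examiner_request():
        print(hit.message_id, sorted(hit.expanded_recipients), hit.list_snapshots)
```

The point the sample makes is in the last two lines of `build_sample_archive`: after bob is removed from the list, a search by his address still returns the message, because the record stored the expanded membership and the Bcc recipient at capture time rather than resolving them at query time.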
