Businesses today must be up-to-date and compliant with a wide range of state, federal, and international regulations. To help organizations better understand what is required, we have provided a list of the key regulations businesses should be concerned with, and a summary of what they entail:
■ SEC 17a (3,4)
■ NASD 2210
■ NASD 2711
■ NASD 3010
■ NASD 3110
■ Investment Advisors Act
■ IDA (The Investment Dealers Association
Below we listed samples of international compliance and regulation-driven retention practices, some are not mandated by law but are used to develop Best Practices for email and electronic record retention to compliant with certain specific regulations.
MessageSolution Data Redaction
PCI DSS (Payment Card Industry Data Security Standard).
ISO 19779/27001 (International Standards Organization).
IT Security standard, ITIL (IT Infrastructure Library).
Framework for service delivery, CoBIT (Control Objectives for Information and Related Technology).
IT security standard, risk management in financial services,
COSO (Committee of Sponsoring Organizations).
US: HIPAA (Health Insurance Portability and Accountability Act); SOX (Sarbanes-Oxley); GLBA (Graham Leach Bliley Act); FRCP (Federal Rules for Civil Procedure).
Canada: PIPEDA; Rule 30.02 Ontario Rules; Bill 198 Multilateral Instrument.
GDPR: The newly enacted law and the revised version of regulation on Personal Identifiable Information (PII) and Payment Card Industry Data Security Standard (PCI DSS), which will be officially effective in May 2018.
Euro-SOX: MiFID (Markets in Financial Instruments Directive); European Union Data Protection Directive 95/46; European Union Directive 2006/24/EC.
UK: Data Protection Act 1998; CPR (Civil Procedure Rules).
Germany: German Federal Data Protection Act; German Telecomms Data. Retention Act; Criminal Procedures Act.
Switzerland: Swiss Federal Data Protection (DPA); Basel II audit procedures; (SCO) Swiss Code of Obligations.
Australia: Privacy Act; APRA (Australian Prudential Regulation Authority); CLERP 9.
China: Anti-Corruption Compliance.
Japan: J-SOX; JPIPA (Japanese Personal Information Protection Act).
India: Right to Information Act; Companies Act with more comprehensive audit procedures.
Singapore: Companies Act.
Brazil: Azaredo Law; Bill #6891/02.
Mexico: Federal Freedom of Information Act; Ley Federal de Transparencia y Acceso a la Informacion Publica Gubernamental; Ley del Mercado de Valores.
The Federal Rules of Civil Procedure (FRCP) are a set of guidelines set by the U.S. Supreme Court regulating court procedure for civil suits. FRCP often refers to revisions made in December of 2006 regarding electronic discovery, which became effective December 1, 2007. Electronic documents such as email, instant messages, or calendar files, and traditional documents stored electronically must be available for timely search and retrieval in the event of litigation proceedings. Discovery must be maintained in its original format. Accidental deletion, misplacement, or any inability to locate data before deadlines will result in court fines.
The General Data Protection Regulation (GDPR) 2018, a revision of the General Data Protection act of 1995, was created to protect the personal data for all EU citizens & to create a more effective approach to the way private data is handled. GDPR targets personally identifiable information ensuring that Personally Identifiable information (PII) is protected and is available subject to records management and reporting. Changes involved in the GDPR include the right to a copy of personal data, the right to erase personal data, and the right to have data transmitted in a readable format.
The Health Insurance Portability and Accountability Act was implemented by the United States Congress in 1996 to regulate health care providers’ management of protected health information (PHI), which includes medical records and payment histories. These regulations cover a broad range of administrative, technical and physical security measures. Regulated entities must maintain strict control over employees’ computer access to electronic PHI (EPHI) and ensure that historical EPHI is stored in a format with which no employee can tamper. IT should maintain written records of all configuration settings and changes. Audits should be performed routinely, along with documented risk analysis and risk management programs.
A broker or dealer must preserve documents and records
for three to six years, the first two years of which, they
must be in an accessible place. All documents and records
must be time-stamped, stored in a non-rewriteable/non-erasable
format, organized and indexed, with a duplicate copy stored
separately from the original. The indexes should be also duplicated
and stored separately from the original, and they should be
available for examination and preserved as long as the documents
All sales literature and correspondence
made available to customers or the public (including email)
must be a maintained for three years from the date of each
use including the name of the person who prepared the literature
and/or approved their use. Any communications (including email)
that deal with the performance of past recommendations or
actual transactions and completed worksheets should be stored
at a place easily accessible to the sales office for the accounts
or customers involved.
All research reports, including
any written or electronic communication that includes an analysis
of equity securities of individual companies or industries,
and that provides information reasonably sufficient upon which
to base an investment decision, must be retained for three
years following its publication.
A system should be established
and maintained to supervise activities of all registered representatives,
including the use of e-mail and websites. Written procedures
must be developed for the review of any written and electronic
correspondence with the public relating to investment banking
or securities business. If an electronic or manual pre-use
review is not done, then appropriate supervisory procedures
should be developed, as well as monitoring and testing the
procedures, educating employees on the procedures and documenting
the education of the employees. All correspondence relating
to investment banking or securities business should be retained
along with the names of the persons who prepared and reviewed
the correspondence, and the retained records should be readily
available to NASD. An annual review of a broker/dealer's
business activities, supervisory system, customer accounts
and office inspections is required.
All books, accounts, records,
memoranda and correspondence should be retained in the same
format as stated in SEC Rule 17a-4 (i.e. non-rewriteable,
non-erasable, and time-stamped). All e-mails and Internet
communications which relate to the broker/dealer's business
must be retained for at least three years, the first two years
in an easily accessible place.
Requires public companies save
all business records, including electronic records and messages,
for not less than five years. In addition, public companies
and registered public accounting firms must maintain audit
work papers, documents that form the basis of an audit or
review, and all information supporting conclusions for seven
years. Given that, clearly email communications related to
audit work papers and financial controls should be retained
for at least seven years.
Investment Advisors Act
Investment advisers shall make
and keep records in accordance with the Securities Exchange
Act of 1934 as well as allow the Commission to examine such
records as the Commission deems necessary or appropriate in
the public interest or for the protection of investors. Investment
advisers are also required to maintain and preserve books
and records in an easily accessible location for at least
five years from the end of the fiscal year during which the
last entry was made, the first two years in an appropriate
office of the investment advisers.
IDA 29.7(The Investment
Dealers Association of Canada)
All client correspondence and
related documents, including emails, must be retained for
five years from the date of creation. In addition, all sales
literature and related documents must be retained for two
years from the date of creation. Archived sales literature
and correspondence must be readily available for inspection
by the Association at all times.