Compliance - Regulatory Overviews
Businesses and governmental agencies today must stay up to date and
compliant with a wide range of state, federal, and international
regulations. Below we have listed a number of these and, for some of the
more complex, have linked to the appropriate agency web site where you can
gather further information.
Basel II
Banks must create internal processes to control, supervise and enforce risk
management practices, including those involving internal communications.
California Privacy Law (SB 1386)
Businesses are required to notify California residents if personal
information stored on computer systems has been breached. This regulation
applies to any organization that conducts business with California
residents. A company is exempt from the notification requirement of
California SB 1386 if the personal information is stored in encrypted
format.
FDIC Advisory: Information Technology Risk Management Program
Requires encryption of electronic customer information while in transit or
in storage.
FRCP - Federal Rules of Civil Procedure
The Federal Rules of Civil Procedure (FRCP) are a set of guidelines set by
the U.S. Supreme Court regulating court procedure for civil suits. In a
compliance context, FRCP usually refers to the revisions made in December
2006 regarding electronic discovery, which became effective December 1,
2007. Electronic documents such as email, instant messages, and calendar
files, as well as traditional documents stored electronically, must be
available for timely search and retrieval in the event of litigation
proceedings. Discovery material must be maintained in its original format.
Accidental deletion, misplacement, or any inability to locate data before
deadlines will result in court fines.
Gramm-Leach-Bliley Act
Financial institutions must ensure the security of non-public personal
information; as such, they are required to maintain and store these
communications in compliance with the SEC's Rule 240.17a-4 and NASD Rules
3010 and 3110 (all emails must be preserved for a period of not less than
six years, with the first two years in an easily accessible place).
HIPAA
The Health Insurance Portability and Accountability Act was implemented by
the United States Congress in 1996 to regulate health care providers’
management of protected health information (PHI), which includes medical
records and payment histories. These regulations cover a broad range of
administrative, technical and physical security measures. Regulated entities
must maintain strict control over employees’ computer access to electronic
PHI (EPHI) and ensure that historical EPHI is stored in a format with which
no employee can tamper. IT should maintain written records of all
configuration settings and changes. Audits should be performed routinely,
along with documented risk analysis and risk management programs.
IDA 29.7 (The Investment Dealers Association of Canada)
All client correspondence and related documents, including emails, must be
retained for five years from the date of creation. In addition, all sales
literature and related documents must be retained for two years from the
date of creation. Archived sales literature and correspondence must be
readily available for inspection by the Association at all times.
Investment Advisers Act
Investment advisers shall make and keep records in accordance with the
Securities Exchange Act of 1934 as well as allow the Commission to examine
such records as the Commission deems necessary or appropriate in the public
interest or for the protection of investors. Investment advisers are also
required to maintain and preserve books and records in an easily accessible
location for at least five years from the end of the fiscal year during
which the last entry was made, the first two years in an appropriate office
of the investment adviser.
NASD 2210
All sales literature and correspondence made available to customers or the
public (including email) must be maintained for three years from the date
of each use, including the name of the person who prepared the literature
and/or approved its use. Any communications (including email) that deal
with the performance of past recommendations or actual transactions, and
completed worksheets, should be stored at a place easily accessible to the
sales office for the accounts or customers involved.
NASD 2711
All research reports, including any written or electronic communication that
includes an analysis of equity securities of individual companies or
industries, and that provides information reasonably sufficient upon which
to base an investment decision, must be retained for three years following
their publication.
NASD 3010
A system should be established and maintained to supervise activities of all
registered representatives, including the use of e-mail and websites.
Written procedures must be developed for the review of any written and
electronic correspondence with the public relating to investment banking or
securities business. If an electronic or manual pre-use review is not done,
then appropriate supervisory procedures should be developed, as well as
monitoring and testing the procedures, educating employees on the procedures
and documenting the education of the employees. All correspondence relating
to investment banking or securities business should be retained along with
the names of the persons who prepared and reviewed the correspondence, and
the retained records should be readily available to NASD. An annual review
of a broker/dealer’s business activities, supervisory system, customer
accounts and office inspections is required.
NASD 3012
Member firms must (i) have supervisory control procedures that test and
verify that the members’ supervisory procedures are reasonably designed to
achieve compliance with applicable securities laws and regulations and NASD
rules, and (ii) where necessary, amend or create additional supervisory
procedures.
NASD 3013
The CEO of each member firm must certify that they have a process to adopt
compliance policies and supervisory procedures reasonably designed to
achieve compliance with applicable securities laws and regulations and NASD
rules.
NASD 3110
All books, accounts, records, memoranda and correspondence should be
retained in the same format as stated in SEC Rule 17a-4 (i.e.
non-rewritable, non-erasable, and time-stamped). All e-mails and Internet
communications that relate to the broker/dealer’s business must be retained
for at least three years, the first two years in an easily accessible place.
OCC Advisory: Electronic Record Keeping
Banks should implement an electronic record retention system that supports
litigation, audits, bank supervision, and compliance with laws and
regulations. Systems should also prevent external access by third parties,
and provide back-up, internal controls, record destruction, and record
retention.
Sarbanes-Oxley Act
Requires public companies to save all business records, including
electronic records and messages, for no less than five years. All relevant
audit-related documentation (including email records) must be retained for
seven years. Section 404 also requires companies to report on the
effectiveness of internal controls over financial reporting. Since internal
control decisions and data are discussed, transported and stored in
corporate email systems, ensuring that email data cannot be accessed or
tampered with is considered critical to the reliability of financial
reporting.
SEC 17a(3,4)
A broker or dealer must preserve documents and records for three to six
years, the first two years of which in an easily accessible place. All
documents and records must be time-stamped, stored in a
non-rewritable/non-erasable format, organized and indexed, with a duplicate
copy stored separately from the original. The indexes should also be
duplicated and stored separately from the originals, and they should be
available for examination and preserved for as long as the documents and
records themselves.
Texas Public Information Act
The Texas Public Information Act (TPIA or the Act) gives the public the
right to request access to government information. The Public Information
Act applies to information of every governmental body.