The financial events of the past two years have many financial services companies anticipating increased regulation of the industry in coming years. While new regulations may not apply directly to records management practices or the security of customer data, additional regulation of any kind within the industry will affect the cost of operations.
Also, the banking sector is still absorbing the ramifications of legislation recently enacted, such as the Emergency Economic Stabilization Act of 2008 and the American Recovery and Reinvestment Act of 2009.
Regulators can be expected to continue to scrutinize the ways in which financial institutions identify, assess and manage risks because the financial crisis exposed the shortcomings of many risk management practices. Financial institutions are under pressure internally and from stockholders to ensure that their risk and control functions become more robust.
Although it is not clear what specific new regulations may emerge, again, any mandates for increased compliance, reporting or security will likely increase overall operations costs for financial services companies.
Any new regulations, coupled with profitability challenges within the industry that have resulted from the financial crisis, will force banks to identify greater cost efficiencies throughout their operations, including regulatory-compliant storage and management of records, customer information and other data.
LESSONS FROMAN ACQUISITION
The financial industry has always been characterized by a great deal of merger and acquisition activity, and the financial crisis has brought about another wave of acquisitions, as many banks have failed. A financial services client of ours that weathered the financial crisis and was fortunate to be able to acquire a leading regional bank serves as an excellent illustration of some of the challenges that an acquisition in this sector can bring about.
The newly combined firm provides retail, business, mortgage, cash management and investment services to more than 6 million consumers across 14 states at more than 2,500 branches. And while the parent bank was fully compliant with the Gramm-Leach-Bliley Act of 1999, the Sarbanes-Oxley Act of 2002 and newer regulations, including the Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule and Federal Rules of Civil Procedure (FRCP) Rule 26(b), it had to audit and ensure that the acquired bank also was compliant. Significantly, it also had to integrate all processes into a single enterprise–wide compliance strategy.
The parent bank’s records management and compliance processes had been developed and perfected throughout many years. Moreover, the bank’s compliance processes and established best practices took into consideration its technology infrastructure and investments and the nuances of its corporate culture.
The acquisition created an entirely new set of challenges for records management and compliance officers. The acquired bank, its infrastructure, processes, people and branches needed to be seamlessly integrated with the parent bank, and, in some cases, brought up to the same rigorous compliance standards. The parent bank was now fully liable for the acquired bank’s compliance, or lack thereof.
The acquisition created a major records management and compliance challenge because of the inconsistencies in the two respective banks’ records management standards, policies, controls and procedures. Auditing and integration of the banks’ compliance processes necessarily diverted management attention and resources from competing priorities.
Additionally, the integration took place during a recession and a time of instability in the industry with intense pressure on corporate profitability and the need to keep operating costs as low as possible throughout the bank.
MEETING THE CHALLENGES
As a records management partner to the parent bank, we became intimately involved in helping to address issues and challenges as they related to records management requirements. A few of these key records management and integration challenges included:
• Communicating, monitoring and enforcing records management policies and procedures throughout the acquired bank and at all branches;
• Weaknesses in systems and processes around proper retention schedules for records, locating and producing requested records in a timely manner and placing holds on documents that are, or can reasonably be expected to be, part of a legal or regulatory inquiry;
• Weaknesses in the safeguarding and protection of information and records from hackers or unauthorized insiders;
• Ensuring that regularly scheduled audits are performed on systems and data to ensure data integrity, change control and user access security;
• Reviewing voice mail and e-mail retention practices to ensure that all necessary media are being retained and that the appropriate operating systems needed for restoration and retrieval are maintained; and
• Auditing the document destruction policy for breaches and educating new employees about the company’s document destruction procedures.
For a records manager who has spent the better part of a decade developing policies and records management systems and applications to ensure enterprise compliance, the requirement to do it all again after an acquisition and audit every existing process to make sure it is meeting compliance objectives feels like going back to square one with all of the same uncertainty and challenges.
ADDITIONAL CHALLENGES
In addition to the challenge of integration after an acquisition, the records manager is still responsible for managing policies and processes around more recent regulations, some of which may still be in development or are being tested and refined against the day-to-day operations challenges. Ready or not, they must be applied and integrated with the acquired bank.
In 2006, the U.S. Supreme Court published amendments to the FRCP that give courts the power to demand all types of electronically stored information (ESI), irrespective of data type (e-mails, documents, database records, data stored on PDAs and other devices, backup tapes, videotapes, audio recordings, call center recordings, instant and text messages, access-control logs and unstructured data in any format), as evidence in civil litigation regardless of the cost to the organizations that are required to provide it. To fully comply with the FRCP, financial institutions must store, manage and recover all relevant ESI—structured and unstructured—with equal capability and auditability.
It is estimated that more than 90 percent of the records being created today are electronic, and the financial industry is a litigation-intensive sector. Compliance with ESI regulations is a challenging task in light of the extensive volume and wide variety of ESI, which includes millions of database records.
The FACTA Disposal Rule, which took effect July 1, 2005, stipulates that all consumer information must be securely destroyed before disposal. Although FACTA affects most U.S. businesses, financial institutions are affected more so because of the high volume of consumer information they handle, which includes credit and loan applications, bank and credit card statements, voided checks and other records containing names, Social Security numbers, addresses, dates of birth and other private information. Because the FACTA Disposal Rule is newer, not all financial institutions are equally compliant.
In addition to the challenge of meeting all regulatory requirements, most banks also are actively dealing with the challenges of hybrid records environments. Records managers find themselves moving back and forth between multiple records management systems to locate files, establish audit trails, place litigation holds and ensure uniform retention and destruction of various business information.
The use of multiple systems, applications and processes has created the need for additional staff, training and software systems, among other things. These additional resources increase operational costs.
As fallout from the severe economic recession continues, records managers throughout the financial industry will continue to experience challenges that they thought they had left behind.