Banks, brokerages dogged by e-mail regulations

Computerworld - NEW YORK -- IT managers in the financial services industry are finding it increasingly difficult to comply with a swath of regulations that force banks and brokerages to store and be able to easily access e-mail and instant messaging (IM) exchanges with customers.
The Securities and Exchange Commission, the New York Stock Exchange and the National Association of Securities Dealers have all recently imposed regulations about the type of information broker/dealers can share with clients via e-mail or IM -- as well as how long those messages must be stored so they can be retrieved for regulatory audits. Those regulations have created "a poisonous atmosphere" in the securities industry, said Stephen J. Shine, senior vice president and senior counsel at Prudential Equity Group LLC in Newark, N.J.
It's also a potentially costly problem for firms that don't comply. The most notable enforcement actions were taken in December 2002, when the SEC fined five broker/dealers a total of $8.25 million for failing to preserve e-mail correspondence with clients for the requisite three years and/or failing to keep the e-mails in an accessible place for at least two years (see story).
Shine was one of the speakers at a financial services e-mail, IM and collaboration conference held here today by the Information Management Network, a New York-based organizer of finance and investment conferences.
Brokerages frequently automate and test backup and recovery of e-mail and IM, but those efforts are probably not done "consistently enough to meet regulatory requirements," said Andy W. Welch, a senior manager in KPMG LLP's risk advisory practice in Short Hills, N.J.
One of the key challenges securities firms face is being able to retrieve and present customer e-mail correspondence to regulators within 24 hours, as required under some regulations. "Regardless of how sophisticated your e-mail retrieval system is, you won't be able to comply by tomorrow," said Shine.
He recommended several steps securities firms should take to "intervene" with regulators, such as asking for adequate time to review e-mail correspondence using word searches, to determine whether any of the requested correspondence might impinge upon attorney/client privilege.
Regulators at the Federal Deposit Insurance Co. in Washington, which insures deposits at 9,116 U.S. banks, are also concerned about the potential network vulnerabilities created when bank employees use IM and how hackers might be able to infiltrate a bank's network to steal customer identities. Attempts by banks to secure IM exchanges using a firewall so far have proved to be "very difficult," said Kathryn M. Weatherby, an examination specialist in the FDIC's