At the Crossroads – Privacy and Information Security
20th Annual National Training Conference, Fiduciary and Investment Risk Management Association Inc.™
Julia Kirby, Senior Manager, Deloitte & Touche, LLP, Regulatory Consulting Group
April 11, 2006

Page 1: Julia Kirby, Senior Manager Deloitte & Touche, LLP Regulatory Consulting Group April 11, 2006


Page 2

Copyright © 2006 Deloitte Development LLC. All rights reserved.

Agenda

The purpose of this presentation is to briefly describe regulatory developments related to privacy and information security. Deloitte & Touche LLP is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte & Touche LLP shall not be responsible for any loss sustained by any person who relies on this presentation. For complete regulatory requirements, please refer to the text of the rules themselves.

Overview

Driving Forces

The Challenges

Critical Success Factors

Questions and Answers

Page 3

Overview – At the Crossroads

Page 4

The Balancing Act – Privacy & Information Security

Expectations:
- Customer privacy
- Information security
- Convenience of electronic services
- Ethical behavior

Compliance:
- Local/state laws
- Federal regulations
- Regulatory agency guidelines
- Investigations and litigation

Financial institutions must balance growing expectations while complying with the current legal environment.

Page 5

A Tool to Help Along the Way

Records management is a risk-focused tool that can help manage expectations and maintain compliance.

Factor: Expectations – how records management can help:
- Centrally-managed security facilitates changes in procedures and technology
- Records management provides consistent standards for managing customer and corporate information
- Conforming to records management policy guidelines promotes ethical corporate behavior throughout the organization

Factor: Compliance – how records management can help:
- Retention is no longer sufficient: retention, retrieval, destruction, and security are now considered in regulatory examinations
- The legal environment is constantly changing, so a flexible framework is needed to adapt to new retention periods and record types
- Records management aids document discovery in investigations and lawsuits

Page 6

Objective

The goal of records management is to control and mitigate an organization’s exposure to risk.

The slide shows RISK at the center of three areas: Compliance, Litigation, and Reputation.
– Compliance: Retention Requirements, Customer Privacy
– Sufficient vs. Excessive Recordkeeping
– Government Investigations
– Regulatory Sanctions
– Media Headlines

Page 7

Compliance Risk

Recent compliance failures have placed greater public scrutiny on corporate records management practices.

Company | Failure | Fine | Sanctioning Body
Banc of America Securities | Violations of “the recordkeeping and access requirements of various securities laws” (March 2002) | $10 million | SEC
J.P. Morgan | “Failed to preserve for three years…all electronic mail communications” (February 2005) | $2.1 million | NASD, NYSE, SEC
Brokerage Firms (4) | Violations of “recordkeeping requirements concerning business-related internal e-mail communications” (August 2004) | $3.1 million | SEC
Brokerage Firms (5) | Violations of “record-keeping requirements concerning e-mail communications” (December 2002) | $8.25 million | SEC

Page 8

Litigation Risk

The risk of incurring litigation or failing to meet legal responsibilities can also have a financial impact on an organization.

Company | Event | Monetary Impact ($)
UBS Warburg LLC | In Zubulake v. UBS Warburg LLC, UBS was ordered to search and retrieve relevant e-mails from its archives (July 2004) | $300,000
Merrill Lynch | Conflicts of interest “revealed in internal e-mail communications” during an investigation by Eliot Spitzer (May 2002) | $100 million
Bear, Stearns & Co., Inc. | Failed to respond in a timely and effective manner to a subpoena by the State of Illinois Securities Department (June 2005) | $10,000
PAZ Securities, Inc. | Failed to respond effectively to an NASD subpoena for various records (October 2005) | Expelled from NASD

Page 9

Reputational Risk

Investigations and/or negative media headlines can result in dramatic changes in the market value of a company.

Company | Event | Change in Market Value | Timeframe
Merrill Lynch | Announcement of investigation by NY AG Eliot Spitzer (April 2002) | $11 billion | 1 month
AIG | Investigation by NY AG Eliot Spitzer and the SEC led to the resignation of AIG's CEO and Chairman Hank Greenberg (January 2006) | $59 billion | 11 months
Insurance Firms (4) | NY AG Eliot Spitzer files civil complaint against Marsh & McLennan, ACE, The Hartford, Munich American Risk Partners (October 2004) | $26 billion | 4 trading days

Page 10

Driving Forces

Page 11

The growing importance of records management has led to changes in the marketplace, government, and industry.

Driving Forces in Records Management

Force | Impact
Consumer Needs | Convenience and cost are forcing new information delivery strategies that paper-based systems cannot deliver
Technology | Increasing reliability and decreasing costs lead to ever-wider applications of technology
Market | Traditional records management firms are hungry for new revenues and view electronic services as a logical next step
Records Retention Costs | Unit prices of traditional vs. electronic records retention (at scale) are not comparable
Regulation | Government and industry are aligned to implement laws that encourage the elimination or reduction of paper
Legal Discovery | Electronic discovery is becoming more common as electronic records management increases

Page 12

Vast and Complex Environment

The universe of retention requirements applicable to an organization’s activities has grown to several thousand and is continually evolving.

Universe of Record Retention Requirements for International Financial Institutions* (diagram, with Bank Records at the center):
- Court Decisions
- State Law
- Internal Revenue Code
- Federal Laws
- Federal Regulations
- Foreign Jurisdictions
- Banking Regulations
- International Supervisory Body Requirements
- Securities Laws
- Evolving Technology

*These are provided as an example. Seek counsel’s advice regarding requirements applicable to your organization.

Page 13

Implementation Issues

Page 14

Implementation Issues

Each of the major components of records management presents different implementation issues.

Key Components of a Records Management Program:
- Policy
- Retention Schedule
- Governance Structure
- E-Mail/Electronic Management
- Warehouse
- Processes/Procedures

Page 15

Policy

Issue | Description
Approval | Approval may be required from all business units, a lengthy process which can significantly delay implementation
Training | Logistical obstacles must be overcome in training all employees and new hires
Consistency | Records management must be consistent with existing bank policies, e.g. ethics, data security, e-mail
Enforcement | Enforcement of the policy must be incorporated into the self-assessment or audit processes

A comprehensive policy is critical to communicating and implementing a records management program.

Page 16

Retention Schedule

Issue | Description
Scope | Applicable requirements depend on the structure of the organization, e.g. bank holding company, financial company, non-bank subsidiaries
Ease of Use | Business users must be able to easily look up a record and determine its retention period
Complexity | Requirements originate from a number of sources, e.g. legal statutes (federal, state, local), regulatory guidance, industry guidelines, foreign jurisdictions
Maintenance | Organizations must be able to easily update the retention schedule to account for new requirements

The retention schedule must capture all applicable requirements while remaining user-friendly for the business units.

Page 17

Governance

Issue | Description
Resources | Records management responsibilities must be added without overburdening existing roles
Communication | Communication is key to establishing a culture where records management is emphasized
Accountability | Every employee impacts records management, from the CEO to the new hire
Management Support | Consistent commitment from the top facilitates compliance throughout the organization

Commitment and communication are vital to successful program governance.

Page 18

Processes/Procedures

Issue | Description
Retrieval | Legal and regulatory inquiries demand that records be retrieved in a timely manner by content, date, or creator
Security | Retrieval, storage, and destruction processes must protect records against unauthorized access to data
Storage | Off-site storage must be documented, and items transported, in a consistent manner
Destruction | Destruction procedures must be rigorous enough to keep pace with advances in forensic recovery analysis

Secure processes are required to ensure effective storage, retrieval, and destruction of bank records.

Page 19

Warehouse

Issue | Description
Logging | A consistent logging procedure is necessary to ensure storage, retrieval and destruction
Contract | Third-party vendor requirements must be applied
Vendor Reputation | The reputation of the vendor will directly correlate with the reputational risk to the bank
Business Continuity | Warehouses must be integrated with business continuity plans to recover from disaster

Third-party warehousing has far-reaching consequences beyond records management.

Page 20

E-Mail and Electronic Records

Issue | Description
System Functionality | Management of electronic records is dependent on system search, backup, and restoration capabilities
Misconceptions | All e-mails are business records, regardless of the content
Volume | System storage capacity is finite and average industry volume is excessive
Desktop Archiving | E-mail records on personal workstations are accessible as part of a legal or regulatory inquiry

Effective e-mail management mandates changes in systems as well as corporate behavior.

Page 21

Critical Success Factors

Page 22

Initial Approach

Evaluating the current state and envisioning the ideal state are the first steps to be taken.

1. Review Policies and Procedures – Assess existing:
- Documentation types
- Retention processes
- Security procedures
- Staffing commitment
- Storage opportunities and capabilities

2. Identify Existing Records – Conduct an inventory of existing records to determine:
- Record types
- Storage media
- Security classification
- Record location
- Volume

3. Organize a Team – Forming a team requires:
- Cross-functional leadership
- Commitment from senior management
- Defined roles and responsibilities

4. Develop a Vision – A records management program must consider:
- Corporate culture
- Infrastructure
- Timing

Page 23

Critical Success Factors

Five factors: Commitment, Expertise, Practicality, Infrastructure, Long-Term Vision

– True organizational commitment and effort
– Training and communication
– Effective warehouse management
– System solutions
– Understanding of support infrastructure
– Access to legal and regulatory expertise
– Focus on practical and implementable policy
– Anticipate long-term needs and trends

Page 24

Questions and Answers

Page 25

Contact information:
Julia Kirby
Deloitte & Touche LLP
555 12th Street N.W., Suite 500
Washington, D.C.
[email protected]