WATERS BREAKFAST BRIEFING - 1 Jun 2005


Save All

Investment firms have a choice when it comes to compliance: Save every single e-mail and instant message or face the wrath of regulators. Can the CIO and the CCO see eye-to-eye in these take-no-prisoners times?

Archiving e-mail is now a mandated liability. Firms have to save every electronic missive, no matter how mundane or innocent, in the event of an investigation for alleged wrongdoing. As with any far-reaching regulation that is fueled by politically ambitious investigators and angry watchdog groups, confusion can ensue. To make sense of the guidelines and how IT plays a role in storing and retrieving all e-mails and instant messages (IMs), Waters assembled a panel of industry experts to discuss the challenges of archiving and retrieving e-mails. Our panel consisted of Joseph Steffan, director of technology compliance for Lehman Brothers; Brian Babineau, an analyst with the Enterprise Strategy Group; and Paul Johns, vice president of global marketing for Orchestria, the compliance solutions firm.

Waters: In a recent Waters cover story, a chief technology officer said he likes working with the chief compliance officer, but he doesn’t understand the technology. Also, the CCO doesn’t know what has to be stored because he’s waiting for legal to tell him the guidelines. Are CIOs still waiting for certain rules to make the light of day?

Brian Babineau, Enterprise Strategy Group: I think it’s getting better. The good news is the CIO and the CCO talk with each other; the bad news is that they don’t get along.

But we’ve made significant steps to move that barrier between IT and the general counsel’s office. A lot of those discussions, however, are around budgetary concerns. What most people say on the IT side is that it’s not about technology; it’s about process. All too often, IT people find solutions quickly and ineffectively. The reactive measures of IT plus the lack of understanding of processes have created a rift where the compliance officers tend to have a better understanding of what the policies of this procedure should be and outline those so that technology people can buy the right stuff at the right time.

Waters: Joe, how is it working with the technology side inside Lehman Brothers? Are they telling you that you don’t know what it’s like?

Joseph Steffan, Lehman Brothers: We’re both telling each other that, but the reason I was pulled out of the technology law group and brought into compliance was because we recognized that we needed to develop a language that could translate technology concepts into compliance language and vice versa. We now have a very effective, inter-disciplinary process that involves technology, information security, legal and compliance, and a number of important subject matter areas like records management. We meet routinely, and we have developed a common language.

Some firms may have been dealing with an adversarial mindset between the departments, but the magnitude of liability that has developed for these violations has dramatically changed those conversations. When there is a well-communicated compliance requirement now, IT says, ‘No problem, whatever you need.’ Let’s face it; most complex technology projects fail. The most important thing is to have clear objectives upfront, and assigned responsibilities to ensure that those objectives are met. In the past, some regulatory issues weren’t clear, and we used to debate questions like whether an instant message was a written communication within the meaning of the regulations. Those debates are over today, so we have some improved clarity to scope these projects.

Waters: Paul, is there disagreement between the CIO and the CCO?

Paul Johns, Orchestria: We’ve seen big changes in the last year. About 12 months ago, the sales cycles were very long because, frankly, you started out connecting people internally that probably didn’t spend any time talking to each other. What we’ve seen over the last 12 months is the problem has begun to earn the budget. In the past, the IT staffers had the money, and the compliance people had the problem, and they just didn’t understand each other’s worlds. What amazes me is when we talk at events where we are surrounded by IT people, and they still make a case about building the world’s best archive. But that’s really my job. When you sit with the compliance people, they have an entirely different perspective.

Waters: CIOs and CTOs have told us that if you add the label ‘compliance’ to a purchase order, it will get the attention of the CFO and CEO, and they’ll sign off on any new purchase. Is this true?

Steffan: Absolutely, those things that have critical compliance implications get attention now, and there’s an increasingly effective way to communicate that.

But what I have tried to educate my peers about on the legal and compliance side of our business is that you can’t identify compliance concerns and simply mandate that a technology solution be implemented overnight. That is completely unrealistic. You have to go through a process of understanding the problem, finding the right technology, and figuring out how to solve that problem in a disciplined, systematic way.

Johns: Many analysts have called this space the new Y2K but without an end date. So there is this notion that we have to do something, whereas in most technology areas, there’s a business justification and there’s a process that you think about. You ask, ‘Is this really important to our business?’

Babineau: On the budgeting question, technology is actually starting to be accused of crying wolf too many times. They say, ‘We need to buy this’ and they need to go to [a chief compliance officer] to get the sign-off, even though it may not be anything applicable to the compliance infrastructure. The problem is often they’ve gone to the well too many times.

Watching the Mail

Waters: Is your firm monitoring a random sample of e-mail every day?

Steffan: We decided to form a surveillance group that sits within compliance to do nothing but look at messages across our infrastructure, and we made a fundamental decision that when you increase the scale of review that much, you can no longer rely on random sampling. It was a weak methodology to begin with, and intelligent pattern matching kinds of systems give us the ability to produce a smaller set of more relevant results.

We have a group of people who look at messages all day long, and we use Orchestria to filter down to those messages that appear relevant to those subject matter areas we’re watching.

Waters: How many e-mails do they look at each day?

Steffan: When we formed this group, the strategy was to figure out what we’re going to do in terms of supervision. Everyone thought, ‘These people are going to go insane.’ But they’re not looking at static data all day long; they’re looking at interesting stuff and they’re very enthusiastic about the job and the importance of the job. The value of the job is apparent to them and to the department, and it’s increasingly apparent to the firm. We had a policy violation recently involving external distribution of an internal-use-only document. Orchestria captured that violation and the violator was out the door the next day. The fact that out of about 1.5 million messages a day we caught that one sends a very powerful message to the organization. Although we’re obviously not happy about the violation, this was a real demonstration of how technology is improving the ability of compliance to do its job. We’re continuing our review of message blocking options, understanding that automated blocking of employee activities raises some important operational risk issues of its own, and needs to be implemented very carefully.

Waters: Does it amaze you that even now, there are people who think that when they delete a message in their Microsoft Outlook e-mail programs it’s gone forever?

Steffan: There was some initial naiveté, which quickly dissipated when people started seeing employee terminations for messaging policy violations. The president of our firm did a Webcast specifically on the topic of ‘think about what you’re doing,’ and electronic messaging awareness. People are increasingly aware of the fact that we’re doing surveillance. This surveillance is effective, and their colleagues who are doing the wrong things are being shown the door.

Waters: What about storing voice messages and phone conversations?

Babineau: We actually had a vendor in our offices last week that has phones with disk drives on them, and voice over IP (VoIP) most definitely will be the next big trigger. Those networks will be deployed within two to three years.

Steffan: We have very limited obligations under US regulations to record conversations, and we will, for the foreseeable future, limit our storage of voice communications to those that are required by regulation or supported by strong operational needs.

In my mind, the business justification for the storage of voice communications as an operational convenience is extremely weak. The operational, litigation and regulatory exposure is high because this type of data is naturally difficult to categorize in terms of content. If you have 5,000 hours of phone messages saved to your e-mail system because you turned on a feature that allows people to attach their phone messages as .WAV files, those are communications within your possession. They are amenable to subpoena. How do you respond to a subpoena that says you must produce all information relevant to this topic? You’ve got to have someone sit down and listen to 5,000 hours of phone messages. That’s an unacceptable risk and all of the peers I’ve spoken to have successfully resisted technology that translates voice into e-mail messages or e-mail attachments. I’m taking a firm position that that’s not going to change for the foreseeable future.

Johns: The problem is where does it end? Once you’ve figured out how to apply a policy in principle, if you can figure out what’s going on in a voice communication, you could apply that same communication, and what we are asked for is a very rich thread of information. From an investigation standpoint, I know what e-mail you sent, if you sent something to a printer, whether you were in the same room a day later, what phone calls you made—but not today. We’ve not been asked for this and for the reasons that Joe’s just mentioned. I think we’re still trying to grapple with text-based communications. I’m seeing some signs of voice storage in the very early stages, but if it’s in the next year, I’ll be amazed.

The Compliance Edge

Waters: Can compliance deliver a competitive advantage?

Johns: There are two types of firms. There are firms that have been in the headlines and don’t want to get there again, and they’re now taking massive steps with huge publicity and spending a lot of money to say ‘Look, these are the steps we’ve taken’ in full-page ads. There are other firms that have avoided the headlines and are now using that for competitive advantages. It’s appearing in sales collateral and annual statements. I do believe that the firms that have not been hit now are building a wall of fire around them, saying, ‘So far we’ve avoided the headlines. Now let’s do everything possible to publicize the fact that we have never been hit.’ Here’s the danger: Qantas did this very same thing about the fact that they had never had a plane go down. The problem is that when you build a strategy based on that, you had better hope that the press does not hit you.

Steffan: I think it’s a dangerous strategy to try and use one’s being out of the headlines for competitive advantage because there’s a lot of ‘there but for the grace of God go I.’ Thankfully, we have been one of those firms that has managed to stay ahead of the power curve somewhat better than some of our peers, but I have no intention of taking credit for that or resting on those laurels. Part of why Lehman may have had a little more success is because we’re somewhat smaller and we’re able to move a little more quickly in the technology space. I’ve had this conversation with my peers at all the major houses, and we agree very strongly that compliance should not be viewed as a competitive advantage because compliance is something that informs public perception of the industry as a whole, and if one firm is gloating about their successes to the detriment of another firm, you’re playing off of something that makes the industry as a whole look bad.

Waters: How do you deal with new ubiquitous technologies like BlackBerrys?

Steffan: The starting point for the answer is there’s no exception to the archiving and supervision requirement, so you’ve got to capture everything as a starting point. Now, there are some exceptions that I think can be justified in this context. We do not allow PIN-to-PIN messaging for business purposes. We do allow a limited number of IT people who need to have access to PIN-to-PIN in the event of a disaster recovery scenario to use it, because if our network goes down, we need an alternate network to support that messaging.

Waters: Do the regulators understand the limits of technology? Do they even care?

Johns: I have seen a massive shift this year versus last year. I absolutely did believe that regulators for the first time are really trying to understand what is technically possible. I think there is now this notion that there is a huge burden that’s been placed on the financial industry, and if a technology can be used to reduce that burden, the regulators actually do want to understand that. I’ve seen some softening from the regulators in terms of ‘show me what’s possible, show me what can be done, and then let’s understand how we might be able to engage with you with that kind of new understanding.’

Steffan: I think there is a realization that a technology solution to problems this complex cannot simply be mandated. The regulators implicitly have an interest in effective solutions, and I think as the cost and burden of these systems becomes apparent, the regulators are willing to engage in the discussion about what is feasible technologically and what is effective. That’s why we have been successful in talking to the regulators about the need and benefits of moving from an old approach like random sampling to a new approach like intelligence surveillance. It not only helps us produce a more cost-effective solution; it also helps us produce a more regulatory effective solution, and that’s a win-win.
