The passing of the USA PATRIOT Act reinforces the reality that any paper or electronic data management program should be a top priority for corporate leadership and corporate governance.
The Patriot Act requires the Secretary of the Treasury to prescribe regulations “setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution.” Broker-dealers must develop and fully implement the customer identification program (CIP) by October 1, 2003.
The CIP must include procedures for making and maintaining a record of all information obtained. Retention of records: The broker-dealer must retain the records made under paragraph (b)(3)(i)(A) for five years after the account is closed and the records made under paragraphs (b)(3)(i)(B), (C) and (D) for five years after the record is made. In all other respects, the records must be maintained pursuant to the provisions of 17 CFR 240.17a-4.
Corporate Governance and Compliance: The following guidelines should be considered when developing and maintaining rules for record retention and reference archiving:
- Make electronic-data and paper-based document management a business initiative, supported by corporate leadership in the form of a corporate governance sub-committee.
- Maintain records of all types of hardware and software that are in use and the locations of all electronic data.
- Create a business records and document review, retention and destruction policy, which includes consideration of backup and archival procedures, up-to-date evidentiary standards, content integrity, document reproduction tests, online storage repositories, record custodians and a destroyed documents “log book.”
- Create an employee technology use program, including procedures for written communication protocols, data security, employee electronic data storage and employee termination/transfer.
- Clearly document your corporate data retention policies in a record procedures manual.
- Document all ways in which data can be transferred to or from the company.
- Regularly train employees on the company’s data-retention policies.
- Implement a litigation response team, comprised of outside counsel, compliance staff, corporate counsel, the human resources department, business line managers and IT staff, that can quickly update or amend document-destruction policies.
- Be aware of electronic “footprints” – delete does not always mean delete, and meta-data is a fertile source of information and evidence.
- Cease formal document destruction policies at the first notice of a regulatory investigation, suit or reasonable anticipation of suit. Note that the subject or topic of an investigation or suit may reside in any business record, data file or reference archive.
- Finally, make a practice of conducting routine audits of policies and procedures, performing compliance assessments and enforcing the policies when violations occur.