Rules & Regulations.
Businesses today must be up-to-date and compliant with a wide range of state, federal, and international regulations. To help you better understand what is required of your organization, Fortiva has provided a list of the key regulations and advisories businesses should be concerned with, and a summary of what they entail.
To find out how Fortiva can help your organization to comply with the regulations below, please contact us.
Federal Rules of Civil Procedure
Recent amendments made to the Federal Rules of Civil Procedure (FRCP) require all companies to retain all their corporate correspondence (including electronic online records) and make them available to the court in case of a lawsuit, without the court having to ask for them specifically.
The Federal Rules of Civil Procedure (FRCP) govern the conduct of all civil actions brought in the U.S. Federal district courts. Because state law is separate, these exact rules do not apply to suits brought in state courts. However many states have similar rules modeled on these provisions. As such, all companies who may have a case in federal court (and quite possibly in state courts as well) have to comply with the FRCP.
The 2006 amendments have also been approved and recommended in the Sedona Principles, which are widely cited rules crafted by top lawyers, judges, consultants and academics to govern issues concerning electronic discovery, antitrust law, intellectual property rights, and complex litigation. These amendments will become effective on December 1, 2006.
Close >
Amendments and their Implications >
The following amendments made to the FRCP impact the process of e-discovery and reinforce the need for an electronic archive.
Rule 26: General Provisions Governing Discovery; Duty of Disclosure
(b) Discovery Scope and Limits
This rule states that every organization has "a duty to disclose all potentially relevant sources of information" to the courts as soon as they "reasonably anticipate" litigation unless these sources are "not reasonably accessible because of undue burden or cost."
Thus, every organization should have in place appropriate technologies which allow them to state the types of documents they have in their records and justify that a relevant piece of evidence is "not reasonably accessible". This makes it necessary for organizations to be able to effectively search their data and assess the costs of retrieving certain pieces of information.
(f) Meeting of Parties; Planning for Discovery
This rule requires all parties to meet before the trial, or at least 21 days before a scheduled conference, to discuss the nature and basis of their claims in an attempt to speed the possibilities of a prompt settlement. During this pre-trial conference, parties must arrange for the disclosures required by Rule 26 (a)(1) and "develop a proposed discovery plan" which must state the subject, form, and timing of all disclosures made/to be made.
This requires parties to be fully aware of the types of records they can make available in the trial and the location of these records in order to prepare a "discovery plan". Being thoroughly prepared for the pre-trial session is the key to possibly resolving the case before it reaches the court.
Rule 34: Production of Documents and Things and Entry Upon Land for Inspection and Other Purposes
(a) Scope
This rule states that "any party" can request relevant records (those discussed in Rule 26) of an organization for inspection if they suspect any violations committed by the organization in question.
Electronically stored data is one of the types of records which can be requested for inspection by opposing parties. As such, organizations must be able to easily search through their e-records and retrieve the requested information. In addition, the ability and right to search through an organization's e-records should be transferable so that the opposing parties may be able to inspect these documents as well.
(b) Procedure
The party in question is responsible for making the requested information available to all parties within 30 days of the e-discovery request. This is a part of the pre-trial discovery process which requires the responding party to provide a "proposed plan for discovery" and produce all requested information, including electronically stored data, in a form that is "reasonably useable".
The organization in question should have in place a quick and easy search function which will allow them to search through their electronic-data archives and respond to the e-discovery request on time. They should also be able to produce the e-records in a form that is readable and useable by the other parties.
Rule 37: Failure to Make Disclosures or Cooperate in Discovery; Sanctions
(f) Electronically Stored Information
This rule creates a "safe harbor" protecting a party from sanctions arising from its deliberate deletion of electronic information that is critical to the legal case in question as long as this information was deleted "as a result of routine, good faith operation of an electronic information system".
Organizations should have adequate policies and practices in place to prove to the courts that the deletion of certain records complied with their corporate policy and as such, the deletion was done in good faith.
Close >
Case Law Examples: The Impact of FRCP on Businesses >
Since the Federal Rules of Civil Procedure (FRCP) were amended in December, 2006, over 50 court opinions on electronic discovery have been issued. While these rulings vary in their impact, they all point to the fact that businesses (IT in particular) need to be prepared to produce any emails (regardless of format) that were not disposed of according to a written policy. The following is a list of cases that illustrate the risks of ignoring FRCP.
Deadlines Must Be Met; Cost Is Not A Valid Excuse
Best Buy v. Developers Diversified Realty (February 1, 2007) - Ordered to produce information within 28 days, regardless of cost
In this case, the defendants (Diversified) argued that the emails and other electronic documents that were requested by Best Buy were not “reasonably accessible” (they existed only on archived, electronic backup tapes). Diversified cited a cost of $125,000 to recover the information. The judge did not accept the argument and ordered that the information be produced within 28 days, including IT time and legal preparation.
Williams v. Taser International (June 4, 2007) - Ordered to conduct specific searches and produce results in 30 days, regardless of cost
In this case, neither party could agree on what data should be produced for discovery. In an effort to move the case forward, the judge ruled that the defendant, Taser, must run twenty-one (21) specific searches to identify a collection of "presumptively responsive documents." Taser had thirty (30) days from entry of the Order to produce all such documents in a “searchable, electronic form”.
Relying On End Users For Policy Enforcement Is Not Sufficient
Intel vs AMD (April 2007) - Ordered to search back-up tapes to find user-deleted email, resulting in millions of dollars in expenses
In this case, Intel claimed that it put a clear retention policy in place once it learned of AMD’s legal intentions. Employees, however, didn’t always follow the instructions. Intel was compelled to search back-up tapes to produce past email messages. In April 2007, the Wall Street Journal reported that Intel “spent $3.3-million to process computer tapes to help recover missing emails and expects to spend ‘many millions of dollars’ in the effort.”
United Medical Supply v. United States - Sanctioned for allowing deletion of email by depending on employees to follow policy
In this case, the government was sanctioned for allowing email to be deleted. There was no centralized email archive, so the government depended upon employees to follow policies for keeping email. A government attorney properly notified those involved to hold email according to the policy, however, some emails were still deleted. The court ultimately ordered the government to reimburse United Medical Supply for some of their discovery costs and barred them from cross-examining United Medical Supply’s expert witness on various aspects at trial.
Failure To Enforce Litigation Hold Can Have Serious Consequences
-
Doe v. Norwalk Community College (July 16, 2007) - Failure to conduct legal hold results in adverse jury instruction, legal fees awarded
In this case, the court specifically cited the defendant’s failure to “put a litigation hold in place.” The court said that Doe was entitled to an adverse instruction to the jury regarding destroyed evidence. In addition, the court awarded some legal fees and the reimbursement of expert fees.
These amendments were developed to make court proceedings more time-efficient. In order to meet the requirements of these amendments, organizations need to develop a sound email policy which can be implemented and enforced with an effective email archiving solution.
Fortiva provides a fully managed email archiving solution which securely retains all corporate email records according to customer-defined retention policies. In addition, Fortiva gives organizations on-demand access to valuable correspondence which may prove their innocence in a potential lawsuit. Organizations must be equipped to submit to e-discovery requests within the specified time frame. Fortiva's instant search and retrieval function allows firms to quickly and easily search through their electronic archive to find required data fast. Fortiva is the only email archiving solution that backs up their search performance with a guarantee.
Close >
For a detailed copy of the FRCP, 2006, visit the link below.
http://www.law.cornell.edu/rules/frcp/Rule26.htm
Download a complete text of the amendments:
http://www.uscourts.gov/rules/Reports/ST09-2005.pdf
E-Discovery Survival Guide for Corporate Counsel
Click here to download.
Key Questions to Prepare Your Business for FRCP
Click here to download.
Close >
Sarbanes-Oxley
Requires public companies save all business records, including electronic records and messages, for no less than five years. All relevant audit-related documentation (including email records) must be retained for seven years. Section 404 also requires companies to report on the effectiveness of internal controls over financial reporting. Since internal control decisions and data are discussed, transported and stored in corporate email systems, ensuring that email data cannot be accessed or tampered with is considered critical to the reliability of financial reporting.
Back to top >
SEC 17a (3,4)
A broker or dealer must preserve documents and records for three to six years, the first two years of which, they must be in an accessible place. All documents and records must be time-stamped, stored in a non-rewriteable/non-erasable format, organized and indexed, with a duplicate copy stored separately from the original. The indexes should be also duplicated and stored separately from the original, and they should be available for examination and preserved as long as the documents and records.
Back to top >
NASD Supervision (3010, 3012, 3013)
Because Rules 3010 and 3012 and 3013 all address an NASD member firm's supervisory policies and procedures, there has been some confusion regarding the differences between the three rules. According to the NASD interpretive guidance on these rule changes, the relationship between the three rules is as follows:
Although Rules 3010, 3012, and 3013 are closely related, their obligations are complementary, not duplicative, in nature. The three rules essentially come together to form an overarching regulatory scheme for the supervision of member firms.
- First, Rule 3013 requires the CEO of each member to certify that they have a process to adopt compliance policies and supervisory procedures reasonably designed to achieve compliance with applicable securities laws and regulations and NASD rules.
- Rule 3010 requires the establishment of a supervisory system for the firm's business activities, including the adoption of polices and procedures reasonably designed to achieve compliance with applicable securities laws and regulations and NASD rules. The establishment of the supervisory system required to be adopted in Rule 3010 should result from the processes that are the subject of the certification of Rule 3013.
- Finally, Rule 3012 requires firms to (i) have supervisory control procedures that test and verify that the members' supervisory procedures are reasonably designed to achieve compliance with applicable securities laws and regulations and NASD rules, and (ii) where necessary, amend or create additional supervisory procedures.
In sum, NASD's new regulatory supervisory scheme consists of process, supervision, adoption of policies and procedures, and testing and amendment of such policies and procedures.
Close >
Under Rule 3013, your CEO is certifying that processes are in place; the rule does not require that the adequacy of such processes be certified. However, it is important to remember that the Rule 3012 Report is due two months later, by January 31, 2006. This report requires your firm to detail supervisory control processes and procedures (outlined in Rule 3010) AND to report on the effectiveness of those procedures. As a result, it is recommended that firms take action now to ensure they are adequately meeting supervision requirements.
Things to consider when reviewing your firm’s compliance with Rule 3013.
The following three processes must be in place to meet the requirements of Rule 3013:
The process in place to establish, maintain and review policies and procedures reasonably designed to achieve compliance with all applicable rules & regulations
Things to consider:
- Guidelines for written supervisory policies are outlined in Rule 3010, which “requires the establishment of a supervisory system for the firm’s business activities, including the adoption of polices and procedures reasonably designed to achieve compliance with applicable securities laws and regulations and NASD rules.” Rule 3010 specifically requires supervisory processes be put in place to monitor email correspondence.
- Your firm should designate a person or group to be responsible for maintaining copies of all versions of written policies and procedures, including compliance manuals, written supervisory procedures and compliance or supervisory bulletins or memos. This is also a requirement of Rule 3012.
- Your firm will require a formal mechanism to review written compliance supervisory procedures on a regular basis. One way to accomplish this is to designate a person or group in each business area of the firm to be responsible for reviewing the current policies and procedures at least once annually (or on an as-needed basis in light of important business or regulatory changes).
- After every policy change, a copy of the updated policies and procedures should be distributed to relevant parties and the previous version should be formally archived.
The process in place to modify such policies and procedures as business, regulatory and legislative changes and events dictate
Things to consider:
- A person or group in your our firm should be responsible for tracking the following: new and amended legislation by the NASD or SEC, industry developments and trends, results of examinations, issues arising from litigation, arbitration and complaints, and changes to the firm's practices. Any changes should be reported during regular reviews of supervisory procedures (required by process #1, above).
- The person or group responsible for supervision policies and procedures should ensure that, where required, policies are updated/edited after each review of supervisory procedures.
- When a change is made to the supervisory policies, employees should be made aware of those changes and, where required, additional training should be provided.
The process in place to test the effectiveness of such policies and procedures on a periodic basis, the timing and extent of which is reasonably designed to ensure continuing compliance with all applicable rules
Things to consider:
- Testing the 'maintenance' of policies and procedures should involve a check of all archived versions. These copies should be kept in a secure manner, and should be backed-up.
- Testing the processes to 'review' written supervisory procedures (WSPs) can be accomplished by compiling a list of regulatory and major business changes that occurred since the last testing period (this list should be maintained by the person identified in process #2 who is responsible for tracking industry changes).
- For each regulatory or business change, there should be evidence of a review against current policies OR a new version of the WSPs.
- Testing the processes to 'modify' WSPs takes the 'review' process one step further, by ensuring that WSPs were appropriately modified when required. This will require a more in-depth look at regulatory/business changes and comparing them with the corresponding change to WSPs. It should also involve a check to show evidence that the updated WSPs were implemented.
- Testing the 'effectiveness' of WSPs can be accomplished by compiling and reviewing results from a series of indicators, including regulatory audit findings, WSP testing results, complaints received, internal review findings, and internal disciplinary actions.
- Every review, change, or test of WSPs should be documented in writing and archived.
Close >
To meet NASD supervision requirements, broker-dealer firms must ensure that all email is supervised. For many organizations, email represents one of the biggest challenges - and risks - they face. With email volume continually increasing, the challenge is not getting any smaller.
Fortiva offers a complete solution for email archiving that includes the most comprehensive automated supervision available for your messaging archives. With Fortiva in place, you can easily meet NASD requirements, while reducing your firm's exposure to risk.
NASD Requirement [Rule 3010 & 3013]
How Fortiva helps you meet it
A system should be established and maintained to supervise activities of all registered representatives, including the use of e-mail.
Fortiva was designed to allow broker-dealers to easily implement supervision procedures to meet NASD requirements including:
- Conducting random sampling
- Automatically reviewing messages that violate policies
- Assigning different reviews to monitor specific mailboxes
- Assigning different reviewers for specific policies
Written procedures must be developed for the review of any written and electronic correspondence with the public relating to investment banking or securities business.
Fortiva Policy allows firms to specify and automatically implement acceptable use, retention and supervision policies with an easy-to-use browser interface. Fortiva also automatically retains a historical record of every policy implemented.
If an electronic or manual pre-use review is not done, then appropriate supervisory procedures should be developed, as well as monitoring and testing the procedures, educating employees on the procedures and documenting the education of the employees.
With Fortiva Supervision in place, email messages that meet supervision policy requirements are automatically put in a queue for review. Fortiva also provides reports that show the number of messages have been selected and supervised, making it easy to illustrate your firm's adherence to supervision rules.
A written copy of supervision policies can be easily printed and distributed in pdf form for use in employee training programs. Fortiva also has a 'sign-off' version that asks employees to confirm they have received a copy of the policy and that they understand its requirements.
All correspondence relating to investment banking or securities business should be retained along with the names of the persons who prepared and reviewed the correspondence, and the retained records should be readily available to NASD.
Fortiva keeps an original copy of all correspondence that is sent or received via email, including all metadata such as the name of the sender, receivers, (including blind copy recipients) and the date sent . To fulfill strict inspection requirements, Fortiva's advanced search and discovery features also allow you to easily search and retrieve required files in a matter of minutes.
An annual review of a broker/dealer's business activities, supervisory system, customer accounts and office inspections is required.
Fortiva's reporting features make it easy to provide comprehensive evidence of your firm's adherence to supervisory controls for email.
NASD Rule 3013 requires the CEO of every NASD-regulated firm to send a letter to the Association certifying compliance with the regulation. This sample letter includes the required components and can be used as a template to get you started.
To: NASD Examining Authority
From: NASD Member
Re: CEO's Annual Certification as Required by NASD rule 3013
I hereby certify our Company has designated a Chief Compliance Officer (COO) and that:
- We have processes in place to establish, maintain and review policies and procedures reasonably designed to achieve compliance with applicable NASD rules, MSRB rules and federal securities laws and regulations;
- Modify such policies and procedures as business, regulatory and legislative changes and events dictate; and
- Test the effectiveness of such policies and procedures on a periodic basis, the timing of which is reasonably designed to ensure continuing compliance with NASD rules, MSRB rules and federal securities laws and regulations.
Furthermore, I certify that these processes are evidenced in a report that has been reviewed by the CEO and submitted to the Member's board of directors and audit committee and that we have, over the past 12 months, conducted a minimum of one meeting between the CEO and COO to (1) discuss and review the matters that are the subject of the certification; (2) discuss and review the Member's compliance effort as of the date of such meetings; and (3) identify and address significant compliance problems and plans for emerging business areas.
Yours truly,
CEO
Links to NASD rules and interpretive materials:
NASD Rule 3010
NASD Rule 3012
NASD Rule 3013
NASD Interpretive Materials for Rule 3013
NASD Guidance Notice Regarding Supervisory Controls (Including Rule 3010, 3012 and 3013)
NASD 2210
All sales literature and correspondence made available to customers or the public (including email) must be a maintained for three years from the date of each use including the name of the person who prepared the literature and/or approved their use. Any communications (including email) that deal with the performance of past recommendations or actual transactions and completed worksheets should be stored at a place easily accessible to the sales office for the accounts or customers involved.
Back to top >
NASD 2711
All research reports, including any written or electronic communication that includes an analysis of equity securities of individual companies or industries, and that provides information reasonably sufficient upon which to base an investment decision, must be retained for three years following its publication.
Back to top >
NASD 3110
All books, accounts, records, memoranda and correspondence should be retained in the same format as stated in SEC Rule 17a-4 (i.e. non-rewriteable, non-erasable, and time-stamped). All e-mails and Internet communications which relate to the broker/dealer’s business must be retained for at least three years, the first two years in an easily accessible place.
Back to top >
Investment Advisors Act
Investment advisers shall make and keep records in accordance with the Securities Exchange Act of 1934 as well as allow the Commission to examine such records as the Commission deems necessary or appropriate in the public interest or for the protection of investors. Investment advisers are also required to maintain and preserve books and records in an easily accessible location for at least five years from the end of the fiscal year during which the last entry was made, the first two years in an appropriate office of the investment advisers.
Back to top >
IDA 29.7(The Investment Dealers Association of Canada)
All client correspondence and related documents, including emails, must be retained for five years from the date of creation. In addition, all sales literature and related documents must be retained for two years from the date of creation. Archived sales literature and correspondence must be readily available for inspection by the Association at all times.
Back to top >
OCC Advisory: Electronic record Keeping
Banks should implement an electronic record retention system to allow litigation, audits, bank supervision, and compliance with laws & regulations. Systems should also prevent external access by third parties, and provide back-up, internal controls, record destruction, and record retention.
Back to top >
FDIC Advisory: Information Technology Risk Mgmt Program
Requires encryption of electronic customer information while in transit or in storage.
Back to top >
Basel II
Banks must create internal processes to control, supervise and enforce risk management practices, including those involving internal communications.
Back to top >
Gramm-Leach Bliley Act
Financial institutions must ensure the security of non-public personal information; this includes any record containing private information about a customer of a financial institution whether in paper, electronic or other form (including email). Penalties for violating GLBA consist of fines up to $500,000 and up to 10 years in jail.
Back to top >
California Privacy Law SB1386
Businesses are required to notify California residents if personal information stored on computer systems has been breached. This regulation applies to any organization that conducts business with California residents. A company is exempt from the notification requirement of California SB 1386 if the personal information is stored in encrypted format.
Back to top >