Tough e-mail archiving laws coming soon to Canada – and how to prepare

Multi-million dollar fines, criminal indictments, and exorbitant e-discovery costs…

Canadian financial services firms – including securities dealers and portfolio managers – could incur these in the not too distant future if they violate pending legislation proposed by the Canadian Securities Administrators (CSA).

CSA is a forum for the 13 securities regulators of Canada’s provinces and territories to co-ordinate and harmonize regulation of Canadian capital markets.

By year’s end, Canadian financial services firms will be subject to tough, new e-mail storage and retrieval rules defined in National Instrument 31-103 (NI 31-103).

Among other requirements, NI 31-103 mandates that registered firms keep their records – including electronic messages – in a durable form that can be “promptly” provided to regulators if a record is requested within two years of its creation.

After two years, requested records must be delivered in a “reasonable period of time.” In fact, NI 31-103 requires firms to keep some records for seven years after the departure of a client.

NI 31-103 confirms the importance of e-mail as a formal communications medium and adds another regulatory layer of protection for financial services firms and their clients.

It reinforces the trust that underpins Canada’s financial system and provides a means for resolving disputes. Clearly, compliance is in everyone’s best interests, but how, exactly, do companies comply with NI 31-103?

Compliance and technology

Some firms have already raised concerns about overwhelming costs of physical storage and difficulties in developing a suitable e-mail archival and retrieval system.

Others are operating under the impression that backup copies of their e-mail servers will meet the record-keeping requirements. Both groups are mistaken.

E-mail archiving doesn’t have to be expensive or difficult – powerful, easy-to-use solutions can cost less than $50 per user – but it can’t be done with backup technologies.

Simply put, backup tapes don’t archive all e-mail messages.

If a user sends an e-mail to a co-worker and, minutes later, both users delete all traces of that e-mail, the backup tape will not capture it. Backup tapes don’t maintain copies of e-mails exchanged between backups or retain copies of e-mails deleted by users after the backup is replaced with a newer one.

Worse, backup tapes impede e-mail retrieval. With no search capability, backup tapes require IT staff to manually search for requested e-mails. In addition to the high costs of the related e-discovery, the integrity of the e-mails retrieved cannot be confirmed.

Similar to the user-deleted e-mail above, if a user receives an e-mail and subsequently edits and re-saves it, overwriting the original, a backup tape would not have a copy of the original.

An e-mail archive, on the other hand, stores, indexes, retrieves, and monitors all inbound, outbound, and internal e-mail messages and file attachments in real time.

It can ensure that e-mail and attachments have not been altered. An e-mail archive would retain a copy of the user-deleted e-mail as well as the original and modified versions of the user-edited e-mail.

And an e-mail archive’s index expedites e-mail retrieval as IT staff – and in some cases, end users – can search on parameters such as sender, recipient, subject line, date sent, and text in the message header, body, or attachment.

E-mail archiving policies

Implementing a real e-mail archive solution may be one of the first steps Canadian financial services firms take to comply with NI 31-103, but it won’t be the only step. Beyond deploying technology, each firm must establish its policies for e-mail use and retention. The tips below offer guidance toward that end.

• Involve the company. Policy for how e-mail will be used and retained should be developed with input from across the organization – IT, legal, HR, compliance, customer relations, and administrative departments. Make sure international divisions of the company are included, too.

Create one policy for retention of e-mails and another for company-wide usage of e-mail. While separate, the policies should be developed side by side. Both should be reviewed and updated annually.

• Communicate your usage policy. All employees should be notified, not just through e-mail, but through face-to-face training and discussion in department meetings. Be specific and detailed.

Everyone in the company should understand both appropriate and inappropriate use of e-mail, and that violating usage guidelines is a punishable offence. Employees should also know that copies of everything they send are being archived (this knowledge alone often results in fewer instances of inappropriate messaging).

• Start archiving now. Don’t delay archiving in the absence of a retention policy. Ideally, the policy comes first and dictates the parameters of the archive setup. But for many companies, a policy can take months to develop and gain consensus.

Don’t risk a damaging noncompliance situation or costly e-discovery process in the meantime. A flexible in-house archiving solution can easily be adapted as policy takes shape.

Ultimately, the e-mail record-keeping requirements introduced by NI 31-103 will help protect investors, improve market efficiencies, and reduce risk. By implementing an e-mail archiving system, Canadian financial services firms can help protect their clients while also protecting themselves.
