Tough e-mail archiving laws coming soon to Canada – and how to prepare

Multi-million dollar fines, criminal indictments, and exorbitant e-discovery costs…

Canadian financial services firms – including securities dealers and portfolio managers – could incur these in the not to distant future if they violate pending legislation proposed by the Canadian Securities Administrators (CSA).

CSA is a forum for the 13 securities regulators of Canada’s provinces and territories to co-ordinate and harmonize regulation of Canadian capital markets.

By year’s end, Canadian financial services firms will be subject to tough, new e-mail storage and retrieval rules defined in National Instrument 31-103 (NI 31-103).

Among other requirements, NI 31-103 mandates that registered firms keep their records – including electronic messages – in a durable form that can be “promptly” provided to regulators if a record is requested within two years of its creation.

After two years, requested records must be delivered in a “reasonable period of time.” In fact, NI 31-103 requires firms to keep some records for seven years after the departure of a client.

NI 31-103 confirms the importance of e-mail as a formal communications medium and adds another regulatory layer of protection for financial services firms and their clients.

It reinforces the trust that underpins Canada’s financial system and provides a means for resolving disputes. Clearly, compliance is in everyone’s best interests, but how, exactly, do companies comply with NI 31-103?

Compliance and technology

Some firms have already raised concerns about overwhelming costs of physical storage and difficulties in developing a suitable e-mail archival and retrieval system.

Others are operating under the impression that backup copies of their e-mail servers will meet the record keeping requirements. Both groups are mistaken.

E-mail archiving doesn’t have to be expensive or difficult – powerful, easy to use solutions can cost less than $50 per user – but it can’t be done with backup technologies.

Simply put, backup tapes don’t archive all e-mail messages.

If a user sends an e-mail to a co-worker and minutes later, both users delete all traces of that e-mail, the backup tape will not capture that e-mail. Backup tapes don’t maintain copies of e-mails exchanged between backups or retain copies of e-mails deleted by users after the backup is replaced with a newer one.

Worse, backup tapes impede e-mail retrieval. With no search capability, backup tapes require IT staff to manually search for requested e-mails. In addition to the high costs of the related e-discovery, the integrity of the e-mails retrieved can not be confirmed.

Similar to the user-deleted e-mail above, if a user receives an e-mail and subsequently edits and re-saves it, overwriting the original, a backup tape would not have a copy of the original.

An e-mail archive, on the other hand, stores, indexes, retrieves, and monitors all inbound, outbound, and internal e-mail messages and file attachments in real time.

It can ensure that e-mail and attachments have not been altered. An e-mail archive would retain a copy of the user-deleted e-mail as well as the original and modified versions of the user-edited e-mail.

And an e-mail archive’s index expedites e-mail retrieval as IT staff – and in some cases, end users – can search on parameters such as sender, recipient, subject line, date sent, and text in the message header, body, or attachment.

E-mail archiving policies

Implementing a real e-mail archive solution may be one of the first steps Canadian financial services firms take to comply with NI 31-103, but it won’t be the only step. Beyond deploying technology, each firm must establish its policies for e-mail use and retention. The tips below offer guidance toward that end.

• Involve the company. Policy for how e-mail will be used and retained should be developed with input from across the organization – IT, legal, HR, compliance, customer relations, and administrative departments. Make sure international divisions of the company are included, too.

Create one policy for retention of e-mails and another for company-wide usage of e-mail. While separate, the policies should be developed side by side. Both should be reviewed and updated annually.

• Communicate your usage policy. All employees should be notified, not just through e-mail, but through face-to-face training and discussion in department meetings. Be specific and detailed.

Everyone in the company should understand both appropriate and inappropriate use of e-mail, and that violating usage guidelines is a punishable offence. Employees should also know that copies of everything they send are being archived (this knowledge alone often results in fewer instances of inappropriate messaging).

• Start archiving now. Don’t delay archiving in the absence of a retention policy. Ideally, the policy comes first and dictates the parameters of the archive setup. But for many companies, a policy can take months to develop and gain consensus.

Don’t risk a damaging noncompliance situation or costly e-discovery process in the meantime. A flexible in-house archiving solution can easily be adapted as policy takes shape.

Ultimately, the e-mail record keeping requirements introduced by NI 31-103 will help protect investors, improve market efficiencies, and reduce risk. By implementing an e-mail archiving system, Canadian financial services firms can help protect their clients while also protecting themselves.

Share on LinkedIn Share with Google+