Financial Services Firms Pioneer Compliant Storage
In the third part of our series on compliance and storage issues, we look at the financial services industry's experience with electronic records and what that could mean for other industries.
SEC Rule 17a-4 has been guiding the record retention practices of financial firms since the Securities Exchange Act of 1934 first brought the issue of compliant storage to Wall Street. Long industry experience, and the SEC's amendments and clarifications on electronic storage, have made 17a-4 among the best understood regulations from an IT implementation perspective. The requirements are relatively clear, but meeting those requirements in the face of spiraling e-mail volumes and under the scrutiny of more aggressive regulators makes 17a-4 compliance a fresh challenge.
Rule 17a-4 has the most direct impact on storage management, but there are a variety of related regulations with which companies involved in securities trading must comply. Among other provisions, 17a-4 mandates how records must be stored. It requires non-erasable, non-rewritable media, specifies retention periods which vary by record type, and calls for "easily accessible" storage (generally understood to mean that records must be located within 24-48 hours). 17a-4 is also where the SEC dictates that relevant communications be retained, the source of the requirement for e-mail archiving.
Related SEC Rule 17a-3 specifies the reports and records that must be generated by broker-dealers and stored under 17a-4. In addition, NYSE and NASD have record creation and retention rules of their own (NYSE 440 and NASD 3110) that echo the requirements of 17a-3 and 17a-4, and additional supervision rules (NYSE 342 and NASD 3010) that require monitoring of electronic communications. NYSE and NASD have further stated that instant messages are considered covered communication, and that these must also be monitored and stored.
As The Worm Turns
The SEC has updated 17a-4 over the years, evolving the rule to meet the realities of changing business technologies. Most recently, in May 2003, the commission issued an interpretation that essentially recognized magnetic WORM (write once, read many) disk as satisfying the non-erasable, non-rewritable requirements of 17a-4.
Peter Gerr, senior analyst at Enterprise Strategy Group, calls the ruling the "most interesting development" in the financial industry's shift from optical to magnetic WORM media. Gerr, who co-authored a 2003 ESG research study on compliance, finds the movement to WORM disk one of the major trends since that study's release.
"If anything," says Gerr, "we may have underestimated the pace with which financial services would adopt disk-based WORM."
As with Sarbanes-Oxley (substitute 17a-4's "easily accessible" for SOX's "rapid and current" here), the need to find records quickly to satisfy auditors or litigators is the driving force in the migration from optical to magnetic.
Mike Gundling, Ilumin's senior vice president of product management and marketing, says that discovery requests have increased at the same time that the volume of messages has increased, making the technology even more valuable.
In 1997, says Gundling, "if [firms] were doing six discoveries a year, they were willing to accept the costs" of recovering messages from offline optical platters. "They were getting charged $4 per MB to restore messages, to search them. Today we have firms that are doing three to five discovery requests a week." With SATA WORM disk archives, says Gundling, customers can "keep more online and eliminate those extensive costs related to reactive discovery."
And, of course, the extensive costs of non-compliance have also gone up. The days of inconsequential fines are over, asserts Gundling, saying, "The fines have gone from four and five digits to seven and eight digits."
Booming Storage Requirements
Broker-dealers are required to generate, and to archive, a number of reports and logs on a daily basis. They must also maintain bank statements, bills receivable, and other financial records.
According to Peter Mojica, vice president for product management at AXS-One, the volume of this "traditional books and records data" can be huge, up to 50-100 GB per day for some firms.
But even these numbers are bettered by the capacity demanded by e-mail, which must be archived under 17a-4. Mojica cites as examples two customers, one with 40,000 mailboxes archiving 1 TB per week (200 GB per business day), and one with 15,000 mailboxes archiving 350 GB per day. Both storage figures are staggering, but the smaller firm actually requires the greater capacity because it has chosen to archive all e-mails rather than to selectively store messages based on content and other information.
E-mail archives are growing not only because of the volume of traffic, but also because of the increased use of rich attachments, a point made by both Gundling and Mojica. Mojica says that some firms "use [e-mail] as a shared file system," and concludes that as far as compliant e-mail storage goes, "those numbers are going to just get bigger and bigger."
NASD and NYSE specifically mention instant messaging, and member firms are required to supervise and retain those records as well. Companies differ in their approach to IM archiving, according to Gundling. "Some firms are not allowing the use of IM," he says. Next to e-mail, IM represents "a much smaller storage footprint," says Gundling, but he adds that among Ilumin's customers, compliant IM usage is going up both in terms of numbers of users and in volume of messages sent.
For the customers of AXS-One, too, IM archival storage is dwarfed by e-mail storage. "Those numbers are relatively small," says Mojica, and the content is generally only text. "The use of attachments in IM is not as pervasive as people might think."
Long-term voice mail storage is an area where the regulations are less clear and another area where individual firms diverge. According to Gerr, "Some, not many, but some, have decided to expand their data protection and data retention policies to include voice-mail." But he also explains the opposing, less-is-more philosophy: "For many broker dealers, they don't want to take the risk that their voice mail records will be taken into evidence or be audited."
'Storage Is Becoming A Liability'
Broker-dealers have long experience with 17a-4, but compliance implementations have changed over the years, due both to technology changes and to increasing regulatory pressure.
According to Mojica, as recently as a few years ago adherence to retention policy was not viewed as critical. Financial firms writing books and records to optical media "implemented these systems mostly without the concept of retention," he says. "They just kept everything forever, because they used the data for historical research purposes." But now, keeping records for too long is viewed as a liability because of their potential use as evidence.
Maintaining control over the data in these growing archives is a critical concern for financial services firms. And the first part of control is record location. Gerr says, "It's one thing to create a multi-hundred terabyte or multi-petabyte online or nearline archive of data stored on disk. Once you create that archive, however, even if it's indexed, you need a search tool to be able to find the data that you're looking for."
Mojica sees the same trend, but from a perspective of increased risk. "Storage is becoming a liability," he says. "The more storage you have, the more risk you have, unless you can quickly discern the information that's in the store, and that applies both to normal storage and to backup."
Mojica includes backup as well as nearline archives in this equation, because, he says, "all of this stuff is discoverable."
"There's going to be a bigger convergence," says Mojica, "where storage vendors are going to be integrating more software-type features, like search and indexing, as part of the storage layer, so that we can manage that more effectively." EMC's recent announcement of search software for Centera, and Sun's unveiling of its Honeycomb project, point in that direction.
For those outside of financial services, it's likely that 17a-4 will serve as a precedent for newer record management regulations in other industries, according to Gerr. That might be good news for storage professionals in other industries, who will be working from a well-established blueprint and who can draw on the extensive experience of those regulated by 17a-4.