Advisers and E-mails: Between a Rock and a Hard Place
Get a load of this question, posed recently in writing by SEC examiners to an advisory firm:
"Does the firm automatically retain all e-mails of all employees? If not, how does the firm ensure that it is complying with the recordkeeping requirements of Rule 204-2?"
The question starkly highlights the choice faced by investment advisers: Do we keep everything and risk preserving a smoking needle? Or do we try to sort out the required wheat from the discardable chaff?
The notion that an adviser should save all its e-mails flies in the face of conventional records management theory. As e-mail guru Randy Kahn put it in his book, "E-Mail Rules" (co-authored with Nancy Flynn): "Does your organization retain all your e-mail forever? Congratulations. You're a disaster waiting to happen."
Here's why: If you save all e-mails, you will, by definition, save the ones that will be most incriminating to your company, even if you would have been fully within your rights to delete them.
And then there's the cost issue. While electronic storage is relatively cheap, consider the volume of e-mails that will build up over the years. Over time, the cost of storage can become significant. And even after six years have passed, will you really feel comfortable deleting whole batches of e-mails if you don't know whether they contain performance backup or client contracts?
Not to mention the cost of sorting through the ocean of e-mails in response to regulatory requests or in response to litigation. On that score, here's one data point to consider: IM Insight's heard that an advisory firm recently spent over $2 million in legal and IT costs to respond to an SEC e-mail production request.
That's two (t-w-o) million (m-i-l-l-i-o-n).
Unfortunately, there's no good alternative to the "keep everything" approach. As a practical matter, the volume of e-mail produced by even just a few users is too great for one individual to go through and sort. Automated classification systems, in which a computer searches for word patterns and classifies e-mail accordingly, are far from perfect, although they can be used as an initial screen to winnow down the universe of e-mails for subsequent manual sorting.
Some records management specialists suggest that the only way to properly sort e-mails into required and non-required records is to allow end-users to classify their records. However, as Kirkpatrick & Lockhart partner Richard Marshall points out, that approach contains flaws as well. During last month's Electronic Communications Compliance Roundtable, Marshall asserted that the person who either creates or receives the e-mail "cannot be the sole sorter." The risk, he said, is "either they do it in a way that is ignorant, they don't understand the record keeping requirements, or they do it for a malicious purpose." If the sorter has engaged in misconduct, "they have an incentive to conceal incriminating information so if you just leave it to them, then it becomes subject to abuse."
Hence, the "keep everything" approach.
"We continue to see different approaches to retention of e-mail, but I would say there is definitely a trend towards retaining all e-mail," said Investment Counsel Association of America associate general counsel Caroline Schaefer. When firms look at the "headache and time commitment" of devoting what they view to be sufficient resources to the deletion process, "many decide that it is easier in the long run to keep everything." However, Schaefer added, "most of them realize that this does not get you off the hook for down the line having to organize required information."
BTA CEO Thusith Mahanama confirmed the trend. "All of our clients, except one, are saving everything," he said. And, he added, "most attorneys" take that as a best practice, given the difficulties of categorizing e-mail. "It's a matter of pure volume."
He also noted that e-mail communications are informal. "The subject of an e-mail can say 'Lunch,' but you can reply and discuss business, and vice-versa," he said. "From a technical perspective, it is practically impossible to sort out," he said. "The variations are just far too great to accurately identify required e-mail." In his view, "it is better to proactively be safe than sorry."
When it comes to e-mail retention, advisers face five basic choices. Here's a list, based on a paper prepared by BTA:
1. Print out required e-mails and store them in the firm's paper records. If your firm's e-mail volume is small enough, this can be a simple, low-cost solution. Senior members of the SEC examination staff have said that they do not object to this approach, but cautioned that they would examine the process by which the firm ensures that required e-mails are, in fact, printed out and stored.
A Boston-area compliance officer reported that his firm decided to take this approach only after looking at outside e-mail solutions and finding the cost prohibitive. An electronic solution "would be ideal," he said. But "until they force a rule down our throats that requires electronic archiving," he'll stick with paper. "The turn off has been price," he explained. The solutions that he looked at were all in the range of $20,000 to $25,000 annually. "That's a lot of money for a small shop like ours," he said.
How's it working? "It's okay," said the compliance officer. "It's not great." If SEC examiners "needed to do a comprehensive sweep of stuff," such as all e-mail communications during a month pertaining to soft dollars, "it would be a tough thing to pull together from file to file to file, pulling together all the sheets."
He said that employees in his firm have been trained on the firm's policy, which is to print only e-mails that the firm considers required records. Otherwise, people would print out "just about everything," he said. "I don't have that many file cabinets."
Each employee is responsible for understanding the requirements. "We got everyone together in a conference room" and went over what is required. "If they have questions, they know they should come to me." He added that employees are frequently reminded of their responsibility to print and retain e-mails that are required records, and that employees can refer to written guidelines on what types of e-mails must be maintained, which are set forth in the firm's procedures.
The compliance officer said that he has not formally tested whether employees are complying with e-mail retention requirements, but nonetheless had a sense that things were working properly. He noted that from time to time, documents backing up certain transactions have had to be retrieved. In those instances, he found that the required e-mails had been printed out and retained in the relevant paper files.
2. Back up your e-mail server on a nightly basis onto tape. At first blush, it sounds simple: there's no software to buy and no outside vendor to pay. However, while it's easy to get the e-mails onto tape, firms have had a devil of a time getting e-mails off of them. There's also the challenge of keeping track of what tape contains what e-mails, not to mention the risk that backup tapes will be overwritten or lost. Keep in mind that e-mails deleted intra-day will not be captured on the tape. Moreover, if the firm's e-mail server crashes before the next backup, you could lose e-mails.
3. Save e-mails on your firm's server, perhaps by using the "journaling" feature in Microsoft Exchange Server. Under this approach, a copy of each e-mail sent and received by users on the firm's Exchange Server is captured and deposited in a specified location, such as a mailbox on the firm's server. As the mailbox fills up with journaled messages, it'll need to be cleaned out, with the journaled messages transferred to another location, perhaps ultimately burned to CD.
A CCO at a Cleveland firm reports that her firm follows a variation of this approach. The firm set up a firm-wide filing system using folders on the firm's Microsoft Exchange server. "Everyone shares those folders," she said. When setting them up, she said that her firm looked to its paper files as a model, and "mimicked our electronic system to look like our paper system," she said. The e-mails deposited in the folders are stored for three years on the server, and then burned to CD on a year-to-year basis. In addition, she said, her firm writes the e-mails to back-up tapes, but "just as a precaution to losing our data."
She said that her firm held in-house training to educate employees about what e-mails to keep and "step by step" how to save the e-mails. However, she is still dealing with some people who do not understand what they have to save and how to do it. For those people, she said, the firm is considering whether "to have somebody come in from the outside" to provide additional training.
4. Use commercial software installed on your firm's system. This approach can make sense if you have in-house IT expertise and are willing to spend the money to buy the software and additional hardware (such as a new server). Your firm's IT staff will have to keep an eye on things and upgrade software and hardware over the years. Plus, you'll need to monitor your storage capacity as the volume of retained e-mails grows. Zantaz and Legato fit into this category.
5. Outsource. Under this approach, your firm's e-mails are whisked off to a host for safekeeping. Iron Mountain, ZipLip, Fortiva, Live Office AdvisorMail, and BTA fall within this category. These systems typically feature a web-based front-end for searching and review of e-mails. These systems are costly, but overall may be less expensive than hiring an IT staff and buying hardware and software to store e-mails yourself using commercial software.
The key advantage to this approach: you outsource most of the IT headaches. In addition, having all e-mail stored offsite leaves you with one less thing to worry about from a disaster recovery perspective. And sending the e-mails to the host for safekeeping minimizes the likelihood that employees will tamper with them.
However, outsourced solutions are not without risks: if your host goes down, so does your access to your archived e-mails. Moreover, there's the risk that your e-mails never make it to the host in the first place, and that the security of e-mails stored at the host may somehow be compromised.