Compliance Guru • FFIEC Guidance
By Tom Hinkel In From the Field

Archiving vs. retention of email and other electronic data

There is no specific FFIEC regulatory mandate for archiving, only for retention¹.  There are, however, three reasons why you might want to consider archiving anyway, which I address below.  First, though, the issue of retention.

The key to complying with legal and regulatory retention guidelines is to treat all electronic information (email included) exactly the same as paper documents for retention and destruction purposes in your policies and procedures.  Make sure your retention periods are the same regardless of whether the information is physical or electronic.  If you are archiving email, the practical challenge is separating the financial emails from the loan-documentation emails, the customer-communication emails, and the jokes.  Each may carry a different (or no) retention requirement, but there is no technology that reliably classifies every message by data type on its own.  Lacking that, most banks simply archive all email regardless of the nature of the message.  Put simply, there are three approaches to data retention: save everything, save selectively, and save nothing.  Given the current technical limitations, the least risky of the three is to save everything.

Now, retention vs. archiving: think of an archive as a non-alterable backup.  Some archive solutions add a search feature, but the defining property is that archived data cannot be deleted or modified in any way.  So why consider archiving rather than simple retention?  Three reasons:

First, a public company is subject to SOX as well as GLBA.  SOX is much more stringent in its retention requirements: the data must not only be retained, the bank must also reasonably assure its integrity (non-alterability) and availability (searchability).  This can be done in several ways, but archiving is the most common.

Second, does your institution still have TARP funds?  If so, there could be retention implications in three areas:

  • Accountability and transparency mandates
  • Specific or implied record-keeping requirements
  • Heightened public scrutiny

Taken in order, the accountability and transparency mandates were established via the Recovery Accountability and Transparency Board, which coordinates and conducts oversight of recovery spending to ensure taxpayer dollars are not wasted, abused, or used fraudulently.  The overarching record requirement of the act is the broad, discretionary power it gives inspectors general to review and examine any records related to covered funds, as cited in Sec. 1515 of the act.  Again, archiving is not required, but it is the best way to assure data integrity and availability.

Third, the Federal Rules of Civil Procedure, which govern the conduct of all civil actions brought in federal district courts (and, through analogous state rules, most state courts), require the disclosure of any “electronically stored information” during discovery.  The rules' safe harbor shields an institution from sanctions only where the “electronically stored information is lost as a result of the routine, good-faith operation of an electronic information system”, OR where the data were destroyed in accordance with the institution's reasonable and customary data retention and destruction policy.  Note that this protects you from sanctions for not producing data you no longer have; it is not a license to withhold data you still hold.

¹ The FFIEC Operations Handbook mentions data retention only with regard to digital imaging systems.  The Handbook was written in 2004, when electronic documents were far less ubiquitous.


Article by Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years' experience, Hinkel's areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking technology company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

Copyright © Compliance Guru®.
All Rights Reserved.
