There is no specific FFIEC regulatory mandate for archiving, just retention¹. However, there are three reasons why you might want to consider archiving, which I will address shortly.
First though, the issue of retention. The key to complying with legal and regulatory guidelines regarding retention is to consider all electronic information (including email) exactly the same as paper documents for the purposes of retention and destruction in your policies and procedures. Make sure your retention periods are the same regardless of the physical or electronic nature of the information. Of course, if you’re archiving email, the challenge is in being able to separate the financial emails from the loan documentation emails, from the customer communication emails, and from the jokes. All could have different (or non-existent) retention requirements, but there is no technology available to automatically classify each message by data type. Lacking that, most banks simply opt to archive all email communication regardless of the nature of the message.
Simply put, there are 3 potential approaches to data retention: save everything, save selectively, and save nothing. Given the current technical limitations, the least risky of the 3 is to save everything.
Now, retention vs. archiving: Think of an archive as a non-alterable backup. Some archive solutions also add a search feature, but the key is that the data cannot be deleted or modified in any way. So why consider archiving instead of simple retention? Three reasons:
First, a public company is subject to SOX regulation as well as GLBA. SOX is much more stringent in its retention requirements in the sense that the data must not only be retained, but the bank must reasonably assure the integrity (non-alterability) and availability (searchability) of the data as well. This can be done in several ways, but archiving is the most common.
Second, does your institution still have TARP funds? If so, there could be retention implications in 3 areas:
• Accountability and transparency mandates
• Specific or implied record-keeping requirements
• Heightened public scrutiny
Taken in order, the accountability and transparency mandates were established via the Recovery Accountability and Transparency Board, which will coordinate and conduct oversight of recovery spending to ensure taxpayer dollars are not wasted, abused, or used fraudulently. The over-arching record requirement of this act is the broad, discretionary powers given to the inspectors general to review and examine any records related to covered funds as cited in Sec. 1515 of the act. Again, archiving is not required, but it is the best solution to assure data integrity and availability.
Third, the Federal Rules for Civil Procedures, which govern the conduct of all civil actions brought in Federal district courts (and most state courts), require the disclosure of any “electronically stored information” during the discovery process. The only exception to this is if the “electronically stored information is lost as a result of the routine, good-faith operation of an electronic information system”, or if the data were destroyed in accordance with the institution’s reasonable and customary data retention and destruction policy.
¹ The Operations Handbook mentions data retention only with regard to digital imaging systems. The Handbook was written in 2004, when electronic documents were much less ubiquitous.