Microsoft Teams, Zoom, Webex, Slack, and other collaboration platforms have become business-critical applications, supporting both internal and external communication, content sharing, and much more. This blog post highlights the industry-specific regulations for records management and archival.
Section One: Financial Regulations
FINRA Rules 3110, 3120, 4511, and 11-39 (Social Media)
The Financial Industry Regulatory Authority (FINRA) in the United States levies strict archiving and supervision rules on financial services firms, which are designed to protect markets against insider trading and misconduct.
Rules 3110 (Supervision) and 3120 (Supervisory Control System) require the creation of a supervision system for reviewing “incoming and outgoing written (including electronic) correspondence and internal communications relating to the member’s investment banking or securities business.” The archiving system needs to capture all communications in their original form, with capabilities that enable supervision. Under Rule 4511, data must be retained for eight years on indelible media, with immediate access to all communications during the first two years of the retention period. Firms are required to keep a duplicate copy of all communications at an offsite location for the full eight-year retention timeframe. Rule 11-39 imposes an obligation to preserve social media communications when the content is business communication.
This question of original form and data immutability is incredibly important when archiving Microsoft Teams: the native capabilities of MS Teams are unable to archive end-user edits to messages, a feature that is frequently used.
SEC Rules 204 and 206
The SEC imposes archiving and data protection requirements on investment advisors, hedge funds, and private equity firms. Under Rule 204(2), various records must be retained for five years and preserved using immutable storage. These records, which may include files and messages shared via Microsoft Teams as well as calls placed through it, must be arranged and indexed to support search, retrieval, and access. Rule 206(4)-(7) requires the creation of a supervisory system to protect the privacy of client records, monitor disclosures by advisors, and preserve records from unauthorized changes, among other requirements.
SEC Rule 17-a4
The Securities and Exchange Commission (SEC) in the United States imposes archiving and data protection requirements on financial services firms. Rule 17-a4 requires the orderly preservation of electronic records in a way that prevents editing or deletion. The efficacy of the media recording process must be verified, and a duplicate copy of records must be stored separately from the original content. Content must be retained for between three and six years, depending on the type of record.
This rule dates back to 1934, yet it is the primary reason why many organizations archive email, a technology that did not exist until the 1970s. We have arrived at another generational shift in the ways people communicate, and Teams is now becoming part of the discussion, much as email did so many years ago.
MiFID II
In Europe, the Markets in Financial Instruments Directive II (MiFID II) imposes elevated and harmonized requirements on record-keeping for transactions and communications in the financial services industry. All communications from brokers and financial consultants must be recorded and archived in tamper-proof storage, a requirement that explicitly includes phone and video calls.
FinVermV
Germany’s Finanzanlagenvermittlungsverordnung (FinVermV) applies to banks, liability umbrellas, some asset managers, financial investment brokers, and some financial investment advisors. Beginning in August 2020, these and other covered entities must record certain communications to clients regarding financial investments, including communications by phone. Immutable storage is required for up to 10 years, with accessibility at all times from the business premises. Transcripts of voice calls must be produced and analyzed for mandatory compliance statements, fraud detection, and categorization. FinVermV transfers the protections afforded to consumers in MiFID II into Germany’s regulatory framework.
While the SEC and FINRA reign supreme here in the United States, organizations abroad will be subject to their own requirements, which will cover any technology used to place phone calls or communicate with clients – technologies that include Microsoft Teams.
Section Two: Public Records Law
Meetings and Emails
There are many different types of content that fall within the realm of ‘public records,’ no matter what local setting or jurisdiction you may find yourself in. Microsoft Teams, in particular, is interesting for public records because it creates an environment where all of these different content types converge. While emails have always contained attachments and things like meeting minutes, actual meetings now take place via Teams and Zoom – with the ability to share additional messages and files within. This creates a “three in one” scenario where records officers have the ability to search and produce a variety of content that is responsive to a request in just one click, potentially saving hours upon hours of work – provided that they archive the content first.
Similar to the role of compliance archiving in protecting consumers from market manipulation, the preservation of all content concerning government work and the public interest – including that conducted via Microsoft Teams – is critical to maintaining the public trust and is, as such, the law of the land.
Section Three: SOX and FERC
SOX
The United States’ Sarbanes-Oxley Act introduced elevated recording and reporting standards for public company boards, their executives, and public accounting firms. Under SOX, these covered entities must retain records of financial transactions and related communications for seven years, in a manner that is protected from modification or unauthorized access, yet available on-demand for review by the SEC.
Consequently, any entity subject to SOX that is planning an enterprise-wide deployment of Microsoft Teams (thus covering financial processes) needs to demonstrate compliance with SOX’s archiving and data protection provisions.
FERC
In the energy market, the Federal Energy Regulatory Commission (FERC) imposes record retention and protection requirements for various types of documents and communications. One example is that service contracts must be retained for four years, and the minutes of several types of corporate meetings have to be retained for five years – we wonder how many of those meetings have taken place via Teams, Zoom, or WebEx in the past year, when remote work has become the de facto standard?
How do I gain control of this data sprawl?
These applications have enabled enterprises to operate efficiently and securely in the midst of a global pandemic. As the dynamics of office work may forever be changed, we need to embrace these platforms while ensuring proper governance and management of the data.
PremCloud Connect will capture and transform your chat, file sharing, and audio communication from all of these platforms into formats that can be archived into platforms such as EAS for long-term preservation and retention management. The contents of these platforms will be discoverable within EAS, giving your compliance and legal team members a single platform to perform federated search and discovery.
To learn more, contact [email protected]