Records and Information Management in the Banking Industry Ensuring your Records and Data are ready for the post-bailout world Part 1 John C. Montaña, J.D. The PelliGroup
What is a record retention schedule? What is a record retention schedule? It’s a list of records or record types, followed by dome indication of how long they should be kept There may be additional information, such as media types, locations, etc
How does it work? Why do we need one? How does it work? Why do we need one? A retention schedule is a policy document. Personnel are supposed to use it as guidance when destroying records In electronic records systems, a retention schedule may be used as a template A retention schedule provides guidance to ensure the orderly disposition of records and data
Records retention is a heavily regulated area: Banking Commissioner OSHA EEOC SEC DoL IRS FDIC EPA Etc., etc. State analogues of the above
Other Standards and Authority Industry Associations ANSI (American National Standards Institute) AIIM (Association for Information and Imaging Management) ARMA (Association of Records Managers and Administrators)
Jurisdictional and Preemption Issues: Potential concurrent state and federal jurisdiction Potential concurrent jurisdiction by different agencies Different regulatory regimes for different business processes Cross-border issues of regulation
Issues with statutory and regulatory language Vague or outdated statutory language Poor match between records contemplated by law and those actually found No or few implementing regulations when the statute calls for them Unreasonable retention requirements Verbatim state adoption of federal requirements – What if federal requirements change? Conflicting or inconsistent requirements
Some Basic Rules
Records retention must be “in the normal course of business” Destruction must be done in good faith Mens rea is important –the goal cannot be to deprive other known parties of information
Retention activities must conform to controlling law e.g., destruction prior to expiration of statutory retention period is presumptively bad faith destruction
Retention Periods When There is No Law Factors: – Business judgment – Risk management – Cost – Administrative efficiency – Statutes of limitation inform., but do not control the discussion
Legal Holds Disposition activities must halt upon notice of actual or impending litigation Records responsive to litigation must be preserved That does NOT mean that all disposition activities must cease until the litigation is concluded The hold must be effectively communicated to stakeholders, and attorneys must exercise due diligence in follow-up The hold should be released at the conclusion of the matter
Some Basic Tools
Policies and Procedures Employees and technology implement rules No rules means no consistency No consistency means problems Problems mean costs
Indexing and Data Structures Indexing and Data Structures In order to manage a record, you must be able to accurately identify it Indexing, data structures and metadata are the key to identifying records Many repositories are poorly indexed, or not indexed at all; metadata is poorly chosen or left to default Keyword searching or auto-classification is only partially effective
Records Management Success Written Policy Low-level Nuts & Bolts – Indices – Data Structures – Metadata – Training Know the Failure Points
Common Failure Points Poor understanding of what the organization actually needs No implementation strategy No enforcement mechanism Inadequate resources Poor employee training Blind reliance on technology solutions Poor technology implementations
Problems with Technology Solutions Buy first, vet later Poor policy and procedural structure Poor implementation – Lack of structured indexing – Lack of consistent file names – Poor metadata selection
When Considering a Technology Solution Buy software LAST! Before that: – Develop policies and procedures – Develop indices, data structures and metadata standards – Develop a FULL functional spec – Make sure the software can implement the above
The Number 1 Reason for Failed Technology Solutions is Poor Configuration No hard-coded indices or data structures Poor or no metadata capture Badly configured user interface Poorly thought-out workflow expectations (e.g., too many buttons to click) Usually Because Software Purchase was Step 1
The Problem with People People manage electronic data very poorly – Poor file names – Poor data structures – Aversion to management – Aversion to purging – Disgruntled employees
Culture Organizational culture may foster bad records and information management – My records are “mine” – I/my department makes its own rules – We don’t tell our people what to do – We don’t carry a big stick
How to Change Things What’s in it for me? – Personnel need to see a tangible benefit Breaking bad habits – Takes time, takes nagging Good new habits are quickly lost if not reinforced Get a big stick – No penalties means no reason to change
Compliance Make compliance easy If compliance is annoying or interferes with work, people will actively defeat the plan Plan on: – Intensive initial training to break old habits – Ongoing lower-level reinforcement
Where’s Your Data? Outside the U.S.? In the hands of third party service providers? – Financial or HR service providers – Commercial storage facilities or data vaults – Outside counsel – The Google cloud It’s all discoverable!
Records Management Responsibility is Non-Delegable You are responsible for failings of service providers – Retention – Availability – Privacy and confidentiality – Discovery
They Should be Able to: Apply your retention periods Enforce your privacy and confidentiality obligations Safeguard your records and data Give you back your records and data, and its metadata, back to you at the end of the relationship
You should: – Include appropriate language in contracts – Inspect policies and procedures – Inspect facilities – Audit compliance – For electronic systems (e.g., external vaulting or backup), have your IT folks vet the provider’s technology
Questions ?