Meeting the Compliance Requirements for Financial Services

The financial services industry has undergone significant changes in the past five years with respect to customer service and regulatory compliance. Financial institutions are faced with an increasing number of federal and state regulations that require a formalized process for managing and auditing all information considered core to their business operations. This management is often looked at as necessary in order to comply with the regulations and prevent legal or financial penalties.

Meeting compliance regulations has become a top priority for business executives in every industry. In the past, cost reductions and process improvements were the primary focus for industry executives. The new century has been ushered in with an onslaught of regulations aimed at dictating the way that organizations manage and report information critical to the operation of the business.

Compliance for Financial Services

The compliance requirements facing financial services organizations can be classified in three areas: financial, privacy and healthcare. The financial regulations are focused on better management and reporting of financial information, the privacy of their client's data and the disclosure of suspicious transactions. Specific financial services industry regulations were passed to "encourage" organizations to implement practices that ensure information is controlled and protected. Financial services organizations—including banks, credit unions, insurance companies and investment firms—must also be able to report on the financial state of the client funds they are managing. Recent legislation, such as the Patriot Act and Anti-Money Laundering, has mandated financial institutions to report any suspicious activities that may occur in a client account.

Privacy legislation has been enacted to protect the personal information of an individual that interacts with an organization. Financial institutions must be able to balance the requirements for privacy with the disclosure requirements mandated to protect against terrorism.

The healthcare regulations that affect a financial services organization pertain to the healthcare information of their employees (or their customers, when the organization is involved in providing healthcare insurance as part of their business services). New regulations have defined stringent requirements for managing and maintaining the privacy of an individual's medical information. These regulations govern both the insurance companies as well as the healthcare givers, including hospitals and physicians.

Most compliance regulations have very similar requirements associated with the management and control of content, and with an underlying theme that content is a primary means of communicating the workings and value of the company. What has in the past been an informal process must now become formalized to ensure that companies remain viable and insure a path to grow.

Specific compliance regulations facing the financial services industry include:

• Basel II—A European Union regulation that governs the capital risk for banks. The regulation establishes a new set of standards for minimum capital requirements for banking organizations. The regulation is defined by three "pillars" that establish minimum capital requirements, set review requirements of risk and define reporting for public disclosure.

• USA PATRIOT Act of 2001— The passage of this act is in response to the September 11th attack on the United States. This act is designed to combat corruption of US financial institutions for foreign money laundering purposes. The act creates new crimes, new penalties and new procedural efficiencies for use against domestic and international terrorists.

• Sarbanes-Oxley Act of 2002—This regulation is the SEC's response to the corporate scandals of the past few years. The act addresses the certification of a corporation's financial statements, the implementation and monitoring of financial controls and the retention of corporate records pertaining to the financial operation of the company.

• Gramm-Leach-Bliley—This act defines the privacy requirements for financial institutions. Companies are required to give consumers privacy notices that explain the institutions' information-sharing practices. Consumers have the right to opt out of—or say no to—having their information shared with certain third parties. This act prohibits financial institutions from disclosing their customers' account numbers to non-affiliated companies when it comes to telemarketing, direct mail marketing or other marketing through e-mail.

• SEC 17 a-4—This regulation defines the records retention period for all customer and financial information and the type of medium (non-rewritable and non-erasable) that can be used to manage the retained records. Another aspect of the regulation describes the need to be able to automatically verify the quality and accuracy of the recording process.

• HIPAA— This is a healthcare regulation that specifies the rules for the protection of health-related information for health plans, clearinghouses and health care providers. These rules include the permitted disclosure of information and the type of information that can be shared among healthcare providers and healthcare payers, i.e. insurance companies.

Turning Compliance into a Strategic Advantage

Content assets are the foundation upon which financial institutions build new business opportunities and competitive advantage. Leveraging the business value of content while simultaneously protecting that content with an applied records management strategy is not a new concept; however, the conventional means of addressing these tandem needs is changing.

In the past, many organizations chose to manage each stage of the content lifecycle independently, with disparate processes, systems, repositories and technologies. Today, with directives to increase efficiencies while simultaneously improving accountability, an integrated system for the management of the entire content lifecycle is crucial.

Financial institutions are today being driven by an increasing number of regulations that require a formalized process for managing content or information that is core to their business operations. The compliance regulations have created unique situations within organizations that require them to implement new business practices and technologies for which they may not have previously budgeted or planned. Organizations should be viewing this not as a requirement, but as an opportunity to improve the business processes by implementing core content management capabilities that will provide efficiencies in the business processes while enabling their organization to meet the new regulations.

What is a Content Compliance Architecture?

A content compliance architecture provides the essential functionality to manage content throughout its lifecycle, from inception to destruction. While in the past, it was only required that an organization manage content that was approved and flagged as a corporate asset or critical to the operation of the company, many of the new compliance regulations require that the company manage and retain content from its initial inception, including all draft iterations, through to final approval. These new requirements have forced organizations to implement electronic records management capabilities that are tied into each stage of the content lifecycle. There are four steps to managing content and meeting compliance requirements:

• Create/Capture—Information is generated in an organization in two ways: captured or created by internal authors. Captured documents can be in both electronic and physical form, and may include faxs, letters and correspondence, forms, evidence, e-mail and the like;

• Manage/Review—Not all content arrives finalized; indeed, much of it originates within the organization itself from myriad document creation applications. Workflow tools are often employed to progress content through a review and approval cycle that culminates in a final version, ready for publication and an applied retention schedule;

• Distribute/ Publish—While some workers create and contribute content, many more have compelling needs to access the knowledge inside documents and records. Traditional printing and distribution processes are giving way to automated access methods, including publishing to intranets, portals, and public Web sites; and

• Store/Preserve—Past strategies had file plan classification and retention periods applied to records when they were declared as final, but increasingly retention schedules are associated from the moment of the future record's inception—as soon as the file is first saved—or as soon as the file is first received by the organization. Such forethought minimizes inappropriate record retention, or lack thereof, and can speed responses to discovery orders and other investigative inquiries. An integral function of preservation that should not be overlooked is storage management, the ability to store content in the most appropriate medium to meet the retention requirements.

Where Do You Start?

Building a compliance architecture is not as simple as implementing a set of technologies that instantaneously allow a company to meet all of their compliance requirements. Creating the necessary compliance capabilities to meet a company's objectives requires a combination of people, process and technology. The quickest way to failure is to try and implement new technologies into an existing business process. This typically results in inefficiencies that cause users delays in accomplishing their jobs. Compliance should be viewed as a series of business processes and user responsibilities that when followed will enable the organization to meet their responsibilities. Once the processes and roles have been defined or optimized, technology can be applied to enable the efficient execution of the processes and provide the accountability, management and security of the content associated with the operations. It is often not necessary to implement all the desired technology all at once. A phase-in plan usually leads to a successful implementation, allowing for better acceptance by the users. Building a compliance architecture should be done in steps, adding pieces to the puzzle as the organization acceptance is gained. The best place to start is with the management of the final, approved content. This content will need to be managed and retained for a period specified by the compliance regulation. This initial phase can be accomplished by implementing document management, records management and storage management. Once this phase has been implemented successfully, the organization can add additional content management components that will enable better interaction and management of the content during the initial creation, review and approval processes.

---

Alan Weintraub, a senior director focusing on business solutions, is the former research director of integrated document management and digital asset management for Gartner. He has more than 20 years of experience in the information systems profession. As a consultant, Weintraub designed and implemented document management and imaging systems for Fortune 100 companies.

Therese Harris is responsible for Solutions Marketing at Hummingbird Ltd. Harris has 10+ years experience in the software industry focused on communication, content, and collaboration technologies and has had diverse experiences including international sales, research and strategy, and alliance relations.

Hummingbird Ltd. is a leading global provider of enterprise software solutions, employing over 1,450 people in 40 offices worldwide. Hummingbird Enterprise™ 2004 is a state-of-the-art integrated enterprise content management platform that enables organizations to securely access and manage business information such as documents, records, e-mail or financial data. Please visit: Hummingbird.