Navigating the retention nightmare: Meeting competing obligations for data retention

This article was written by David Rabinowitz, Product manager, Compliance Solutions at Bloomberg.

As new data privacy laws, cybersecurity expectations, and unforeseen risks increasingly intersect (and potentially conflict) with long-standing financial services regulations, compliance professionals must navigate a nightmarish array of communications retention and surveillance obligations.

As regulators pay stricter attention to cybersecurity and data privacy risks, financial firms must understand and apply an expanding body of industry-specific and broader laws and guidance in the jurisdictions in which they operate.

Any financial services compliance program designed to capture and store business communications, with reasonably designed policies and procedures to oversee the content of those records, must address the accumulation of data privacy and cybersecurity obligations.  The challenge is significant, but not insurmountable; compliance leaders can seek help from solutions providers with proven expertise in delivering purpose-built products that cater specifically to the compliance needs of financial firms.


Retain, review, and supervise

Long-standing regulatory obligations require financial firms to retain and review ever-larger volumes of records—including unstructured records—that often contain personal information about employees and customers.

US Exchange Act Section 17(a) and SEC Rules 17a-3 and 17a-4, and FINRA Rules, including FINRA Rule 4511, outline broker-dealers’ obligation to retain, index and provide access to records related to their business, including certain communications. US Investment Advisers Act Rule 204-2 outlines similar requirements for buy-side firms that are registered with the SEC as investment advisers. These provisions impose specific retention requirements over specified time periods and are qualified by guidance from the SEC and FINRA on privacy and cybersecurity. Recent high-profile incidents and changes in data privacy and cybersecurity laws and expectations are driving increased attention to this area, including from financial regulators.

Regulators are also elevating expectations for firms to identify and mitigate misconduct through supervision, such as misleading communications with customers and market manipulation. For instance, FINRA Rule 3110.06 requires a “Risk-based Review of Correspondence and Internal Communication,” and recent guidance emphasizes the importance of monitoring new communications channels (a shift accelerated by COVID-19 remote work). Both FINRA and the SEC have brought a number of enforcement actions against regulated entities for failure to comply with recordkeeping requirements or with cybersecurity and privacy requirements.

Attuned to the evolving data privacy and cybersecurity operating environment, financial regulators such as the SEC and FINRA are also increasingly focused on how firms supervise their suppliers of retention and oversight technology solutions. To facilitate compliance with the requirements, satisfy examiners in the face of heightened scrutiny, and mitigate the risk of enforcement action and the penalties associated with such actions, firms should strongly consider enlisting a vendor partner that understands the industry-specific impact of regulations and has the expertise, tools and technology to help firms meet the challenge.

Global data protection obligations are rapidly evolving

An array of existing and forthcoming global data privacy obligations creates a compliance challenge for global firms with clients, employees, offices, and data in multiple jurisdictions. The need to accommodate new rights afforded to individuals raises new and costly operational challenges and, in parallel, the potential for substantial penalties reinforces the need to find technology solutions to ensure compliance.

In effect since 2018, the European Union’s General Data Protection Regulation (GDPR) led the charge towards enhanced standards for personal data protection and processing, incident notification expectations, and perhaps most notably, fines as high as €20 million or 4% of an entity’s annual turnover during the preceding year, whichever is greater, for infringements.  The GDPR provides specific rights for individuals, including the right to know what of their personal data is being held by a data controller, have access to that data, and a right to erasure.

In the United States, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020 and enhanced data protection standards in California, expanding the definition of personal information and providing GDPR-like rights to consumers.  Virginia is the second US state to offer similar rights to consumers by passing the Virginia Consumer Data Protection Act (VCDPA), which goes into effect on January 1, 2023, with other states planning to follow suit. Additionally, New York passed the SHIELD Act strengthening data security protections and the New York Department of Financial Services raised the bar for financial services companies regulated by New York State, imposing specific requirements around cybersecurity compliance.

Brazil’s new data privacy law took effect in the fall of 2020, including new expectations for data controllers and processors, as well as protections for individuals similar to those under the GDPR and CCPA with potential fines as high as R$50 million (approx. $9.4 million USD). Similarly, Hong Kong is considering changes to its data protection regime in areas like mandatory data breach notification, regulation of data processors, and a data retention policy requirement.

What’s lurking in your data?

Running a financial services firm involves sensitive data, which is regularly shared among employees and customers in the normal course of business. The contours of what constitutes sensitive data vary by global jurisdiction and regulator but usually include government identification numbers, user names and passwords, financial account numbers, other information related to the financial service relationship, and can even include employee performance review information.

Firms generally implement policies, procedures and training to help manage how sensitive data is used and transmitted, but unstructured electronic communications data still poses an elevated risk of playing host to uncatalogued sensitive data.

Onboarding employees requires sensitive information. Onboarding customers and complying with know-your-customer obligations also requires the transfer of sensitive information like copies of passports and other identification documents, and these records often end up in employee electronic communications, stored for years because of competing financial regulatory retention obligations. There is nothing nefarious about either of these business needs, but the electronic record audit trail will likely contain inherent risks.

Over the last several years, high-profile entities succumbing to cybersecurity breaches, combined with heightened regulatory expectations, have brought the unstructured data puzzle into focus. Firms are paying more attention to cybersecurity and data privacy when searching for compliance solutions to meet their regulatory and internal obligations and when setting document retention policies.

Your vendor should be a trusted partner to help reach the right balance

  • Understand the obligations in the jurisdictions where you operate. Any vendor assessment must start by understanding the scope of business operations and the applicable obligations. This assessment will form the basis of any vendor selection or ongoing vendor diligence review process.
  • Tailor your retention strategy to meet financial regulatory requirements without over-retaining. Firms should instruct their vendors to retain the information required to meet regulatory requirements in the jurisdictions where they operate, to identify risks, and to fulfill their supervisory obligations, but not to retain data beyond what is necessary.
  • Understand the counterparty strength of your vendor partners. Understand the level of maturity of your vendor providers, how your vendors store data (e.g., cloud storage), and your vendor’s cybersecurity and risk management infrastructure.
  • Seek vendors who are partners. Firms should work with vendors who understand their business and offer top-tier support aligned with the demanding nature of the financial services industry. Self-service general applicability solutions may not offer the level of support required to meet regulatory demands and respond to regulatory examination and inquiry requests down the road.
  • Seek vendors who know the industry. Firms should work with vendors who have taken the time to learn their business and design solutions to meet the unique industry requirements.
  • Seek vendors who understand compliance culture. RegTech continues to attract investment and innovation with many new entrants to the market in the recent past. Firms should understand the culture at their vendor partners and make sure it is aligned with their own tone and compliance culture.

How we can help

Bloomberg’s Vault offering is built by financial services professionals, for financial services customers, considering their unique business and regulatory needs across the product suite. As part of the Bloomberg Vault premium offering, financial services clients have access to an immutable and extendable archival solution across business-critical data types (communications, trade, voice).

Please request a demo if you would like to discuss the issues outlined in detail and to see how Bloomberg Vault can help.
