As any company involved in the financial marketplace was only too well aware, 1 November 2007 marked the deadline for the 12 000 firms operating in the financial services markets in the UK to demonstrate compliance with the directives of the European Commission's Financial Services Action Plan.
The preceding months had witnessed frantic activity as companies strove to ensure the Markets in Financial Instruments Directive (MiFID) guidelines were met and, as the deadline passed, the general feeling was one of confidence that the new measures adopted were in place.
Early in 2008, just how well those measures will stand up to scrutiny will be put to the test, as the FSA sets about a comprehensive review of how the industry is complying with the directives. It will also give those involved the opportunity to take stock of whether the overall effect on their business has been a positive or negative one.
The underlying principles of the directive were intended to create a single European market for investment services: to update how investment banks do business by improving record keeping and encouraging 'best execution' for trades among other things. One of the most challenging concerns for many banks, from a technology standpoint, was compliance with Article 51, which required organisations to keep details of trades for five years.
The e-mail mountain
Since e-mail is the de facto business communications medium today (Gartner estimates that 97% of business-based communications is via e-mail), this equated to a serious rethink of the management of e-mail across the business.
Since e-mails have become the electronic substitute for legal business documentation, e-mail records were required to be retained for five years.
Unless approached intelligently, this process could result in increased storage infrastructure and high costs, particularly when we consider that the Radicati Group estimates that a typical corporate e-mail account receives about 18MB of data per day and that this number is expected to grow to over 28MB by 2011 as both the volume and size of e-mails explode.
For those companies operating on a pan-European basis, the risks were potentially even higher, unless they could find a way to create a central repository for all e-mail communications that offered efficiency and cost gains over the typical fragmented e-mail management strategy that existed in most organisations.
For many companies it represented the opportunity to overhaul the way the company approached e-mail management and retention and put in place a system to provide the organisation with better governance of e-mail communications.
Three cornerstones of compliance
Underpinning the need for reform of the guidelines was the need to ensure the following:
* Data permanence - data must be kept in its original state and not changed or deleted;
* Data security - records should be kept secure against theft or misappropriation; and
* Auditability - information must be easily accessible by authorised personnel only.
To meet these challenges, a stringent e-mail archival policy was needed to ensure e-mail records could be indexed and stored in a cost-effective manner, in a read-only format.
According to Radicati, however, in 2007 only 14% of corporate e-mails were archived and Osterman Research states that 46% of companies were still predominantly using tape backups to 'archive' their e-mails.
However, back-up systems were traditionally intended for storing live data in the event of system failure or disaster, never as a longer-term archival solution. The cost of finding electronic records over the course of a five-year period using a back-up solution alone - frequently a time-consuming, manually intensive process - was not a viable one.
Maintaining tamper-proof, auditable records
Moving beyond the challenge of anticipating e-mail capacity requirements over a five-year period, other issues relating to security and accessibility also come into play.
The need to ensure e-mails are both secure and tamper-proof can itself prove challenging. For this to be possible, the solution chosen would need to provide full forensic trails of all policy changes, and all searches would need to be recorded.
It also dictates that strict checks and balances are in place to regulate viewing of different types of content. Another complicating aspect is that an e-mail record concerns not only the content of the document but also the delivery or acknowledgement of receipt, the 'cc' or 'bcc' recipients, and the ability to monitor the time and date of delivery.
Other potential loopholes exist, such as the fact that traditional e-mail archives capture e-mail post-receipt, after delivery has been made to the e-mail server. But what if the e-mail server were to fail before that archive snapshot was taken?
The ability to prove that an e-mail communication is delivered also requires that not only the e-mail contents but also the record of delivery be stored and accessible over a five-year period.
To complicate the picture even more, what if the e-mail gets quarantined and never reaches the intended recipient? These issues and more are even more difficult to resolve when a company is running a set of fragmented e-mail systems and services where the gateway, archival, policy and security/spam gateway are separate entities.
Litigation support
And yet, deploying a cohesive unified e-mail management system can have benefits that stretch beyond that of pure compliance. Other benefits include litigation support, storage management and knowledge management.
In these other areas, where clear directives about the number of years that records need to be maintained are often absent, it can be hard to decide on the length of the record retention period.
Most companies at some time in their history are exposed to or implicated in lawsuits and may be called on to produce documentary evidence in the course of the legal discovery process. High-profile cases in the US have resulted in hefty fines for major corporations like Deutsche Bank Securities, Goldman Sachs & Co, Morgan Stanley and Salomon Smith Barney, which were each fined $1.65 million for failing to produce e-mails requested in the course of an investigation.
Choosing between an on-premise and an online e-mail management solution
For many companies handling e-mail storage, archival, security and continuity in a fragmented, multi-solution manner, the task of maintaining hardware and software and upgrading these solutions across the enterprise, while attempting to predict and budget for future e-mail storage capacity, is a difficult exercise.
The typical challenges of scalability and the complexity of the resultant systems can be expensive and resource-intensive to manage. Data volumes are frequently growing too fast to store and secure within budget, time and technology constraints.
When compliance deadlines are pressing, the speed and predictability of an online Web-based solution, such as that offered by Mimecast, becomes more apparent. Management consultancy McKinsey predicts that software-as-a-service (SaaS) deployments are growing at a rate three times greater than traditional software packages, and that in the next three to four years storage and storage management, alongside security, will become two key growth areas for SaaS.
"As the FSA embarks on its new year review of how well the industry has adapted its business to comply with the MiFID directives, it will be interesting to see whether the measures put in place will stand up to scrutiny and what actions, if any, the governing body will take for those that fail to make the grade," commented Garth Wittles, Managing Director of Mimecast SA.
"Nonetheless, one thing is clear; e-mail will continue to dominate the business communications landscape for some time to come, and determining the optimum way to maintain, manage and secure this vital information will be key to the future business success of any organisation."
For further information, please contact Mimecast RSA: tel 0861 114 063, fax 011 258-5339, e-mail info@mimecast.co.za.

