Compliance Regulations Overview

Resources

For information on creating and implementing a fully-compliant email policy, check out our white papers and datasheets.

	Product Information
	White Papers
	Contact for a Demo
	MessageSolution Compliance Articles

Regulatory Compliance Management with MessageSolution Platform

Key Industry Rulings and Federal Regulations Impacting Email and Instant Message:



	FRCP
	NASD 3010
	SEC 17a-4
	DoD 5015.2-STD
	HIPAA
	21 CFR Part 11
	Sarbanes Oxley
	NASD Notice 03-33 (July 2003)
	NYSE Info. Memo 03-07 (March 2003)

Expert Opinion

"MessageSolution Enterprise Email Archive and MessageSolution Enterprise File Archive have been designed from the ground up to be highly scalable solutions with a broad feature set aimed at a diverse set of requirements."

- Michael Osterman of Osterman Research

Compliance - Regulatory Overviews

Businesses today must be up-to-date and compliant with a wide range of state, federal, and international regulations. To help organizations better understand what is required, we have provided a list of the key regulations businesses should be concerned with, and a summary of what they entail:

■ FRCP
■ GDPR
■ HIPAA
■ SEC 17a (3,4)
■ NASD 2210
■ NASD 2711
■ NASD 3010
■ NASD 3110
■ Sarbanes-Oxley
■ Investment Advisors Act
■ IDA (The Investment Dealers Association of Canada)

Below we listed samples of international compliance and regulation-driven retention practices, some are not mandated by law but are used to develop Best Practices for email and electronic record retention to compliant with certain specific regulations.

Global

PCI DSS (Payment Card Industry Data Security Standard).

ISO 19779/27001 (International Standards Organization).

IT Security standard, ITIL (IT Infrastructure Library).

Framework for service delivery, CoBIT (Control Objectives for Information and Related Technology).

IT security standard, risk management in financial services, COSO (Committee of Sponsoring Organizations).

MessageSolution Data Redaction

North America

US: HIPAA (Health Insurance Portability and Accountability Act); SOX (Sarbanes-Oxley); GLBA (Graham Leach Bliley Act); FRCP (Federal Rules for Civil Procedure).

Canada: PIPEDA; Rule 30.02 Ontario Rules; Bill 198 Multilateral Instrument.

Europe

GDPR: The newly enacted law and the revised version of regulation on Personal Identifiable Information (PII) and Payment Card Industry Data Security Standard (PCI DSS), which will be officially effective in May 2018.

Euro-SOX: MiFID (Markets in Financial Instruments Directive); European Union Data Protection Directive 95/46; European Union Directive 2006/24/EC.

UK: Data Protection Act 1998; CPR (Civil Procedure Rules).

Germany: German Federal Data Protection Act; German Telecomms Data. Retention Act; Criminal Procedures Act.

Switzerland: Swiss Federal Data Protection (DPA); Basel II audit procedures; (SCO) Swiss Code of Obligations.

Asia-Pacific

Australia: Privacy Act; APRA (Australian Prudential Regulation Authority); CLERP 9.

China: Anti-Corruption Compliance.

Japan: J-SOX; JPIPA (Japanese Personal Information Protection Act).

India: Right to Information Act; Companies Act with more comprehensive audit procedures.

Singapore: Companies Act.

Latin America

Brazil: Azaredo Law; Bill #6891/02.

Mexico: Federal Freedom of Information Act; Ley Federal de Transparencia y Acceso a la Informacion Publica Gubernamental; Ley del Mercado de Valores.

FRCP
The Federal Rules of Civil Procedure (FRCP) are a set of guidelines set by the U.S. Supreme Court regulating court procedure for civil suits. FRCP often refers to revisions made in December of 2006 regarding electronic discovery, which became effective December 1, 2007. Electronic documents such as email, instant messages, or calendar files, and traditional documents stored electronically must be available for timely search and retrieval in the event of litigation proceedings. Discovery must be maintained in its original format. Accidental deletion, misplacement, or any inability to locate data before deadlines will result in court fines.

GDPR
The General Data Protection Regulation (GDPR) 2018, a revision of the General Data Protection act of 1995, was created to protect the personal data for all EU citizens & to create a more effective approach to the way private data is handled. GDPR targets personally identifiable information ensuring that Personally Identifiable information (PII) is protected and is available subject to records management and reporting. Changes involved in the GDPR include the right to a copy of personal data, the right to erase personal data, and the right to have data transmitted in a readable format.

HIPAA
The Health Insurance Portability and Accountability Act was implemented by the United States Congress in 1996 to regulate health care providers' management of protected health information (PHI), which includes medical records and payment histories. These regulations cover a broad range of administrative, technical and physical security measures. Regulated entities must maintain strict control over employees' computer access to electronic PHI (EPHI) and ensure that historical EPHI is stored in a format with which no employee can tamper. IT should maintain written records of all configuration settings and changes. Audits should be performed routinely, along with documented risk analysis and risk management programs.

SEC 17a(3,4)
A broker or dealer must preserve documents and records for three to six years, the first two years of which, they must be in an accessible place. All documents and records must be time-stamped, stored in a non-rewriteable/non-erasable format, organized and indexed, with a duplicate copy stored separately from the original. The indexes should be also duplicated and stored separately from the original, and they should be available for examination and preserved as long as the documents and records.

NASD 2210
All sales literature and correspondence made available to customers or the public (including email) must be a maintained for three years from the date of each use including the name of the person who prepared the literature and/or approved their use. Any communications (including email) that deal with the performance of past recommendations or actual transactions and completed worksheets should be stored at a place easily accessible to the sales office for the accounts or customers involved.

NASD 2711
All research reports, including any written or electronic communication that includes an analysis of equity securities of individual companies or industries, and that provides information reasonably sufficient upon which to base an investment decision, must be retained for three years following its publication.

NASD 3010
A system should be established and maintained to supervise activities of all registered representatives, including the use of e-mail and websites. Written procedures must be developed for the review of any written and electronic correspondence with the public relating to investment banking or securities business. If an electronic or manual pre-use review is not done, then appropriate supervisory procedures should be developed, as well as monitoring and testing the procedures, educating employees on the procedures and documenting the education of the employees. All correspondence relating to investment banking or securities business should be retained along with the names of the persons who prepared and reviewed the correspondence, and the retained records should be readily available to NASD. An annual review of a broker/dealer's business activities, supervisory system, customer accounts and office inspections is required.

NASD 3110
All books, accounts, records, memoranda and correspondence should be retained in the same format as stated in SEC Rule 17a-4 (i.e. non-rewriteable, non-erasable, and time-stamped). All e-mails and Internet communications which relate to the broker/dealer's business must be retained for at least three years, the first two years in an easily accessible place.

Sarbanes-Oxley Act
Requires public companies save all business records, including electronic records and messages, for not less than five years. In addition, public companies and registered public accounting firms must maintain audit work papers, documents that form the basis of an audit or review, and all information supporting conclusions for seven years. Given that, clearly email communications related to audit work papers and financial controls should be retained for at least seven years.

Investment Advisors Act
Investment advisers shall make and keep records in accordance with the Securities Exchange Act of 1934 as well as allow the Commission to examine such records as the Commission deems necessary or appropriate in the public interest or for the protection of investors. Investment advisers are also required to maintain and preserve books and records in an easily accessible location for at least five years from the end of the fiscal year during which the last entry was made, the first two years in an appropriate office of the investment advisers.

IDA 29.7(The Investment Dealers Association of Canada)
All client correspondence and related documents, including emails, must be retained for five years from the date of creation. In addition, all sales literature and related documents must be retained for two years from the date of creation. Archived sales literature and correspondence must be readily available for inspection by the Association at all times.

to top