Records and Records and Information Management Information Management in the Banking in the Banking Industry Industry Ensuring your Records and Data are ready Ensuring your Records and Data are ready for the post-bailout world for the post-bailout world Part 1 John C. Montaña, J.D. The PelliGroup
Records and Information Management in the Banking Industry Ensuring your Records and Data are ready for the post-bailout world. Part 1 John C. Monta ña, J.D. The PelliGroup. What is a record retention schedule?. - PowerPoint PPT Presentation
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Records and Information Records and Information Management in the Banking Management in the Banking
IndustryIndustry
Ensuring your Records and Data are ready for the Ensuring your Records and Data are ready for the post-bailout worldpost-bailout world
Part 1
John C. Montaña, J.D.The PelliGroup
What is a record retention What is a record retention schedule?schedule?
It’s a list of records or record types, followed by dome indication of how long they should be kept
There may be additional information, such as media types, locations, etc
How does it work? Why do How does it work? Why do we need one?we need one?
A retention schedule is a policy document. Personnel are supposed to use it as guidance when destroying records
In electronic records systems, a retention schedule may be used as a template
A retention schedule provides guidance to ensure the orderly disposition of records and data
Records retention is a heavily Records retention is a heavily regulated area:regulated area:
Banking Commissioner OSHA EEOC SEC DoL IRS FDIC EPA Etc., etc. State analogues of the above
Other Standards and Other Standards and AuthorityAuthority
Industry Associations ANSI (American National Standards Institute) AIIM (Association for Information and Imaging
Management) ARMA (Association of Records Managers
and Administrators)
Jurisdictional and Jurisdictional and Preemption Issues:Preemption Issues:
Potential concurrent state and federal jurisdiction Potential concurrent jurisdiction by different agencies Different regulatory regimes for different business
processes Cross-border issues of regulation
Issues with statutory and Issues with statutory and regulatory languageregulatory language
Vague or outdated statutory language Poor match between records contemplated by law
and those actually found No or few implementing regulations when the statute
calls for them Unreasonable retention requirements Verbatim state adoption of federal requirements
– What if federal requirements change?
Conflicting or inconsistent requirements
Some Basic RulesSome Basic Rules
Records retention must be Records retention must be “in the normal course of “in the normal course of
business”business”
Destruction must be done in good faith
Mens rea is important –the goal cannot be to deprive other known parties of information
Retention activities must Retention activities must conform to controlling lawconform to controlling law
e.g., destruction prior to expiration of statutory retention period is presumptively bad faith destruction
Retention Periods When There is Retention Periods When There is No LawNo Law
Factors:– Business judgment– Risk management– Cost– Administrative efficiency– Statutes of limitation inform., but do not
control the discussion
Legal HoldsLegal Holds
Disposition activities must halt upon notice of actual or impending litigation
Records responsive to litigation must be preserved That does NOT mean that all disposition activities
must cease until the litigation is concluded The hold must be effectively communicated to
stakeholders, and attorneys must exercise due diligence in follow-up
The hold should be released at the conclusion of the matter
Some Basic ToolsSome Basic Tools
Policies and ProceduresPolicies and Procedures
Employees and technology implement rules
No rules means no consistencyNo consistency means problemsProblems mean costs
Indexing and Data Indexing and Data StructuresStructures
In order to manage a record, you must be able to accurately identify it
Indexing, data structures and metadata are the key to identifying records
Many repositories are poorly indexed, or not indexed at all; metadata is poorly chosen or left to default
Keyword searching or auto-classification is only partially effective
Records Management Records Management SuccessSuccess
Written PolicyLow-level Nuts & Bolts
– Indices– Data Structures– Metadata– Training
Know the Failure Points
Common Failure PointsCommon Failure Points
Poor understanding of what the organization actually needs
No implementation strategyNo enforcement mechanismInadequate resourcesPoor employee trainingBlind reliance on technology solutionsPoor technology implementations
Problems with Technology Problems with Technology SolutionsSolutions
Buy first, vet laterPoor policy and procedural structurePoor implementation
– Lack of structured indexing– Lack of consistent file names– Poor metadata selection
When Considering a When Considering a Technology SolutionTechnology Solution
Buy software LAST!Before that:
– Develop policies and procedures– Develop indices, data structures and
metadata standards– Develop a FULL functional spec– Make sure the software can implement the
above
The Number 1 Reason for The Number 1 Reason for Failed Technology Solutions Failed Technology Solutions
is Poor Configurationis Poor Configuration No hard-coded indices or data structures Poor or no metadata capture Badly configured user interface Poorly thought-out workflow expectations (e.g., too
many buttons to click)
Usually Because Software Purchase was Step 1
The Problem with PeopleThe Problem with People
People manage electronic data very poorly– Poor file names– Poor data structures– Aversion to management– Aversion to purging– Disgruntled employees
CultureCulture
Organizational culture may foster bad records and information management– My records are “mine”– I/my department makes its own rules– We don’t tell our people what to do– We don’t carry a big stick
How to Change Things How to Change Things
What’s in it for me?– Personnel need to see a tangible benefit
Breaking bad habits– Takes time, takes nagging
Good new habits are quickly lost if not reinforced
Get a big stick– No penalties means no reason to change
ComplianceCompliance
Make compliance easyIf compliance is annoying or interferes
with work, people will actively defeat the plan
Plan on:– Intensive initial training to break old habits– Ongoing lower-level reinforcement
Where’s Your Data?Where’s Your Data?
Outside the U.S.?In the hands of third party service
providers?– Financial or HR service providers– Commercial storage facilities or data vaults– Outside counsel– The Google cloud
It’s all discoverable!
Records Management Records Management Responsibility is Non-DelegableResponsibility is Non-Delegable
You are responsible for failings of service providers– Retention– Availability– Privacy and confidentiality– Discovery
They Should be Able to:They Should be Able to:
Apply your retention periodsEnforce your privacy and confidentiality
obligationsSafeguard your records and dataGive you back your records and data,
and its metadata, back to you at the end of the relationship
You should:You should:
– Include appropriate language in contracts– Inspect policies and procedures– Inspect facilities– Audit compliance– For electronic systems (e.g., external
vaulting or backup), have your IT folks vet the provider’s technology