Records and Information Management in the Banking Industry: Ensuring your Records and Data are ready for the post-bailout world. Part 1. John C. Montaña, J.D., The PelliGroup

Jan 21, 2016

Transcript
Page 1: Part 1 John C. Montaña, J.D. The PelliGroup

Records and Information Management in the Banking Industry

Ensuring your Records and Data are ready for the post-bailout world

Part 1

John C. Montaña, J.D.
The PelliGroup

Page 2

What is a record retention schedule?

It’s a list of records or record types, followed by some indication of how long they should be kept

There may be additional information, such as media types, locations, etc.

Page 3

How does it work? Why do we need one?

A retention schedule is a policy document. Personnel are supposed to use it as guidance when destroying records

In electronic records systems, a retention schedule may be used as a template

A retention schedule provides guidance to ensure the orderly disposition of records and data

Page 4

Records retention is a heavily regulated area:

Banking Commissioner

OSHA

EEOC

SEC

DoL

IRS

FDIC

EPA

Etc., etc.

State analogues of the above

Page 5

Other Standards and Authority

Industry Associations

ANSI (American National Standards Institute)

AIIM (Association for Information and Imaging Management)

ARMA (Association of Records Managers and Administrators)

Page 6

Jurisdictional and Preemption Issues:

Potential concurrent state and federal jurisdiction

Potential concurrent jurisdiction by different agencies

Different regulatory regimes for different business processes

Cross-border issues of regulation

Page 7

Issues with statutory and regulatory language

Vague or outdated statutory language

Poor match between records contemplated by law and those actually found

No or few implementing regulations when the statute calls for them

Unreasonable retention requirements

Verbatim state adoption of federal requirements
– What if federal requirements change?

Conflicting or inconsistent requirements

Page 8

Some Basic Rules

Page 9

Records retention must be “in the normal course of business”

Destruction must be done in good faith

Mens rea is important – the goal cannot be to deprive other known parties of information

Page 10

Retention activities must conform to controlling law

e.g., destruction prior to expiration of statutory retention period is presumptively bad faith destruction

Page 11

Retention Periods When There is No Law

Factors:
– Business judgment
– Risk management
– Cost
– Administrative efficiency
– Statutes of limitation inform, but do not control the discussion

Page 12

Legal Holds

Disposition activities must halt upon notice of actual or impending litigation

Records responsive to litigation must be preserved

That does NOT mean that all disposition activities must cease until the litigation is concluded

The hold must be effectively communicated to stakeholders, and attorneys must exercise due diligence in follow-up

The hold should be released at the conclusion of the matter

Page 13

Some Basic Tools

Page 14

Policies and Procedures

Employees and technology implement rules

No rules means no consistency

No consistency means problems

Problems mean costs

Page 15

Indexing and Data Structures

In order to manage a record, you must be able to accurately identify it

Indexing, data structures and metadata are the key to identifying records

Many repositories are poorly indexed, or not indexed at all; metadata is poorly chosen or left to default

Keyword searching or auto-classification is only partially effective

Page 16

Records Management Success

Written Policy

Low-level Nuts & Bolts
– Indices
– Data Structures
– Metadata
– Training

Know the Failure Points

Page 17

Common Failure Points

Poor understanding of what the organization actually needs

No implementation strategy

No enforcement mechanism

Inadequate resources

Poor employee training

Blind reliance on technology solutions

Poor technology implementations

Page 18

Problems with Technology Solutions

Buy first, vet later

Poor policy and procedural structure

Poor implementation
– Lack of structured indexing
– Lack of consistent file names
– Poor metadata selection

Page 19

When Considering a Technology Solution

Buy software LAST!

Before that:
– Develop policies and procedures
– Develop indices, data structures and metadata standards
– Develop a FULL functional spec
– Make sure the software can implement the above

Page 20

The Number 1 Reason for Failed Technology Solutions is Poor Configuration

No hard-coded indices or data structures

Poor or no metadata capture

Badly configured user interface

Poorly thought-out workflow expectations (e.g., too many buttons to click)

Usually Because Software Purchase was Step 1

Page 21

The Problem with People

People manage electronic data very poorly
– Poor file names
– Poor data structures
– Aversion to management
– Aversion to purging
– Disgruntled employees

Page 22

Culture

Organizational culture may foster bad records and information management
– My records are “mine”
– I/my department makes its own rules
– We don’t tell our people what to do
– We don’t carry a big stick

Page 23

How to Change Things

What’s in it for me?
– Personnel need to see a tangible benefit

Breaking bad habits
– Takes time, takes nagging

Good new habits are quickly lost if not reinforced

Get a big stick
– No penalties means no reason to change

Page 24

Compliance

Make compliance easy

If compliance is annoying or interferes with work, people will actively defeat the plan

Plan on:
– Intensive initial training to break old habits
– Ongoing lower-level reinforcement

Page 25

Where’s Your Data?

Outside the U.S.?

In the hands of third party service providers?
– Financial or HR service providers
– Commercial storage facilities or data vaults
– Outside counsel
– The Google cloud

It’s all discoverable!

Page 26

Records Management Responsibility is Non-Delegable

You are responsible for failings of service providers
– Retention
– Availability
– Privacy and confidentiality
– Discovery

Page 27

They Should be Able to:

Apply your retention periods

Enforce your privacy and confidentiality obligations

Safeguard your records and data

Give your records and data, and their metadata, back to you at the end of the relationship

Page 28

You should:

– Include appropriate language in contracts
– Inspect policies and procedures
– Inspect facilities
– Audit compliance
– For electronic systems (e.g., external vaulting or backup), have your IT folks vet the provider’s technology

Page 29

Questions

?