Email Archiving in Regulated Industries: Financial Sector
This blog has often featured articles about local and international regulations that have an impact on how companies and organizations handle their email traffic. Austria, for example, has its Federal Fiscal Code (Bundesabgabenordnung – BAO), Commercial Code (Unternehmensgesetzbuch – UGB) and VAT Act (Umsatzsteuergesetz – UStG). In Switzerland, there is the Code of Obligations (Obligationenrecht – OR), while in Germany, the “Principles for the proper management and storage of books, records and documents in electronic form, as well as data access” (or GoBD for short) set out requirements governing the handling of commercially significant emails. Accordingly, certain emails must be archived in a tamper-proof manner. Besides these national decrees, laws and administrative regulations, the European General Data Protection Regulation (EU-GDPR) also has implications with regard to how emails are to be managed in commercial organizations. The regulations listed above apply to companies in all industries.
However, there are also industry-specific regulations that may not apply worldwide but only nationally. For example, US healthcare companies are subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA). All US healthcare companies must therefore adhere to strict rules designed to protect the confidentiality and integrity of patient information.
Compliance Requirements in the Financial Sector
Other provisions exist worldwide that stipulate, among other things, that records of business transactions must be kept, and these also affect the management and archiving of emails. In the USA, for example, the Financial Industry Regulatory Authority (FINRA) supervises transactions in the investment banking sector and requires that providers of securities trading services retain emails for a certain period of time (see FINRA Rule 3110.09). The financial sector in the EU is another industry that is now heavily regulated. In 2018, the second version of the pan-European Markets in Financial Instruments Directive (MiFID II) came into force, requiring EU member states to implement record-keeping obligations for companies operating in the financial sector (e.g. investment firms, financial consultants, and credit institutions). Article 16 of MiFID II reads as follows:
“Records shall include the recording of telephone conversations or electronic communications relating to, at least, transactions concluded when dealing on own account and the provision of client order services that relate to the reception, transmission and execution of client orders.” It continues: “Such telephone conversations and electronic communications shall also include those that are intended to result in transactions concluded when dealing on own account or in the provision of client order services that relate to the reception, transmission and execution of client orders, even if those conversations or communications do not result in the conclusion of such transactions or in the provision of client order services.”
In practice, this means that investment firms must keep records in a medium that allows the information to be stored and to remain accessible for future reference.
- The information should be readily accessible and one should be able to reconstitute each key stage of the processing of each transaction
- All versioning should be easily determined – any corrections or other amendments, and the contents of the records prior to such corrections or amendments, should be easily ascertained
- It should not be possible for the records to be manipulated or altered
- There should be methods for the efficient exploitation of the records when the data needs to be analyzed given the volume and the nature of the data
It is evident, therefore, that investment firms, financial consultants and credit institutions need to keep a close eye on how they manage and archive their electronic communications if they wish to comply with MiFID II.
Email Archiving With MailStore Server in Banks
Banks are implementing these requirements by using, for example, MailStore Server as an aid to legally compliant email archiving. Indeed, individual branches of public-sector lending institutions in Germany have been using MailStore Server for many years. In Eastern Europe, banks and financial institutions are increasingly opting for our software. So MailStore Server is frequently the medium of choice when it comes to email archiving in the financial sector. Our software provides features that help companies and organizations in the financial industry meet compliance requirements. These include in particular:
- Auditability: To enable the activities of MailStore administrators and users to be logged, MailStore Server uses its own audit log or the Windows event log to record specific events such as the movement of emails or folders. This enables a corporate compliance officer, for example, to monitor compliance with legal and operational regulations, while an external auditor can be assigned his/her own special user role for control purposes.
- Encryption: The email archives themselves, access to them, and the communication between MailStore Server and the email system are encrypted. MailStore Server applies AES-256 encryption to emails, attachments, and audit logs. This ensures that the archived data cannot be tampered with afterwards. At the communication level between MailStore Server and the email system, TLS encryption is used.
- Controlling and limiting privileges: By configuring user roles in MailStore Server, it is possible to stipulate who has access to an archive and the emails it contains. In addition, user logins/logouts and all archive accesses are logged so that it is possible to trace who has accessed emails and when this occurred.
Do you want to learn more about the compliance features in MailStore Server?
Find out more about MailStore Server: You are welcome to attend our free webinars.