I am interested in your experience with US SEC (17a-4) and CFTC (1.31) guidelines relating to record keeping, for companies using EV to journal data for regulatory purposes.
CFTC 1.31 requires:
(A) Preserves the records exclusively in a non-rewritable, non-erasable format;
(B) Verifies automatically the quality and accuracy of the storage media recording process;
(C) Serializes the original and, if applicable, duplicate units of storage media and creates a time-date record for the required period of retention for the information placed on such electronic storage media; and
(D) Permits the immediate downloading of indexes and records preserved on the electronic storage media onto paper, microfilm, microfiche or other medium acceptable under this paragraph upon the request of representatives of the Commission or the Department of Justice.
(A) Preserve the records exclusively in a non-rewriteable, non-erasable format;
(B) Verify automatically the quality and accuracy of the storage media recording process;
(C) Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and
(D) Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.
The regulations use the wording "all records" or "all books and records".
I am wondering how you meet these requirements in your environment. The WORM requirement seems pretty straightforward when using a Centera in Compliance Plus mode, but how do you guarantee that "all" records have successfully made it into the Centera via EV? How do you do end-to-end reconciliation of various channels like journaled email, Bloomberg, social media, Reuters, Salesforce Chatter, etc.?
We have used the Centera in the past, and some places I've been used a NetApp in compliance mode to meet the WORM requirement. Exchange Journaling is generally accepted, although without some modifications you can miss some direct SMTP traffic. The new SMTP archiving captures all the data. For all the non-email data there are 3rd party tools to assist in capturing IM traffic and archiving it to meet those requirements as well. Social media is a bit more problematic, but the 3rd party tools assist in capturing all that as well. I strongly recommend that you meet with your Legal/Compliance team and engage an eDiscovery/Compliance consultant to ensure you identify and quantify the requirements, then develop a plan to support those requirements.
Thanks. What I'm most interested in is what strategies people are using around data reconciliation, i.e. how can you prove that "all records" have been captured - how can you reconcile between source and target?
E.g., are people doing comparisons of what has been journaled vs. what is in EV? If so, how? Or for 3rd party tools such as Merge1 and Vantage that archive Bloomberg and Yahoo respectively, how are you doing comparisons of what has been journaled (or sent directly to EV) vs. what is in EV?