Looking after it all – Records Management & e-Discovery
Paul Johnston – Senior Manager, Group Records Management, NAB
15 April 2011
Outline of Topics
Meeting the legal requirements
Storage, recall and security requirements
Building an effective risk framework to protect your records
Records Management Culture at NAB
Management Response to RM Risk
YES, we really must do something about this!
Meeting the Legal requirements
Since 2005 there have been over 260 million individual records that have been lost – with many of these records containing sensitive business data or individuals’ personal identification information. Cost to companies to reproduce a record is approximately $200*
Risks and Costs include:
Regulatory fines (i.e. Austrac, APRA, ASIC, FSA, MAS, Basel II etc.)
External third party legal fees
External auditor costs
Technology costs - capture, retrieval and restoration
Loss of customers
* Source – Quantum March 2010 newsletter
Paying the Penalties
Recent overseas penalties for AML/CTF breaches have included:
in the US:
in September 2006 a settlement agreement in the amount of US$7.5 million between Bank of America Corporation (BAC) and the Manhattan District Attorney stemming from BAC's deficiencies in handling foreign money service business clients and AML controls; and
in December 2005 ABN AMRO agreed to pay US$80 million in fines and penalties for various defects, including AML internal controls and failures to identify, analyse, and report suspicious activity;
in the UK:
in 2005 the FSA imposed financial penalties of £175,000 on Investment Services UK Limited and £30,000 on its managing director; and
in 2004 it imposed fines of £1,250,000 and £375,000 on the Bank of Scotland and Bank of Ireland respectively.
in September 2004 the Japanese financial authorities ordered Citibank NA Japan to suspend its private banking operations for a number of violations including some relating to anti-money laundering.
Note - Austrac penalties - Businesses that breach the laws can be fined $11 million, while individuals within the company could receive penalties of up to $2.2 million.
Planning for e-Discovery
When does the e-Discovery clock start ticking?
The duty to preserve relevant documentation may commence upon:
initiation of a lawsuit by or against the institution
institution is put on notice by a party that litigation is or may be imminent or
institution has knowledge of facts that indicate litigation is reasonably anticipated
Planning for e-Discovery
Identify a centralised Coordinator for all special preservation requests
Regular discussions with your Litigation team
Legal and Coordinator must be the first to know of any potential litigation
Organise meetings with business key stakeholders (i.e. IT, forensics)
Prepare an action plan (i.e. steps you are taking to identify, preserve, collect and restore.) Also document all your communications including actions!
Understand what records are impacted (customer, corporate, employees) and what regions are impacted
Understand how far back you have to go?
Think about creating a virtual team to support e-discovery
Maintain legal professional privilege in all your communications relating to the case
Challenges of e-Discovery
Knowing where the information is stored
NAB is a global organisation (across 5 countries)
Different database systems (current)
Historical database systems (legacy)
Documents incorrectly classified due to lack of knowledge of policy
Have records already been destroyed pursuant to the records retention policy requirements? (this may reduce the high costs of discovery)
Mergers and acquisitions – multiple systems
The time required to identify records across all systems
What resources do you have at your disposal? (the virtual search team)
Storage gone wrong
Challenges of capture and storage
People need to be made aware of the requirements to capture records in either:
or both (though look to prevent duplication)
Burden of storing physical records due to environmental and sustainability reasons
Victorian Evidence Act 2008 and admissibility of computer-generated records
Challenges of identifying records
[Diagram labels: Records kept to compensate; Records needed, but not located; ‘Needle in the haystack’]
In the past when the Bank needed to preserve records, it would place a blanket embargo to compensate for the way in which records were captured. This has changed
Challenges of identifying records
Configuration of computer workstations and file servers
Removable media (diskettes, fobs, tapes, etc.)
Temporary files and fragments
Audit trails and log files
Computers and laptops
Backup tapes and facilities
“Deleted” files
Non-textual electronic devices
NAB Records Management Program 09/10
Records Management Risk Framework
Policy/Framework
Regulator Liaison & Regulatory Change
Governance and Reporting
Training and Communication
Monitoring & Testing
Advisory
Records Management Centre of Excellence
Building the right Culture at NAB
Training staff at day 1 to reduce our future e-discovery costs
Induction course includes records management
E-learning training module on records management (mandatory)
Assurance and monitoring (do staff really follow the policy?)
Risk sign-off required on a wide range of aspects, projects etc. impacting the records management lifecycle
NAB Records Management Program 2010
Compliance with Group Policy
Mitigate records management risks
Improve Processes and Controls to provide an improved level of service
Reduce our Environmental impact
Improve and Sustain awareness of records management culture
Litigation Hold (Special Preservation Procedures)
Develop on our current records management framework
Post-Implementation Compliance and Auditing
Records Management overview
NAB focuses on six key phases that make up the records management lifecycle
Each Phase has a set of internal principles which we adhere to
All impact how we comply with e-Discovery requirements
It’s not just here
Understand your business to help reduce your discovery costs.
Number of technology systems used to capture records
What records do third parties hold for you, and why?
Test your controls around e-discovery (i.e. time to produce documents vs tight request deadlines)
Can you identify only those records that are required (why recover everything if not required)?
The increased volume of Technology storage devices (map out what you use and where)
Work with IT, Forensics, Legal, Risk teams and third party legal teams to understand what they require and in what format (native, PDF, TIFF etc.)
Controls around ‘temporary’ storage
Mandate electronic channel into third party offsite storage
Do your staff understand what is expected of them in the records management lifecycle?
Conclusion
BE PROACTIVE AND NOT REACTIVE
The materials, ideas, opinions and information expressed are the personal views of the presenter. In no event shall National Australia Bank Limited or its related entities be liable for any damages whatsoever resulting from any action arising in connection with the use of this information or its publication, including any action for infringement or copyright or defamation.
Questions
Paul Johnston, National Australia Bank
Email: [email_address]
Phone: 0458 346 208