Paul Johnson


  1. Looking after it all – Records Management & e-Discovery. Paul Johnston – Senior Manager, Group Records Management, NAB. 15 April 2011
  2. Outline of Topics
      • Meeting the legal requirements
      • Storage, recall and security requirements
      • Building an effective risk framework to protect your records
      • Records Management Culture at NAB
  3. Management Response to RM Risk: YES, we really must do something about this!
  4. Meeting the Legal requirements
      • Since 2005 there have been over 260 million individual records that have been lost – with many of these records containing sensitive business data or individuals’ personal identification information. Cost to companies to reproduce a record is approximately $200*
      • Risks and Costs include:
          • Regulatory fines (i.e. Austrac, APRA, ASIC, FSA, MAS, Basel II etc.)
          • Reputational damage
          • Courts
          • External third party legal fees
          • External auditor costs
          • Technology costs - capture, retrieval and restoration
          • People costs
          • Loss of customers
      * Source – Quantum March 2010 newsletter
  5. Paying the Penalties
      • Recent overseas penalties for AML/CTF breaches have included:
          • in the US:
              • in September 2006 a settlement agreement in the amount of US$7.5 million between Bank of America Corporation (BAC) and the Manhattan District Attorney stemming from BAC's deficiencies in handling foreign money service business clients and AML controls; and
              • in December 2005 ABN AMRO agreed to pay US$80 million in fines and penalties for various defects, including AML internal controls and failures to identify, analyse, and report suspicious activity;
          • in the UK:
              • in 2005 the FSA imposed financial penalties of £175,000 on Investment Services UK Limited and £30,000 on its managing director; and
              • in 2004 it imposed fines of £1,250,000 and £375,000 on the Bank of Scotland and Bank of Ireland respectively.
          • in Japan:
              • in September 2004 the Japanese financial authorities ordered Citibank NA Japan to suspend its private banking operations for a number of violations including some relating to anti-money laundering.
      • Note - Austrac penalties - Businesses that breach the laws can be fined $11 million, while individuals within the company could receive penalties of up to $2.2 million.
  6. Planning for e-Discovery
      • When does the e-Discovery clock start ticking?
      • The duty to preserve relevant documentation may commence upon:
          • initiation of a lawsuit by or against the institution
          • institution is put on notice by a party that litigation is or may be imminent or
          • institution has knowledge of facts that indicate litigation is reasonably anticipated
  7. Planning for e-Discovery
      • Identify a centralised Coordinator for all special preservation requests
      • Regular discussions with your Litigation team
      • Legal and Coordinator must be the first to know of any potential litigation
      • Organise meetings with business key stakeholders (i.e. IT, forensics)
      • Prepare an action plan (i.e. steps you are taking to identify, preserve, collect and restore). Also document all your communications including actions!
      • Understand what records are impacted (customer, corporate, employees) and what regions are impacted
      • Understand how far back you have to go
      • Think about creating a virtual team to support e-discovery
      • Maintain legal professional privilege in all your communications relating to the case
  8. Challenges of e-Discovery
      • Knowing where the information is stored
          • NAB is a global organisation (across 5 countries)
          • Different database systems (current)
          • Historical database systems (legacy)
          • Knowledge management
      • Documents incorrectly classified due to lack of knowledge of policy
      • Have records already been destroyed pursuant to the records retention policy requirements? (this may reduce the high costs on discovery)
      • Mergers and acquisitions – multiple systems
      • The time required to identify records across all systems
      • What resources do you have at your disposal? (the virtual search team)
  9. Storage gone wrong
  10. Challenges of capture and storage
      • People need to be made aware of the requirements to capture records in either:
          • Physical
          • Electronic
          • or both (though look to prevent duplication)
      • Burden of storing physical records due to environmental and sustainability reasons
      • Victorian Evidence Act 2008 and admissibility of computer-generated records
  11. Challenges of identifying records
      • Records kept to compensate
      • Records needed, but not located
      • ‘Needle in the haystack’
      In the past, when the Bank needed to preserve records, it would place a blanket embargo to compensate for the way in which records were captured. This has changed.
  12. Challenges of identifying records
      • Configuration of computer workstations and file servers
      • Mirror disks
      • Removable media (diskettes, fobs, tapes, etc.)
      • Metadata
          • Temporary files and fragments
          • Histories
          • Embedded comments
      • Audit trails and log files
      • Legacy Systems
      • Internet information
      • Corporate intranets
      • Email
      • Computers and laptops
      • PDAs
      • Backup tapes and facilities
      • “Deleted” files
      • Sharepoint
      • Non-textual electronic devices
  13. Culture
  14. NAB Records Management Program 09/10
      • Records Management Risk Framework
      • Policy/Framework
      • Regulator Liaison & Regulatory Change
      • Governance and Reporting
      • Training and Communication
      • Monitoring & Testing
      • Advisory
      • Records Management Centre of Excellence
  15. Building the right Culture at NAB
      • Training staff at day 1 to reduce our future e-discovery costs
      • Induction course includes records management
      • E-learning training module on records management (mandatory)
      • Group Records Retention Policy
      • Regular Change communications (regulatory updates etc.)
      • Assurance and monitoring (do staff really follow the policy?)
      • Risk sign-off required on a wide range of aspects, projects etc. impacting the records management lifecycle
  16. NAB Records Management Program 2010
      • Compliance with Group Policy
      • Mitigate records management risks
      • Improve Processes and Controls to provide an improved level of service
      • Reduce costs
      • Reduce our Environmental impact
      • Improve and Sustain awareness of records management culture
      • Litigation Hold (Special Preservation Procedures)
      • Develop on our current records management framework
      • Post-Implementation Compliance and Auditing
  17. Records Management overview
      • NAB focuses on six key phases that make up the records management lifecycle
      • Each Phase has a set of internal principles which we adhere to
      • All impact how we comply with e-Discovery requirements
      It’s not just here
  18. Understand your business to help reduce your discovery costs.
      • Number of technology systems used to capture records
      • What and why third parties hold records for you?
      • Test your controls around e-discovery (i.e. time to produce documents vs tight request deadlines)
      • Can you identify only those records that are required (why recover everything if not required)?
      • The increased volume of Technology storage devices (map out what you use and where)
      • Work with IT, Forensics, Legal, Risk teams and third party legal teams to understand what they require and in what format (native, PDF, TIFF etc.)
      • Controls around ‘temporary’ storage
      • Mandate electronic channel into third party offsite storage
      • Do your staff understand what is expected of them in the records management lifecycle?
  20. Disclaimer
      • The materials, ideas, opinions and information expressed are the personal views of the presenter. In no event shall National Australia Bank Limited or its related entities be liable for any damages whatsoever resulting from any action arising in connection with the use of this information or its publication, including any action for infringement or copyright or defamation.
  21. Questions
      Paul Johnston, National Australia Bank
      Email: [email_address]
      Phone: 0458 346 208