Messaging in the Financial Services Industry
an Osterman Research white paper
sponsored by
Osterman Research, Inc. • P.O. Box 1058 • Black Diamond, Washington 98010-1058
Phone: +1 253 630 5839 • Fax: +1 866 842 3274 • info@ostermanresearch.com • www.ostermanresearch.com
Why You Should Read This White Paper

More than organizations in virtually any other industry, firms in the financial services industry face the most difficult requirements in the context of how messaging capabilities are used and managed. Financial services firms like broker-dealers, traders, and others who manage securities or investments require real-time access to e-mail and instant messaging (IM) capabilities because of the time sensitivity of their communications. That means that e-mail and IM must be continually available and that server disruptions can cost thousands or millions of dollars in lost revenues. These firms require that messaging systems be robust and transparent so that users can seamlessly use these capabilities without having to deal with unwanted messages and other distractions. These firms also face incredibly strict regulatory requirements for preserving and accessing e-mail and instant messages on a long-term basis, meaning that archiving and retrieval must be very robust and easy to use.

In short, financial services firms place among the most difficult demands on messaging systems. This white paper focuses on some of the areas that differentiate the financial services industry from other industries.
Key Issues in Financial Services Industries

Financial Services Firms Face Unique Requirements

There are a variety of organizations in the financial services industry that face difficult and stringent requirements in the context of messaging. These firms include brokerage houses; investment companies, such as those that manage mutual funds; transfer agents; and investment managers. These firms are subject to very strict government oversight regarding how they communicate with clients, how they must preserve these communications, how they must present them when asked to do so, who must have access to them, and so forth. These firms must preserve all e-mail messages and instant messages that contain communications with clients, along with certain other types of information.
Regulations

There are a variety of strict requirements for messaging that apply to certain financial services firms. One of the oldest and most stringent requirements is Rule 17a, a key provision of the Securities and Exchange Act of 1934. This rule is among the Securities and Exchange Commission (SEC) Books and Records regulations and has two key parts:

• Rule 17a(3) mandates that broker-dealers keep all records of their transactions regarding securities trading, all communications with clients and the public, information on customer positions and other account information, and so forth. This includes all e-mail, IMs, and other electronic communication in any form.

• Rule 17a(4) specifies record-retention periods, the media on which it is acceptable to store these records, and other requirements. Specifically, Section 240.17a-4 of the requirement states “(a) Every member, broker and dealer subject to § 240.17a-3 shall preserve for a period of not less than six years, the first two years in an easily accessible place, all records required to be made pursuant to paragraphs § 240.17a-3(a)(1), (a)(2), (a)(3), (a)(5), (a)(21), (a)(22), and analogous records created pursuant to paragraph § 240.17a-3(f). (b) Every member, broker and dealer subject to § 240.17a-3 shall preserve for a period of not less than three years, the first two years in an easily accessible place: (1) All records required to be made pursuant to § 240.17a-3(a)(4), (a)(6), (a)(7), (a)(8), (a)(9), (a)(10), (a)(16), (a)(18), (a)(19), (a)(20), and analogous records created pursuant to § 240.17a-3(f).”

Rule 17a mandates a variety of strict requirements around e-mail preservation and retrieval, including a requirement that the media on which messages are stored be non-rewritable and non-erasable, that storage media must be serialized, that duplicates of electronic records and indices must be kept, as well as a variety of other provisions.
In addition to Rule 17a, there are a number of other important regulations focused on financial services firms:

• National Association of Securities Dealers (NASD) Rule 3010 is another key requirement for financial services companies. Rule 3010 basically requires that broker-dealers and others implement specific capabilities for the sampling and review of messages sent out by broker-dealers. A particular broker might have between 4 and 10 percent of his or her e-mail sampled and reviewed for compliance, while broker-dealers suspected of non-compliance might have 50 percent or more of their e-mail sampled and reviewed. Other NASD rules of interest in the context of e-mail and IM are Rules 3110 and 2210. Rule 3110 requires that member organizations establish a retention program for correspondence that involves registered representatives. Rule 2210 requires, among other things, that e-mail, sales literature, and correspondence that is provided to customers or the public be retained for three years from the date each document is used.

• The Gramm-Leach-Bliley Act (GLBA) focuses on a number of issues surrounding the privacy of confidential information that banks, insurance companies, credit unions, investment firms, and others hold. In short, GLBA requires that these firms protect the privacy of Social Security numbers, account numbers, and other confidential information. GLBA is particularly important in the context of messaging, since this type of information can easily be transmitted through e-mail or IM systems.

• The Sarbanes-Oxley Act of 2002 (SOA) imposes ‘corporate governance’ standards on public companies, requiring them to implement adequate controls on how information is preserved and managed, including the retention and protection of e-mail and IMs. While SOA applies ostensibly only to public companies, some companies directly affected by SOA are requiring their suppliers and others to be SOA-compliant, as well.

• New York Stock Exchange Rules 342 and 440 focus, respectively, on the review and supervision of communications and on the format, media and period of retention for records.
International Requirements

There are a number of other important regulations outside of the United States that affect financial services firms:

• In Canada, the Universal Market Integrity Rules for Canadian Marketplaces contain a number of content retention requirements that are similar to those imposed on U.S. financial services firms.

• Bill 198, imposed by the government of Ontario, is similar in scope and intent to SOA and imposes similar reporting and corporate governance requirements.

• The Markets in Financial Instruments Directive is a key element of the European Union’s Financial Services Action Plan and will impose more rigorous record-keeping requirements, including those related to e-mail.

• Basel II sets out a new framework for improving the transparency of banks’ financial reporting. It also sets forth principles for these institutions to determine the adequacy of their capital for risk assessment purposes and will require improved record-keeping toward that end.

• In the U.K., the Companies Act contains a number of provisions designed to encourage retention of records.

• Also in the U.K., the Combined Code on Corporate Governance 2003 imposes reporting requirements on the boards of directors of a variety of companies.
Penalties for Noncompliance Can Be Severe

There have been a variety of high-profile cases in which companies received significant fines for a failure to comply with industry requirements:

• In June 2004, Morgan Stanley certified that it had turned over all e-mail messages it was required to produce as part of a lawsuit, but later found that 1,600 backup tapes had not been searched for e-mail. As a result, the judge hearing the case instructed the jury that they could assume that Morgan Stanley had been involved in defrauding the plaintiff.

• In March 2004, Bank of America was fined $10 million by the SEC for its failure to retain e-mail records that dealt with its merger and for taking too long to comply with regulatory requests for these records.

• In December 2002, five Wall Street brokerage houses—Morgan Stanley, Piper Jaffrey, Salomon Brothers, Goldman Sachs, and Deutsche Bank—were fined $1.65 million each for their failure to comply fully with Rule 17a(4).

• Frank Quattrone’s Investment Banking division at Credit Suisse First Boston (CSFB) used a selective deletion policy that required the staff to periodically delete old e-mail and instant messages. Since this had been a long-running policy, Quattrone’s request to his staff in December 2000 to clean up their e-mail seemed reasonable. However, Quattrone was aware that a few days earlier, CSFB had received a grand jury subpoena to produce certain records. His order to destroy e-mail helped to convict Quattrone.
Key Considerations for Financial Services Firms

Archiving

Archiving and retrieval of e-mail and IMs is a critical requirement for financial services given the demands of SEC Rule 17a and its related provisions. Depending upon the size of the firm and other factors, an archiving solution selected by a regulated entity must be able to scale to perhaps hundreds of millions of messages owing to the enormous volume of some firms’ communications with their clients and the length of time that records must be preserved (up to six years or longer). An archiving solution must be able to perform complex queries in order to satisfy the most stringent demands from regulators. Further, regulators typically allow little time to satisfy requests, so an archiving system must allow an organization to go through large volumes of e-mail and provide records to regulators in the time frame and format demanded.

Encryption

Because of the sensitive nature of communications between financial services firms and their customers, encryption is a growing requirement for these firms at all levels, from the brokerage house down to the local bank branch. Encryption and the ability to preserve the confidentiality of customer data are important not only because several regulations, such as GLBA and California’s SB1386, require protection of this data, but also because breaches of data security can have far-reaching impacts on the reputation of an institution.

A February 2006 survey by Osterman Research found that about one-half of the e-mail users in financial services firms currently are provided with secure/encrypted messaging capabilities, but that this figure will increase to 60 percent by early 2007 and 74 percent by mid-2008. Clearly, encrypted communication is a critical requirement for a wide variety of financial services organizations.
Business/E-mail Continuity

Perhaps no industry is more critically dependent upon the reliability of messaging than the financial services industry. For example, a January 2006 survey of e-mail users conducted by Osterman Research found that average e-mail users in the workplace spend about 30 percent of their day working within their e-mail client, and that 41 percent of users check e-mail every few minutes when they’re in the office. However, looking at just the e-mail users in finance-related organizations indicates that 38 percent of the average user’s day is spent using e-mail and 47 percent of users check e-mail every few minutes while in the office.

Because so many brokerage houses, investment firms, and others depend upon real-time messaging in support of their revenue-generating activities, even disruptions as short as 10 minutes can have seriously negative impacts on corporate revenues and customer satisfaction. Consequently, it is critical that messaging capabilities in use by financial services firms maintain continuity in the event that the primary messaging system fails for whatever reason.

Regulations Vary for Different Parts of an Organization

It is important to note that different activities within financial services firms will be subject to different regulations with regard to data retention, supervisory review, and other requirements. For example, an insurance company that also sells securities products will face more stringent requirements for its securities activities than for other activities that take place within the organization. While some organizations will segregate messages that contain customers’ confidential information onto completely separate systems, other firms may opt for better controls to be able to manage data from different parts of the organization on common systems.
Other Issues

Financial services firms that operate in different parts of the world will face a variety of additional requirements that will dictate that they comply with regional requirements for data retention, privacy, and other issues. For example, in the U.K. there are a number of requirements that financial services firms and others must follow, including the Data Protection Act, the Freedom of Information Act, the Human Rights Act, and the Companies Act. The European Union also imposes a number of requirements on financial services firms, including Basel II and the Markets in Financial Instruments Directive, as noted earlier. Other nations impose their own requirements on financial services and other firms.

Another key consideration for any financial services firm is how its messaging services are to be delivered: as software that runs on internally managed servers, as on-premise appliances that are managed by in-house staff, or through managed services. The choice of form factor for the delivery of messaging services will depend upon a number of factors, including the firm’s size, its current infrastructure, and its corporate culture.
Conclusion

Financial services firms face very stringent requirements for messaging that are more difficult to satisfy than for firms in most other industries. Messaging systems in the financial services industry must be continually available, the content generated by them must be archived and readily accessible for many years, and much of the content sent through them must be encrypted to preserve the confidentiality of communications. Financial services firms face a variety of statutory obligations with regard to the preservation and retrieval of data, and these requirements are becoming more stringent over time.

Consequently, financial services firms must choose messaging and related capabilities that are very robust, that provide virtually 100 percent uptime, that can preserve all of the information that regulators require, and that can provide these capabilities at reasonable cost.
About Microsoft Exchange Hosted Services

Microsoft Exchange Hosted Services offer a cost-effective way for enterprises to actively ensure the security and availability of their messaging environment, while instilling confidence that their messaging processes satisfy internal policy and regulatory compliance requirements. A seamless extension of Microsoft Exchange that operates over the Internet as a service, the complete set of services includes hosted filtering for spam and virus protection; hosted archiving to satisfy compliance requirements and internal policies; hosted encryption to preserve e-mail confidentiality; and hosted continuity for ongoing access to messaging systems during and after disasters. Microsoft Exchange Hosted Services provide value to corporate customers by eliminating upfront capital investment, freeing up IT resources, and removing incoming e-mail threats before they reach the corporate firewall. For more information, visit http://www.microsoft.com/exchange/services

© 2006 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

THIS DOCUMENT IS PROVIDED “AS IS”. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.