As any company involved in the financial marketplace was only too well aware, 1 November 2007 marked the deadline for the 12 000 firms operating in the financial services markets in the UK to demonstrate compliance with the directives of the European Commission’s Financial Services Action Plan. The preceding months had witnessed frantic activity as companies strove to ensure the Markets in Financial Instruments Directive (MiFID) guidelines were met and, as the deadline passed, the general feeling was one of confidence that the new measures adopted were in place.
Early in 2008, those measures will be put to the test as the FSA sets about a comprehensive review of how the industry is complying with the directives. The review will also give those involved the opportunity to take stock of whether the overall effect on their business has been positive or negative.
The underlying principles of the directive were intended to create a single European market for investment services: to update how investment banks do business by improving record keeping and encouraging ‘best execution’ for trades among other things. One of the most challenging concerns for many banks from a technology standpoint was compliance with Article 51, which required organisations to keep details of trades for five years.
Since email is today's de facto business communications medium (Gartner estimates that 97% of business-based communication is via email), this equated to a serious rethink on the management of email across the business. Because emails have become the electronic substitute for legal business documentation, email records were required to be retained for five years.
Unless approached intelligently, this process could result in increased storage infrastructure and high costs, particularly when we consider that the Radicati Group estimates that a typical corporate email account receives about 18Mb of data per day and that this number is expected to grow to over 28Mb by 2011 as both the volume and size of emails explode.
For those companies operating on a pan-European basis the risks were potentially even higher, unless they could find a way to create a central repository for all email communications that offered efficiency and cost gains over the typical fragmented email management strategy that existed in most organisations. For many companies it represented the opportunity to overhaul the way the company approached email management and retention and put in place a system to provide the organisation with better governance of email communications.
Underpinning the need for reform of the guidelines was the need to ensure the following:
* Data permanence – data must be kept in its original state and not changed or deleted;
* Data security – records should be kept secure against theft or misappropriation; and
* Auditability – information must be easily accessible by authorised personnel only.
To meet these challenges, a stringent email archival policy was needed to ensure that email records could be indexed and stored cost-effectively in a read-only format. According to Radicati, however, in 2007 only 14% of corporate emails were archived, and Osterman Research states that 46% of companies were still predominantly using tape backups to ‘archive’ their emails.
However, back-up systems were traditionally intended for storing live data in the event of system failure or disaster, never as a longer-term archival solution. Finding electronic records over the course of a five-year period using a back-up solution alone is frequently a time-consuming, manually intensive process, and its cost meant it was not a viable approach.
Moving beyond the challenge of anticipating email capacity requirements over a five-year period, other issues relating to security and accessibility also come into play. The need to ensure that emails are both secure and tamper-proof can itself prove challenging. For this to be possible, the solution chosen would need to provide full forensic trails of all policy changes, and all searches would need to be recorded. It also dictates that strict checks and balances are in place to regulate viewing of different types of content.
Another complicating aspect is that an email record is concerned not only with the content of the document but also with the delivery or acknowledgement of receipt, the ‘cc’ or ‘bcc’ fields, and the ability to monitor the time and date of delivery.
Other potential loopholes exist, such as the fact that traditional email archives capture email post-receipt, after delivery has been made to the email server. But what if the email server were to fail before that archive snapshot was taken? The ability to prove that an email communication was delivered requires that not only the email contents but also the record of delivery be stored and accessible over a five-year period.
To complicate the picture even more, what if the email gets quarantined and never reaches the intended recipient? These issues and more are even more difficult to resolve when a company is running a set of fragmented E-mail systems and services where the gateway, archival, policy and security/spam gateway are separate entities.
And yet deploying a cohesive, unified email management system can have benefits that stretch beyond pure compliance, including litigation support, storage management and knowledge management. In these other areas, where clear directives about the number of years that records need to be maintained are often absent, it can be hard to decide how long records should be retained.
Most companies at some time in their history are exposed to or implicated in lawsuits and may be called upon to produce documentary evidence in the course of the legal discovery process. High-profile cases in the US have resulted in hefty fines for major corporations like Deutsche Bank Securities, Goldman Sachs, Morgan Stanley and Salomon Smith Barney, each fined $1,65-million for failing to produce emails requested in the course of an investigation.
For many companies handling email storage, archival, security and continuity in a fragmented, multi-solution manner, the task of maintaining hardware and software and upgrading these solutions across the enterprise, whilst attempting to predict and budget for future email storage capacity, is a difficult exercise. The typical challenges of scalability and the complexity of the resultant systems can be expensive and resource-intensive to manage.
Data volumes are frequently growing too fast to store and secure within budget, time and technology constraints. When compliance deadlines are pressing, the speed and predictability of an online web-based solution, such as that offered by Mimecast, become more apparent.
Management consultant McKinsey predicts that software-as-a-service deployments are growing at a rate three times greater than traditional software packages and that in the next three to four years storage and storage management alongside security will become two key growth areas for SaaS.
“As the FSA embark on their new year review of how well the industry has adapted its business to comply with the MiFID directives, it will be interesting to see whether the measures put in place will stand up to scrutiny and what actions, if any, the governing body will take for those that fail to make the grade,” says Garth Wittles, MD of Mimecast SA.
“Nonetheless, one thing is clear, E-mail will continue to dominate the business communications landscape for some time to come and determining the optimum way to maintain, manage and secure this vital information will be key to the future business success of any organisation.”