Incriminating e-mails are increasingly being produced as evidence in corporate crime trials

With financial services providers now being obliged to archive every electronic communication for potential regulatory scrutiny, more than a few executives may be losing sleep over the thought of what might lie hidden in the server room. Bo Manning reviews the implications.

The sight of senior company executives in handcuffs is becoming a common one, following the high-profile arrests and indictments of figures such as CSFB's Frank Quattrone, Enron's Andrew Fastow and Kenneth Lay, and Tyco's Dennis Kozlowski.

It is largely thanks to people like Fastow, Quattrone et al that lawmakers and regulators are now taking such a hard line on white-collar crime.

In an attempt to restore faith in business, the penalties for market manipulation, insider dealing, corporate fraud, misleading investors, discrimination and many other crimes are being made harsher, and prosecutors - epitomised by New York state attorney general Eliot Spitzer - are becoming more tenacious and less tolerant.

The situation is a worrying one for financial institutions, who are caught between two conflicting trends. On the one hand there is the requirement to comply with an ever-increasing raft of regulations. Both the Securities and Exchange Commission (SEC) and the National Association of Securities Dealers (NASD) have significantly tightened their trading rules in the last couple of years. The Sarbanes-Oxley Act mandates improved and better-documented controls over financial processes, and the forthcoming introduction of the Basel II Capital Accord for financial institutions worldwide means that banks have to step up their risk monitoring, mitigation and reporting procedures, or incur financial penalties.

What this means in practice is that more and more internal policies have to be drawn up, disseminated and adhered to. Policies for information sharing, risk management, documentation of controls and other regulatory requirements are being added to the myriad of existing policies governing everything from workplace ethics to evacuation procedures. The consequences of policy infringement can be very serious, ranging from lawsuits and financial penalties to disqualification or imprisonment.

At the same time, financial institutions are having to cope with the fact that an increasing volume of regulated business and other policy-driven activities are being conducted via modern electronic communications technologies. Not only is e-mail replacing the telephone as the primary means of communication, but many banking industry executives have also fallen in love with instant messaging (IM) and BlackBerry handhelds as enablers of 'real-time' business. While these technologies can be highly productive, they are also fraught with danger. Spontaneous electronic exchanges may breach policy in any number of ways, yet banks have had no way of preventing this happening, other than to impose a blanket ban on the use of the technology in question.

As a result, company e-mail and message archives are becoming mines of information for regulators and litigants. Quattrone was famously convicted on the strength of one e-mail he forwarded to his team, but this is just the tip of the iceberg. E-mails are now regularly seized as evidence for everything from insider dealing to harassment and discrimination. To compound the issue, banks are finding that retrieving and producing subpoenaed e-mails carries a punitive cost. To give one example, in a recent alleged gender discrimination case, the bank in question estimated that retrieving and handing over 94 data tapes of archived mails would cost in the region of $275,000.

Incriminating content?

The cost of retrieving and producing archived communications is one reason why banks should be worried about this new trend, but it is by no means the only one. The primary cause for concern is - or should be - whether there is actually any incriminating content in the archive. Most financial institutions have strict e-mail usage policies in place now, but how many can be 100% sure that such policies are always observed by employees?

And even if employees are now aware of the need to abide by e-mail policy, was this also true three, five, or seven years ago? Statutory records retention regulations mandate that electronic communications be kept for these durations and longer, which is why Quattrone's e-mail was able to come back to haunt him three years after he sent it.

Again, even if employees are more aware of e-mail policy, can the bank be sure that policy is always uppermost in their mind? E-mail is, by its very nature, an informal communications medium in which conversational exchanges about regulated business can take place spontaneously and with little forethought. In hurried exchanges, insufficient attention may be paid to the use of language, with the result that the e-mail may constitute a breach of policy or regulation, even if the sender had not intended any wrongdoing.

This applies even more forcefully to instant messaging. Users of IM platforms may be unaware that their messages are being recorded and archived alongside e-mail, and this may serve to lower their guard. Employees may also think that messages they send through personal e-mail accounts such as Hotmail go unrecorded by their employer, with the result that they feel safe in sending confidential or illicit information through these channels. A survey conducted by Orchestria in the City of London in 2004 found that 71% of respondents had used a personal webmail account to send information they did not want their employer to know about.

Yet the SEC and other regulators mandate that all business-related electronic communications made by employees are recorded and archived for the appropriate retention period, in the SEC's case (Rule 17a-4), six years. For senior management, chief compliance officers and chief risk officers, this presents a dangerous state of affairs. The bank may be stockpiling evidence of wrongdoing that senior management is powerless to stop, because it cannot see or prevent the transgressions being committed. While this is a worrying situation for any senior executive, it is doubly so for those CEOs and CFOs of public companies who are subject to Section 906 of the Sarbanes-Oxley Act, and who are therefore personally accountable - and punishable - for any inaccurate or misleading statements made by the company, and for any fraudulent activity conducted by the company as a whole.

Checking and archiving

Compounding the problem is the relative lack of sophistication with which e-mails and other electronic communications have traditionally been stored.

Although the regulations mandate that only business-related communications are preserved in the archive, what this means in practice for many banks is that all electronic communications made by employees are recorded and archived, since they lack the ability to determine accurately which communications are business-related and which are not.

Similarly, banks are only just starting to use archiving software that can evaluate the content and context of an e-mail or IM conversation and assign it to an appropriate storage cycle - i.e. three years, seven years, perpetuity. The same software will ensure that when the retention period ends, the e-mail will be permanently deleted from the records. This kind of software was not available until recently, meaning that hundreds of thousands of e-mails from years gone by are being kept for longer than is legally necessary.

The result is an archive that is stuffed to the brim with business, personal and spam messages. This is why a regulatory investigation or lawsuit costs banks so much - it takes time, money and technical expertise to identify and retrieve the correct individual messages and conversations. Failure to produce the requested communications, however, can itself bring penalties for perceived obstruction or spoliation of evidence. Small wonder, then, that some banks reluctantly opt to hand over their entire archive - with all the confidential information that it contains - rather than spend thousands of dollars locating the requested communications.

For one major global investment bank, the situation had become intolerable.

Eliot Spitzer's 2003 investigation into Wall Street market abuses resulted in the bank's having to pay a $1.4bn settlement, thanks in great part to incriminating evidence found in employee e-mails. The bank decided to take action on two fronts: firstly to reduce the ability of employees to commit breaches of regulatory compliance via e-mail and other electronic communications, and secondly to invest in more sophisticated e-mail archiving technology that would only store business-related messages and only for the relevant statutory retention period.

The bank chose three technologies which work together to provide an overall solution to the problem. Software from my own company was chosen to provide 'active policy management' - that is to say, the software checks the content and context of each e-mail and instant message as it is written and matches it against internal and regulatory policy. If it appears to breach policy, the user is alerted and can amend or abandon the communication before it is sent. In this way, the vast majority of non-compliant messages can be eradicated before they are created, without disrupting the flow of business or having to ban staff from using the latest communications technologies.

On the archiving side, the bank chose Exchange Archive Solution (software) from ZANTAZ, which indexes the content of each message and assigns it a definitive retention period, after which it will be automatically deleted.
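As an added illustration of the retention logic described here and in the 'Checking and archiving' section above (example code written for this page, not ZANTAZ's or Orchestria's software): each archived message is assigned a retention class, is kept for the longest period it qualifies for, and becomes eligible for deletion only once that period has fully elapsed. The keyword rules, domain names and sample messages are constructed; only the tiers (three years, seven years, perpetuity, and the six years of SEC Rule 17a-4) come from the article.

```python
# Constructed example (not the vendor's code): retention classes and purge dates
# for an e-mail archive; tiers are those the article names, rules are made up.
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = {"personal": 0, "business": 3, "sec-regulated": 6,  # SEC Rule 17a-4
                   "financial-control": 7, "litigation": None}        # None = perpetuity
RULES = [                      # constructed keyword rules, not a real classifier
    ("sec-regulated", ("trade", "order", "allocation", "ipo")),
    ("financial-control", ("journal entry", "quarterly close", "audit")),
    ("litigation", ("subpoena", "litigation hold")),
]
WEBMAIL_DOMAINS = ("hotmail.example", "webmail.example")   # constructed

@dataclass(frozen=True)
class Message:
    sent: date
    recipients: tuple          # e-mail addresses
    text: str                  # subject and body

def classify(msg: Message) -> set:
    """Return every retention class the message matches; it may match several."""
    hits = {n for n, words in RULES if any(w in msg.text.lower() for w in words)}
    if hits:
        return hits
    # No regulated content: mail sent only to personal webmail counts as personal.
    personal = all(r.split("@")[-1] in WEBMAIL_DOMAINS for r in msg.recipients)
    return {"personal"} if personal else {"business"}

def retention_class(classes: set) -> str:
    """A message matching several classes is kept for the longest period."""
    return max(classes, key=lambda c: (RETENTION_YEARS[c] is None, RETENTION_YEARS[c] or 0))

def expires_on(msg: Message):
    """First date the message may be purged, or None if kept in perpetuity."""
    years = RETENTION_YEARS[retention_class(classify(msg))]
    if years is None:
        return None
    try:
        return msg.sent.replace(year=msg.sent.year + years)
    except ValueError:         # sent on 29 Feb of a leap year: roll to 1 March
        return msg.sent.replace(year=msg.sent.year + years, month=3, day=1)

def may_purge(msg: Message, today: date) -> bool:
    return (exp := expires_on(msg)) is not None and today >= exp  # full period elapsed

SAMPLES = (                    # constructed archive entries
    Message(date(2004, 2, 29), ("client@fund.example",), "IPO allocation for your order"),
    Message(date(2001, 6, 1), ("pal@hotmail.example",), "dinner saturday?"),
)
```

A message that matches both a regulated-business rule and the litigation rule is never purged, and a personal message with a zero-year tier is eligible for deletion immediately, which is the distinction the archive has to be able to draw.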

The e-mails are then archived in Centera machines from storage vendor EMC.

The bank is now able to prevent compliance breaches taking place via electronic communications without disrupting the daily flow of business.

It can easily conduct searches and forensic analysis of archived communications in the event of litigation. Moreover, much of the compliance process is now automated, saving administrative costs, and the use of archive space is now much more controlled, resulting in reduced data storage costs.

One of the more poignant comments to come out of the Frank Quattrone trial was the observation of one juror, Sheldon Silver, that in his opinion the former banker had not meant to do anything wrong. "He over-reacted, thinking 'oh maybe they'll find something'," Silver commented to the San Jose Mercury News. "That's what is very sad about this. It could have been stopped in some way." Silver was not wrong - e-mails like Quattrone's can now be stopped before they are sent, making for a few fewer sleepless nights among banking executives.

Bo Manning is chief executive officer of Orchestria, Tel: 001 212 364 5300, E-mail: bo.manning@orchestria.com

CONVICTED FOR A SINGLE E-MAIL

Investment banker Frank Quattrone was recently sentenced to 18 months in prison for obstruction of justice. His sentence was the result of one e-mail which he sent to members of staff in December 2000, recommending that they "clean up" their files, in accordance with the firm's policy of document management. He claimed to have been unaware that his group was part of an investigation into CSFB involving management of initial public offerings and allocation of shares. Quattrone is appealing against the sentence.