Compliance archiving is defined as a mission-critical process for collecting, preserving, and enabling search and analysis of electronic business communication data. Compliance archiving enables supervision and surveillance, advanced eDiscovery, business insights, and automation.
Organizations are often compelled to implement compliance archiving by regulatory authorities charged with overseeing the conduct of firms and organizations in key sectors, such as banking, finance, insurance, and securities brokerage. However, organizations can realize numerous benefits from the data and insights that compliance archives yield that extend beyond regulatory compliance.
Organizations have a variety of options for implementing compliance archiving solutions:
This article reviews the advantages and specific use cases for implementing managed archiving services.
A managed service is a solution offering that allows organizations to relegate a specialized process or operation to a third-party provider. Managed service providers (MSPs) typically leverage cloud technologies to serve the specific requirements of multiple customer organizations through a centrally managed pool of compute, storage, and other resources.
Organizations can use managed services to reduce the overhead associated with a specialized function – information technology (IT) security, enterprise resource planning (ERP), or supply chain management, to name just a few examples – that are considered outside of the organization’s core competencies.
By outsourcing non-core operations, organizations can better focus internal teams and resources on more mission-critical work, such as new product development, technological innovation, and competitive differentiation.
Compliance archiving is a resource-intensive business process. As mandated by such authorities and regulatory frameworks as the Securities Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the European Commission (EC) directive Markets in Financial Instruments Directive 2 (MiFID 2), and the California Consumer Privacy Act of 2018 (CCPA), organizations in designated industries must retain and protect employees’ electronic communication for a specified number of years.
Thus archived, this data needs to be available for search and analysis to determine whether any rules regarding lawful communications have been broken. Examples of unlawful behaviors that regulatory authorities are charged with investigation include fraud, insider trading, and collusion. The material cost to an organization found in violation of these rules can be substantial, and can result not only from fines and penalties, but from lawsuits and reputation damage.
Given the potential cost of compliance violations, coupled with the extensive technical and human resources demanded of compliance archiving, a growing number of organizations have opted to relegate compliance archiving to qualified solution providers using an MSP delivery model.
Contrary to a common misconception, compliance archiving solutions are more search-intensive than they are storage-intensive. In this, compliance archive solutions differ fundamentally from cloud storage or backup-and-recovery solutions.
To mitigate risk, compliance teams can be tasked with conducting searches as frequently as several times per week. When an organization employs 20,000 people across multiple countries, and archives upwards of 33 terabytes of communications data per year each search puts extraordinary demands on the archiving system.
The ability to return a set of search results within seconds, rather than minutes or hours, depends on an aggregation of technologies that include data collection, ingestion, structuring, enrichment, and indexing. The knowledge required to manage and maintain a compliance archiving solution therefore needs to include proficiency in IT, networking, security, the communications channels being monitored, and the regulatory frameworks driving the operation at the very least.
While staffing and resourcing a skilled compliance archiving operation for an 8,000-employee organization is challenging, doing so for a 650-employee organization can be nearly impossible. Yet industry regulations demand the same due diligence of organizations no matter whether it’s a Fortune 500 enterprise or a small start-up. There are thus many factors for an organization to opt for compliance archiving as a managed service.
There is yet another advantage that organizations can derive by relegating compliance archiving to a specialized MSP. Whereas historically, the electronic communications referenced in regulations such as SEC Rule 17a-4 primarily constituted email, organizations today often leverage numerous social media channels and collaboration tools (known collectively as social collaboration tools).
These range from social media giants like Twitter and Facebook to collaboration tools that surged in adoption due to the Coronavirus pandemic, such as Microsoft Teams and Zoom. Financial firms often use lesser known, more specialized tools as well.
Social collaboration tools exacerbate compliance archiving challenges in two ways. First, being proprietary applications, each social collaboration tool has its own set of interfaces, features, and personalization elements (e.g., emojis, stickers, and animated GIFs). Second, given the intense competition in this market, social collaboration tool vendors have been pushing software updates – sometimes with no advance warning – at a rapid pace.
Whether modest or major, each update can potentially undo the archiving technologies developed to collect, ingest, search, and retrieve its data. For organizations running internally developed or commodity-grade solutions, these updates can throw operations teams into crisis mode, scrambling to troubleshoot, analyze, and remediate the issue to restore compliance.
Organizations that leverage managed archiving services, on the other hand, have made the strategic decision to offload this work to their archiving MSP. Managed compliance archiving service providers maintain trained staff to monitor operations for performance anomalies that can signal unanticipated updates. Once the issue is assessed, these domain experts can mobilize resources to restore compliance, minimize risk exposure, and systematically report their findings and actions to their customers.
In addition to managed archiving services, solution providers can offer more specialized services to help customers tailor their compliance archiving solutions to their unique needs and environments. These services can be delivered via a managed service model, under a professional service agreement, or as a hybrid of the two.
The following section lists some examples of supplemental managed service offerings that organizations should consider using to help ensure that their compliance archiving solution fully accommodates their unique needs and strategies.
As mentioned above, organizations occasionally need to archive communications content from social collaboration tools that are more specialized or even built internally, and therefore may not be supported as standard by the compliance archiving solution.
A social collaboration connector-as-a-service (CaaS) can support your organization’s ability to manage and preserve chat messages, conversation threads, microblog posts, history, and file attachments for ingestion into the compliance archive for easy and fast search, analysis, supervision, and export regulatory and corporate compliance of all communication content, including both email and non-email channel data.
Managing archive retention policies involves finding the optimal balance between retaining archive data to comply with legal and regulatory minimum durations and legally disposing archive data when both its retention period and strategic value have expired.
Finding this balance point can be challenging. On one hand, different data types can be subject to different regulatory retention rules. However, retaining data far beyond the expiration of its retention period can also expose an organization to risk if it proves material to a lawsuit.
Organizations have the option to work with third-party retention management service providers to address the retention and preservation (Legal Hold) needs mandated by governing bodies (e.g., SEC, FINRA, etc.) and to define precisely when data has been retained for the required period of time.
Among other benefits, retention management service providers can provide the means to dispose of data that has reached the end of its retention period while ensuring preservation of data still under Legal Hold.
Compliance archive data collection service allow organizations to quickly and cost-effectively respond to urgent and complex regulatory requests for information retained in the archive. Providers of these services require a deep understanding of search query syntax and logic, as well as expertise in the specific archiving platform in which the information resides.
Selectively outsourcing search and export projects to third-party expert teams, organizations can minimize the impact of high-profile cases on ongoing core business work while complying fully with regulatory or legal requirements.
Compliance and legal teams occasionally need to analyze the metadata information of selected messages within the compliance archive. This information is contextually rich and can provide vital evidence to determine the disposition of a regulatory or legal issue.
Standard metadata fields include such information as Archived Date, Sent Date, Sender, Recipients, and unique Message Identification Designators. Organizations may also need to analyze information contained in customized metadata fields added in an archive’s metadata enrichment stamping process.
Metadata extraction service providers work with customers to determine which metadata fields to be included in the analysis, to best support downstream usage requirements.
Data consultancy services can take a wide variety of forms but are most frequently sought by organizations either deploying compliance archiving for the first time or migrating archive data from one platform to another (e.g., as part of a technology refresh program).
As part of a data consultancy engagement, a team of specialists can conduct a gap analysis to identify new data types that should be ingested into the compliance archive, formulate new archiving and retention policies that may be required to comply fully with regulations, or differentiate between ongoing feed requirements and one-time migrations. Other use cases for data consultancy services include reducing downstream eDiscovery costs through focused searches and extractions and surfacing data gaps that need to be remediated.
Micro Focus offers managed archiving services to help regulated organizations streamline compliance operations and provide more comprehensive and effective compliance risk mitigation. Micro Focus also offers a family of supplemental managed archiving services to help organizations tailor their solutions to suit their unique compliance strategies and needs.
For more information, visit the following web pages:
Micro Focus Compliance Archive – Enterprise
Organizations in regulated markets face momentous change, but properly equipped organizations can parlay this change into opportunity. How can your business benefit from the injection of Managed Services expertise?