Summary – “Industry in One: Financial Services”
This article summarizes a report published by AIEF on June 26, 2019. Additionally, the article is included in Information Management Magazine, ARMA-AIEF Special Edition, which will be available for download in mid-November. A printed version of the special issue will be available as well, for a nominal fee.
The scope of a records and information management (RIM) program in financial services can seem overwhelming. Compared to other industries, the complexities of managing records and information in financial services are arguably some of the toughest to solve, primarily because of the intense regulatory scrutiny. The program must evolve with the industry as new challenges and opportunities emerge, and it requires constant attention and program adjustments. Designing RIM programs in financial services requires a pragmatic and consistent approach that supports balancing the requirements of regulatory compliance with the goals of growing the business.
History of Financial System
From the establishment of the first bank in 1791 to the modern day, the financial system in the United States has been shaped by a cyclical experimentation with federal and state legislation. Over the years, the regulations reflected the conflicting forces of centralized government control to maintain stability in the financial system vs. the fear of too much control being concentrated in too few hands, which resulted in deregulation.
Shaped by several financial catastrophes of modern history, such as the Great Depression of 1929 and the Great Recession of 2007, the U.S. financial system continues to evolve in response to changing regulations. If history is any indication, the lessons demonstrate that 1) financial stability of major firms is paramount to the stability of the financial system and the economy overall, and 2) financial institutions have to be more transparent and accountable when conducting business practices to protect consumers’ best interests. Regulations force financial institutions to “play by the rules.” Non-compliance no longer results in just fines and bad publicity; it can take firms out of business.
Now more than ever, financial institutions are required to show evidence that their business practices are in line with regulatory requirements, and one of the best ways to do that is through sound RIM practices. The turbulent history of the U.S. financial system has led to the imposition of enhanced reporting, supervisory, and recordkeeping regulations, which require prudent and consistent implementation to withstand the regulatory and legal scrutiny. The role of RIM in financial institutions has been elevated in the last two decades, now requiring a continued focus, executive support, and an enterprise-wide program scope to be effective at minimizing the risk of non-compliance and delivering organizational value of information.
Financial Services Industry Overview
In today’s financial services marketplace, a financial institution exists to provide a wide variety of deposit, lending, and investment products to individuals, businesses, and/or governments. The major categories of financial institutions include central banks, retail and commercial banks, investment banks, investment companies, brokerage firms, internet banks, credit unions, and savings and loans associations. To build and implement a compliant RIM program, it is important to understand the difference between the types of financial institutions to determine their specific recordkeeping obligations.
Federal and state governments have many agencies that regulate and oversee financial institutions. While these agencies each have specific responsibilities, they work to accomplish similar goals – to regulate and protect those who participate in the financial industry. While their areas of coverage often overlap, federal agencies usually supersede state agencies. However, this does not mean that state agencies have less power, as their responsibilities and authorities are far-reaching.
Drivers for RIM in Financial Services
Intense regulatory pressure is the main driver for RIM in financial services. Many of the financial services regulations have requirements for sound recordkeeping as a way to demonstrate transparent and accountable business practices. By far, the most stringent recordkeeping regulations in the United States are those imposed on the securities broker-dealer industry. There are many recordkeeping regulations that apply to specific types of registered members and also broadly across many registrants and types of financial institutions.
In addition to financial services regulators mandating recordkeeping obligations on their member firms, there are other regulations in the United States and globally that impact the RIM practices of U.S. financial institutions. Generally, those regulations cover data privacy and information security, and include limitations on data retention and requirements for data disposition. With privacy and cybersecurity challenges impacting RIM, it is important for organizations today to rethink how they look at data, records, and non-records, and develop a combined approach for broader information management that involves collaborative efforts of business, legal, data governance, privacy, information security, and RIM stakeholders to build a coordinated, comprehensive, and agile information governance program.
There are several other drivers that can help make the business case for RIM in financial services, such as business needs, industry standards and best practices, business continuity, corporate legacy, litigation risk, information overload and inefficiencies, lacking or ineffective RIM practices, and information security breaches.
Risk Management and RIM
Most financial institutions have become very effective at managing risk in traditional financial risk areas such as markets, liquidity, and credit. However, the emerging key risk areas for financial institutions are non-financial in nature, broadly defined as events or actions, other than financial transactions, that can negatively impact the operations or assets of a firm. Both financial and non-financial risks can result in financial ramifications to the firms if not managed properly.
It is no surprise that cybersecurity is not only the number one operational risk in the non-financial risk category, but is also the one expected to increase the most in importance over the next several years as the number of cyberattacks, their size, associated costs, and consumer impact rise. Financial organizations are among the most targeted by hackers. Most firms have terabytes of sensitive information that do not need to be retained for legal, regulatory, or business purposes and can be deleted, but doing so is one of the greatest challenges most firms face. By implementing ongoing defensible disposition processes, RIM professionals can minimize the amount of sensitive information being exposed in data breaches and thereby reduce the financial and reputational damages to their firms.
Constantly changing regulations are the second biggest operational risk for financial institutions today. The regulators in the United States and around the world are increasing their focus on risk management, cybersecurity, data privacy, conduct and culture, and financial crimes. RIM professionals need to stay abreast of regulatory developments by collaborating closely with the business, legal, and compliance stakeholders in their organizations to be able to adequately respond to the regulatory changes and incorporate them into the RIM policies, retention schedules, and procedures.
Third-party risk is the third biggest operational risk faced by the firms, resulting from the growing reliance on vast networks of external service providers for everything from online platform management to extra network capacity. Being able to police the way the vendors do business and protect the firms’ data and intellectual property is a constant area of concern. Poor management of third parties and fourth parties (vendors’ vendors) leaves firms exposed to the risk of costly data breaches. RIM professionals must be standing members of a third-party risk management process in their organizations to ensure that vendor contracts have proper provisions for data and record retention, disposition, legal holds, inspection, data transfers, etc., to enable the most control over the data.
Electronic Communications Retention and Supervision
Electronic communications (e-communications) is one of the key record categories that RIM professionals at financial organizations need to manage effectively. While 15 years ago emails were the only means of e-communications utilized at workplaces, today firms are witnessing a number of emerging communication technologies being employed in conjunction with or instead of email to conduct business as they offer more interactive and effective ways of sharing information with internal and external parties. Such new e-communication technologies include social media, blogs, instant messaging, audio and video recordings, and websites.
The first step in managing the emerging communication tools is developing policies delineating the use of those tools at the firms. The acceptable use may be limited to internal employee communications, in which case the firms may choose to not treat those as official records. However, adoption of the new e-communication tools as acceptable for conducting business with clients immediately mandates that the firms implement recordkeeping and supervisory controls for governing communications as they become regulated records. As the use of emerging e-communication tools broadens among financial institutions, so does the market for e-communication archiving solutions, some of which offer capabilities to retain all types of e-communications with a single interface to search, view, retrieve, and manage records while preserving their native format.
Industry Trends and Impact on RIM
Emerging e-communications technologies are just one example of new technologies that will continue to impact financial services. Firms are beginning to use a wide variety of other new technologies, such as cloud computing, artificial intelligence (AI), machine learning, big data, advanced analytics, and blockchain. Many firms are undergoing a digital transformation as an increasing number of transactions are moving to digital channels, and more and more institutions are introducing digital-only entities to provide lending, investing, and specialty services. The focus is on gaining operational efficiencies to provide innovative personalized customer experiences and increase information value to both the firm and the customer.
The speed and the rate of change brought about by new technologies are forcing RIM, risk, and compliance professionals, as well as regulators, to look into these new technologies and understand their impacts. RIM has to be closely aligned with other risk and compliance functions to be able to ensure continued compliance with regulations and internal RIM policies.
Future Industry Outlook and RIM
To be able to compete where margins are thin, competition is fierce, regulations are changing, and technology has an increasing impact, financial institutions will place innovation as a top priority. Organizational cultures must be shifted to support innovations which will impact not only increasingly outdated business models, but perhaps entire organizations that fail to recognize the significance of innovations in maintaining their competitive position or staying in business. Firms will also put a stronger focus on improving customer experience to be able to innovate in ways that prioritize the most effective mix of capabilities, processes, and people.
The job of RIM professionals in this rapidly changing business environment is to become a profit protection center for the business. RIM processes have to be cognizant, agile, and adaptable to the constantly changing regulations, non-regulatory drivers, risks, new technologies, trends, and innovations to support the objectives of growing the business while making sure they do it in a compliant way to avoid the alternatives of regulatory fines or shutdowns. As with any industry, the success of RIM in financial services relies on collaboration of many stakeholders across the organization to bring the common vision of sound, legally-defensible information governance to the forefront, where information is raised to the same level as other key organizational assets.
The full report is available at http://armaedfoundation.org/research-program_menu/research-reports/
Copyright 2019 ARMA International / AIEF
About the Author
- Anna Lebedeva, IGP, CIPM, PMP, is a vice president of records and information management compliance at a global financial services firm. With more than 20 years of experience in various professional information management and technology positions in the financial services industry, her RIM accomplishments include establishing an enterprise-wide RIM program from the ground up, standing up a defensible legal hold process, implementing enterprise content management, and regulatory recordkeeping compliance. Anna has extensive experience and skills in software development and project management. Anna holds a Master of Science degree in software engineering and a Bachelor of Science degree in finance.