Take These Steps Now to Minimize Risk Later
When it comes time for a FINRA audit, financial organizations can spend a significant amount of resources gathering and producing the necessary data. It can be a challenge to do this without damaging the metadata or overlooking privileged items while also ensuring you meet all regulations and compliance rules. Rather than waiting to receive a request or inquiry from FINRA before getting your data in order, invest the time now in effective data management.
Each year, the Financial Industry Regulatory Authority (FINRA) sends notices for its annual audits to approximately 1,500 to 2,500 financial institutions nationwide.
During these audits, FINRA examines an organization’s “identified risks and controls and determine[s] whether firms are in compliance with federal securities laws, rules and regulations.”
Throughout the examination process, FINRA will make requests to view documents and emails from specific timeframes. Gathering and producing the necessary data without damaging the metadata or overlooking privileged items can be a burden for many financial organizations, as it requires significant time and resources to do properly.
Getting your data in shape now will lessen the burden and risk associated with collecting data for an audit later. Here are a few tips:
Map Your Data
Company data can exist on desktops, laptops, tablets, back-up tapes and repositories, cell phones, networks, servers and other drives. And as technology advances, the amount of data we produce and store continues to grow. The first step in managing that data is knowing what data you have and where it’s located. For example, are there email archive systems, online CRM systems, text message archives or other such systems that may contain potentially relevant information? The goal is to make sure that, when you need to collect that data, you’re not first spinning your wheels, wasting time and money, trying to figure out where that data exists or who to ask.
Mapping your data isn’t always a simple task, but doing so will allow you to improve the efficiency and management of your content, and it will save you significant time, effort and money overall. With a firm understanding of your data, you’ll be able to find and collect important, relevant data during an audit more easily and with less hassle.
Establish a Data Preservation Policy
Once you gain a better knowledge of what data you have and where it is stored, you can develop a preservation policy for managing corporate data. This policy should include guidelines for what information to preserve, whether it be for compliance or a legal hold or simply because your firm has determined – via some set of qualifications – it needs to be archived and saved versus destroyed.
To start, take stock of the data resources you identified in the first step and consult the laws and compliance rules that apply to the financial industry to ensure you’re meeting all regulations. Focus on preserving only the relevant and related information, and cross-reference your data map to track data that exists within the organization.
A solid data preservation policy can mean the difference between being prepared for a smooth audit process and last-minute scrambling, desperate searching and even potentially finding out too late that the data needed simply wasn’t preserved.
Create a Defensible Deletion Policy
While preserving certain data is required for regulatory, compliance and legal reasons, storing all your data is unnecessary and expensive. So, once you’ve determined the data you need to keep, you can establish defensible deletion policies that define what data you can delete – and when.
After a designated amount of time, documents and emails that are no longer required for regulatory, compliance or ongoing business purposes can be destroyed. Deleting unnecessary files frees up your organization’s storage, lessens the amount of information you’ll need to sort through during an audit collection and reduces a variety of other data and security risks that accompany the unnecessary storage of such legacy data.
As long as you have a well-defined, proper policy in place that covers both the retention of data and when such data can be deleted – and it is executed consistently – the deletion itself will be defensible.
Establish an Information Governance Plan
An information governance (IG) plan dictates how you handle your company’s electronically stored information (ESI). It encompasses your data map, data preservation policy and defensible deletion policy as well as data security and management policies. An IG plan should also include audit and enforcement mechanisms to ensure the program can be measured, controlled and improved. By conducting your own internal audits from time to time, you can determine whether your IG plan is well-maintained and effective. It also allows you to make changes and updates to ensure you’re in compliance with all financial regulations so that when you receive a FINRA audit notification, you’re ready.
Because it forces you to organize your data on the front end, an IG plan reduces the lost productivity that results from searching for data in a disorganized system.
Effective information management requires planning – so don’t wait to receive a request or inquiry from FINRA before getting your data in order. Establish a structured process to proactively manage your data now and save your company time, money and headaches down the road.
When the time comes for your FINRA audit or exam, consider working with an outside vendor to help with collection. End-to-end e-discovery providers can help collect data in a secure and targeted manner, ensure metadata isn’t changed, search the documents for relevance and review them for privilege – all while saving your firm significant resources.