Competent management of business information is a challenge for organizations across industries, but banking and financial services organizations face heightened information governance challenges that require dedicated efforts to ensure compliance with existing laws and regulations.
The Gramm-Leach-Bliley Act (GLBA) “sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” In the same manner, the Code of Federal Regulations (CFR), Part 314 – Standards for Safeguarding Customer Information, sharpens the information governance requirements of GLBA by stipulating that firms must:
Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. (§ 314.4.c.6)
In addition, firms subject to NY State laws and regulations—that is, most Fortune 1000 banking and financial services firms—must also comply with NYCRR 500 Cybersecurity Requirements for Financial Services Companies, which stipulates that:
As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section 500.01(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. (500.13)
Most firms will struggle to comply with these information governance requirements, but they don’t have to: the solution to meeting these regulations is conceptually straightforward—although effective execution will require a tremendous amount of elbow grease.
In this post, we’ll lay out the high-level steps required to comply with these regulations, digging into the specifics of each step in subsequent posts. So let’s dive in.
The absolute minimum requirement for being able to dispose of corporate data that’s past its legal lifespan is a functioning records and information management (RIM) program. After all, the core customer and other non-public data implicated in GLBA, the CFR, and NYDFS Part 500 are almost entirely business records. If your organization’s RIM program is sub-par, its ability to comply with these regulations will be severely compromised.
Building a highly capable RIM program does not require formidable resources or a multi-year timeline. Most organizations can jump-start their journey to better compliance by completing three foundational activities:
- Conduct a RIM controls review. Assess current RIM policy and the records retention schedule to determine their ability to support data disposition according to all applicable laws, regulations, and other compliance obligations.
- Cultivate awareness about RIM. Educate the wider organization, partners, clients and vendors about the new accountabilities, responsibilities and benefits associated with the new RIM controls.
- Clean up your data. Define the policy and processes needed to govern and perform defensible deletion of content, documents, and data—implement the processes and technologies, over a reasonable timeline.
Let’s dig into each of these in detail.
How to Conduct a RIM Controls Review
The most critical RIM controls are the RIM policy and RIM records retention schedule. It’s important to review both and update each to ensure that they support effective disposal of records after their retention periods have expired.
No two organizations are the same, but the vast majority share the common goal of simplifying and streamlining their RIM policy so that the definitions of records and non-records can be easily understood and applied to the information being managed.
The objective for the records retention schedule is to ensure that the record types are easily understood by end-users and that end-users can match their documents or record sets to each record type. Accordingly, the retention requirements must be both understandable and implementable, so that end-users fully understand how their documents and information fit into each record type and how a retention or disposition event is triggered.
How to Cultivate RIM Awareness
Cultivating RIM awareness is essentially a change management exercise that prepares the organization for the new paradigms that emerge from the establishment of a RIM program. This step is at least as important as the process or technical implementations—adoption is king. Organizations that choose to skip this phase will struggle to succeed with their RIM programs, if not fail altogether. The good news is that it is the least costly of the three foundational activities.
Stakeholder communications matrix. A matrix of awareness-building messaging events, segmented by audience. The stakeholder communications matrix ensures that all audiences receive role-appropriate information at the optimal time, which helps set their expectations and responsibilities for the forthcoming RIM program. Messages are categorized by campaign, theme, and importance, and are mapped to the RIM program implementation timeline. Communications about RIM typically begin a year or more before any tangible RIM-related changes are implemented. Most organizations are familiar with the communications matrix approach to planning change initiatives.
Awareness-building events. Audiences are enticed to engage with the forthcoming RIM program by participating in simple and fun interactive activities including brown bag lunches, coffee breaks, competitive quizzes, information scavenger hunts, and more.
Learning management system (LMS) role-based training modules. A RIM program affects roles at all levels in an organization. Employees in the lines of business, as well as senior executive leadership, must be made RIM-aware; each has a responsibility and plays a distinctive part in ensuring that the organization’s information is well-managed according to RIM policy. Executives must be made aware of the potential penalties and damage that RIM non-compliance can cause. They must also ensure that management in the lines of business are aware of the importance of RIM and will, in turn, ensure that the business units operate according to the RIM policy and processes. RIM training is typically developed for each role level, using brief and engaging interactive training modules that can be delivered to employees regardless of location, language, skill level, or device type.
How to Clean Data
Simply put, the process of data cleanup includes three discrete activities that have the collective goal of finding and destroying information that is no longer of any use to the team, department, line of business, or the entire organization.
Repository risk analysis. A repository risk analysis is a non-technical approach that considers the type of information stored in a corporate repository and determines its overall risk to the organization. A repository can be any place or system where information is stored, including shared (network) drives, paper filing rooms on-premises or in a managed storage facility, Microsoft 365 products, cloud-based storage and collaboration tools, structured data systems, document management repositories, and much more. The analysis may be completed through interviews with representative business users, custodians of the information, and owners of the systems being assessed. Conversations with system owners and the use of simple, low-cost utilities can provide a reliable high-level understanding of the content in the repository, including volume, age, file types, and other metrics about the content stored within.
Unstructured data clean-up pilot and long-term clean-up activities. The unstructured data clean-up pilot is a short-term project of three to six months. It typically uses a software solution to securely scan and index the content in a repository, providing an index that can be queried for high-risk information, such as customer or employee personal information, social security numbers, and other personally identifiable information. By combining that index with its RIM policy and records retention schedule, an organization can devise a disposition profile that enables a business unit or department to defensibly dispose of electronic files in its network shared drives and other systems.
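The profiling-and-disposition step described above, as an added example that is not part of the original post or of any vendor tool: given constructed index entries for a shared drive, it tallies volume by file type, flags records whose extracted text matches the SSN shape, and applies a hypothetical retention schedule (the record types and year counts are assumptions; a real one comes from the firm’s records retention schedule), returning "hold" for anything under legal hold and "review" for unclassified content rather than guessing.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule: years to retain after last use.
# Assumption for illustration; the firm's own schedule is authoritative.
RETENTION_YEARS = {"customer_account": 7, "hr_personnel": 6, "working_draft": 2}

# Conservative shape check for U.S. SSNs in extracted text (flags candidates
# for review; it is not proof that a file contains an SSN).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")


@dataclass
class IndexedFile:
    path: str
    record_type: str       # as classified against the retention schedule
    last_used: date        # last access/modification recorded by the indexer
    size_bytes: int
    legal_hold: bool = False
    text: str = ""         # extracted content, used only for PII matching


def disposition(f: IndexedFile, today: date) -> str:
    """Map one indexed file to hold / retain / dispose / review."""
    if f.legal_hold:
        return "hold"                       # retention required by law/litigation
    if f.record_type not in RETENTION_YEARS:
        return "review"                     # unclassified: never auto-dispose
    age_years = (today - f.last_used).days / 365.25
    return "dispose" if age_years >= RETENTION_YEARS[f.record_type] else "retain"


def repository_profile(files, today: date) -> dict:
    """Volume by extension, files with SSN-shaped text, and disposition candidates."""
    bytes_by_ext, pii_hits, dispose = Counter(), [], []
    for f in files:
        ext = f.path.rsplit(".", 1)[-1].lower() if "." in f.path else ""
        bytes_by_ext[ext] += f.size_bytes
        if SSN_RE.search(f.text):
            pii_hits.append(f.path)
        if disposition(f, today) == "dispose":
            dispose.append(f.path)
    return {"bytes_by_ext": dict(bytes_by_ext), "pii_hits": pii_hits, "dispose": dispose}


# Constructed sample index entries (not real paths or data).
SAMPLE = [
    IndexedFile("S:/ops/acct_2012.xlsx", "customer_account", date(2013, 3, 1), 40_000, text="ref 123-45-6789"),
    IndexedFile("S:/ops/acct_2020.xlsx", "customer_account", date(2021, 1, 15), 55_000),
    IndexedFile("S:/hr/review.docx", "hr_personnel", date(2014, 6, 30), 12_000, legal_hold=True),
    IndexedFile("S:/mkt/draft.pptx", "working_draft", date(2019, 9, 9), 8_000_000),
    IndexedFile("S:/misc/old.bin", "unclassified", date(2010, 1, 1), 1_000),
]
```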
Defensible disposition addresses the primary problem of over-retention—thereby reducing risk—while simultaneously enabling the remaining information to be found more easily. The clean-up process can also reduce the amount of personal/customer information found in an organization’s repositories.
Before embarking upon a data clean-up pilot, consider the high cost and long learning curve of the technical solutions most popular today. For the first clean-up pilot, choose a department or group that has high volumes of simple information—and preferably high visibility within the organization. This will enable the tools to work at their best, quickly revealing compelling findings that can be used as evidence of a successful proof of concept—and greasing the skids for future data cleanup efforts across the larger organization.
Although proper data management for banking and financial services organizations is difficult in practice, the theory behind it is straightforward: align your policies and retention schedule, take the time to do effective change management, and take steps to clean up legacy data. These three activities will set the stage not only for the management of data in accordance with key regulations but also for good data hygiene in general.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.