Is it time to reevaluate your recordkeeping policies and controls?

Recordkeeping is a vital part of any data governance strategy. It’s also a legal requirement for many industries and use cases. Understanding your record retention obligations will help you meet and surpass increasingly stringent regulatory demands, reducing the risk of severe legal, financial, and reputational consequences.

Before mass digitization, when records existed only in the form of printed documents or recorded phone calls, recordkeeping used to be simpler. Today, in the era of globalization and hybrid work, record retention is a much more sophisticated matter. Employees and customers alike have grown used to popular messaging apps, such as WhatsApp, for their communications, despite security and compliance challenges. What this means is that information subject to stringent recordkeeping laws often ends up being unmonitored and unaccounted for, staying in employee-owned devices and application user accounts.

The question of whether or not a business still has certain information in its possession often comes up during legal investigations. Depending on the nature of the information, you might be obligated to keep it for a minimum amount of time, such as seven years in the case of financial records in many jurisdictions.

On the other hand, privacy laws like GDPR or CCPA grant subjects the right to request access to or deletion of their personal information. This introduces some apparent contradictions with record retention rules like the EU’s MiFID II which is intended to protect investors by assuring greater transparency with regard to communications and other records. A recordkeeping policy must strive to balance these various requirements in order to meet them both to a reasonable standard.

The concern among regulators is understandable. The rise of off-channel communications in today’s hybrid work environments makes it easier than ever for businesses and employees to avoid scrutiny, whether or not it’s intentional. In highly regulated sectors like government and finance, such a scenario is the perfect breeding ground for improper conduct and scams that go unnoticed.

The hurried and often chaotic transition to remote work in response to the pandemic did mean that some compromises were inevitable. However, the law is rapidly closing in on companies around the world that are still lax in their recordkeeping practices. For example, in September 2022, the US Securities and Exchange Commission (SEC) dished out $2 billion worth of fines to global financial firms for their failure to meet recordkeeping obligations – specifically with regard to their use of WhatsApp for client engagements.

Recordkeeping regulations vary widely by industry, use case, and jurisdiction, but they tend to center around the same concepts of data confidentiality, integrity, and availability. In order to ensure the latter, organizations need to have visibility and control over their data. This will only be possible if they have the means to record and monitor every interaction and transaction between their employees and customers, no matter what communication channel is used.

In the regulations put forth by the SEC and FINRA in the US, organizations subject to the laws must retain account-related records for a period of six years after a customer closes their account. Similar laws exist in most countries. For example, the UK’s FCA also sets a minimum retention period of six years, while the EU’s MiFID II sets a five-year minimum.

By now, most companies have migrated from physical to digital records, but digitization is merely the first step. The digital domain offers a vast and growing range of devices, applications, and storage formats that can be used in today’s business environment. It’s when you have to factor in client communications across email and instant messaging apps that you start to see the scale of the challenge. 

To keep up with the evolving regulatory landscape, it’s important to review and reevaluate your recordkeeping policies and controls regularly. It is best practice to do this every year or two, whenever any new regulations are announced, or whenever you make any significant changes to the operational structure of your organization. When the time comes to reevaluate your policies and the regulatory obligations they have to align with, there are some important questions to address:

• Who will be responsible for overseeing the evaluation of your recordkeeping policies?
• What sort of information does your organization generate, process, and store?
• Where are your records, including any backups and archives, stored? 
• How long do you have to keep your records, and when should you destroy them?
• How will you implement your updated recordkeeping policy?

An effective records-management program should make it easy to retain all business-critical data, as well as any other information you’re obligated to keep for compliance purposes. The best approach is to use standardized and interoperable formats that can all be connected to the same electronic discovery system and searched as a single, centralized database.

To get to this stage, you need to address the challenge of archiving everything from financial records to communications with your clients. You can’t protect the information you don’t know about, so it’s vital to have a way to capture all content from all apps and platforms you use to conduct business. For example, you might use Slack or Microsoft Teams for internal collaboration and WhatsApp for engaging your clients. Each system has different ways of recording data, but many consumer-grade apps, including WhatsApp, don’t have the archiving capability. These modern apps are now mission-critical for business communication, so it’s essential for you to ensure that they’re being used in a safe and compliant manner.

Once you’ve overcome that hurdle, you can enjoy the efficiency that these tools bring into your daily operations while still ensuring complete alignment with industry regulations and full accountability across your entire team – no matter where they’re located or which devices they’re using.