Bank Retention of Electronic Mail Archives

OCC and FDIC Regulation and Guidance

Financial Institution Audit Procedures

What do regulations say about a bank retaining e-mail records? Relevant statements have been issued by both the Office of the Comptroller of the Currency (OCC) (regulator for all national banks in the U.S.) and The Federal Deposit Insurance Corporation (FDIC).

Auditor Expectations

OCC

The OCC issued an Advisor Letter on Electronic Record Retention June 21, 2004. The Advisory Letter points to the Electronic Signatures in Global and National Commerce Act (E-Sign) as special reason for financial institutions to set up electronic record keeping systems. The E-Sign Act generally confirms the legal effectiveness of electronic commerce transactions, including e-mail contracts. The implication for banks is that their electronic records, such as e-mail records, can be evidence of legally-binding contracts and other transactions.

Accordingly, the OCC Advisory Letter states:

"[B]anks should design, implement, and operate their electronic records systems so that they are adequate to serve the following purposes and functions according to the nature of the retained records:

* Potential use in litigation support,

* Internal and external audits and controls,

* Bank supervision, and

* Compliance with regulatory requirements."

Notice those are broad purposes, which suggests that the retention of e-records should be generous at a time when the quantity and importance of electronic transaction is growing. The Advisory Letter goes on specifically to emphasize the retention of electronic message and electronic mail records.

FDIC

Consistent with the OCC Advisory Letter, FDIC has issued guidance on the retention of electronic records under the E-Sign Act. See FDIC Compliance Handbook — June 2006, page X-3.1. Although the FDIC Handbook does not provide as much detail as the OCC Advisory Letter, it says banks need good records of their electronic business transactions. Naturally, those records will include e-mail records, as the OCC Advisory Letter confirms.

The FCIC Handbook page X-3.1 states: "Record Retention. The E-Sign Act requires a financial institution to maintain electronic records accurately reflecting the information contained in applicable contracts, notices or disclosures and that they remain accessible to all persons who are legally entitled to access for the period required by law in a form that is capable of being accurately reproduced for later reference."

Further, the FDIC's 1998 Electronic Banking Safety and Soundness Examination Procedures specifically discuss record retention procedures for e-mail at page 8. Page 8 says bank examiners should expect banks to have retention policies for e-mail. It reads: "Determine if retention guidelines exist and are updated for source documents supporting electronic activities, such as account applications, instructions for account transactions, and other records. Determine whether the guidelines also address electronic mail, data files, and similar records." The implication is that if a bank does not have a retention policy, and FDIC examiner will expect the bank to create one.

Policy

So precisely how long should banks keep email records? I have led in-house workshops to address this question at numerous, diverse enterprises. The outcome of these workshops has varied, depending on many factors, including corporate culture.

In my experience, the best email retention policy is one that is developed by collaboration of the various stakeholder departments in the enterprise (legal, IT, HR, operations et al.). Normally, these different stakeholders will start with different positions on what the policy should say. But, in my experience, after the stakeholders have talked through the issues, they tend to compromise their positions and coalesce into a policy that is unique to the enterprise.

By Benjamin Wright, Senior Instructor on Law of Data Security and Investigations at the SANS Institute.

Related: How to write an enterprise records policy.

Update July 2012: Cost of Storage

I just led a workshop at a group of companies that owns two national banks. The purpose of the workshop was to help the stakeholders from the various enterprises develop a group-wide policy for the retention and destruction of email and other electronic records, including audio records of telephonic interactions with customers.

I have been leading workshops like this for years, and I have noticed from these workshops that something has changed. The cost of storage has become a non-issue. The raw cost of storing 100 terabytes of data is insignificant to an enterprise larger than a mom-and-pop. That is not to say that the raw cost of storage is the only issue in setting an electronic record retention policy. There are lots of issues, and no regulator is going to tell a bank how to resolve all of its issues. But the dynamics in these workshops has changed on account of how cheap storage has become.

[The above is only general information. If a bank needs legal advice, it should of course consult its lawyers.]

About

Benjamin Wright is an attorney in private practice. He teaches the Law of Data Security and Investigations for the SANS Institute. He is author of The Law of Electronic Commerce (published by Wolters Kluwer) and Business Law and Computer Security (published by SANS). He helps others navigate the law of data compliance, including privacy, e-commerce, e-discovery, cloud contracts, records management and cyber investigations.

He is spotlighted in the book The Devil Inside the Beltway for his uncommonly insightful advice to LabMD in its now famous information security law dispute.

Public Statements Are Not Legal Advice

None of Mr. Wright's public statements, such as remarks on blogs, twitter, youtube web pages, social media and the like, are guaranteed for accuracy or are legal advice for any particular situation. You use the ideas in those statements at your own risk. If you need legal advice, you should consult a lawyer.

Mr. Wright's blogs, updates, tweets, web comments, youtube videos, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer.

Mr. Wright does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Wright has done anything illegal or unethical, he asks that person promptly to telephone him at 1.214.403.6642. Promptness helps mitigate damage.

Any person accessing any of Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Wright's interests.

No Advertisement

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Communication with Mr. Wright via private message does not, in itself, create an attorney-client relationship.

Privacy/Security Vision

Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

IMPORTANT Confidentiality Notice

Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication.

Relationships

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has earned money from some organizations he mentions online, such as Messaging Architects/Netmail, SANS Institute and LabMD.

Attribution

Some images, sounds and font output associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain. Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.

Dallas, Texas. Tel: +1.214.403.6642

InfoSec & Forensics Law