
17a-4 Best Practices: The Regulatory Compliance Risk of Fileshares

August 27, 2014

In most institutions, there is more content in fileshares than there is email.  Though most of us find this statement hard to believe, survey after survey confirms it and finds that even regulated departments like compliance and legal use fileshares as their main repository for content.

Millbrook, NY – Financial institutions, largely due to regulatory pressure and fines, have, by and large, resolved their email compliance issues.  Over the past decade, approximately 10 email archival vendors have emerged that provide very effective products and services for ingesting, indexing, searching, holding and disposing of email content.  However, the next phase of unstructured content management, fileshares, is just beginning and represents unique challenges for regulated users and archive vendors.  Leading research reports reveal as much as 40% of corporate data resides in fileshares.

First, whether producing electronic records as part of an e-Discovery production or retaining records in accordance with SEC Rule 17a-4 or 204-2, there is no real distinction between an email record and a fileshare record.  Both need to be retained, incorporated into legal holds and produced if required.  Many financial firms believe that Rule 17a-4 only applies to email records.  In fact, it applies to all electronic records retained exclusively in an electronic format.

Second, recent regulatory examinations have shown that regulators are now asking about non-email regulated records.  These may include employee trading, advertising, performance data and representations, outside business activities, research reports, etc.

But what are the challenges of fileshare content?  Though metadata is attached to the information, it is often very difficult to find the true owner.  Whereas an email record shows the owners, records on a fileshare may be owned by several users, a department or no one at all.  Also, how does one know if a piece of content is a regulatory record?  Certainly going through terabytes of content trying to make this determination is a job that no one wants.  Can you simply implement a policy that says, ‘If it hasn’t been accessed in 5 years, delete it?’

The first question an institution should answer is:  How will we manage unstructured user content in the future?  The best practice is to phase out fileshares and substitute Microsoft’s SharePoint, OpenText or another content management system.  Once these systems have been implemented and regulatory content transferred, the fileshare documents can be disposed of over time.

If the institution is going to continue to use fileshares for document retention, then the best practice is to incorporate them into an institutional email archive, which will allow such features as retention in accordance with Rule 17a-4 and other regulatory requirements, centralized searching and e-Discovery production, stubbing of fileshare content and disposition in accordance with policy.  Many of the archival vendors now provide for fileshare management and can greatly assist in this phase of unstructured records management.

For more information on bringing fileshares into compliance, please call (212) 949-1724 or request more information here.