The July extradition of three British bankers to the US shows that the repercussions of the Enron scandal – in which company executives were able to conceal billions of dollars of debt from shareholders – are still being felt.
The most lasting impact of Enron, and of other corporate failures such as Italy’s Parmalat, has been felt via the US’s Sarbanes-Oxley Act, which requires companies listed on US stock exchanges to establish and maintain an adequate internal control structure and procedures for financial reporting, and to obtain annual reports from their auditors about the effectiveness of those procedures.
Businesses in the EU, too, are facing numerous new regulatory requirements. The financial sector has been affected in particular by regulations such as Basel II, the first phase of which comes into force at the end of this year, and the Markets in Financial Instruments Directive (MiFID), a wide-ranging directive that comes into force in 2007 and imposes requirements governing the organisation and conduct of business of investment firms.
Trying to keep track of the compliance burden, particularly across national borders, is difficult. Most regulations, however, require essentially the same thing: transparency of information. That transparency has to be effected through IT systems – as Paul Beach, head of compliance at outsourcing specialists Atos Origin, says: “Data management is core to all of the regulatory changes.” In practical terms, this means that organisations must store all data relating to relevant transactions in a way that leaves a clear audit trail and makes it easily accessible to regulators. The financial burden of this to business is becoming clear: a report last year entitled Gartner’s Top Predictions for 2006 and Beyond showed that spending on regulatory compliance is growing at twice the rate of IT spending.
Organisations need to implement systems that enable them to keep track of their data, which can be difficult when data is held in discrete silos. Unstructured data (such as documents and e-mails) presents an even tougher challenge. Software services vendor CA suffered a corporate governance scandal when its CEO and head of sales admitted to a huge accounting fraud that took place between 1998 and 2000. Two of the requirements of its deferred prosecution agreement, says Patrick Gnazzo, CA’s chief compliance officer, were that it should put into place a good records management system, so that regulators would in future be able to find the information they needed, and implement a process where e-mails were tied to the server, so that if an employee’s laptop was stolen or destroyed, their e-mails were still available on the server.
While some regulations require that relevant material such as e-mail be archived for a certain period of time, they can come into conflict with other regulations, such as European data protection laws, that require documents containing personal information to be deleted after a period of time. But, as Mr Beach explains, conflicts don’t just happen because of data protection laws. “The classification of client data varies between MiFID and Basel,” he says. “Both have established a new standard for what data you hold around your clients but they themselves are inconsistent in the way they classify those clients.”
How can organisations manage such contradictions? Mr Beach argues that the key is putting into place a structure that can cope with different demands. “A well-architected data management environment will have the flexibility to compensate for the frustrations and the inefficiencies.”
Graham Titterington, principal analyst at consultants Ovum, agrees. “If you design your systems with basic core controls in place, a mixture of reporting tools, access control and data lifecycle management technology, it should be relatively easy coming up with compliance packages for a specific law. It’s often just a matter of configuring appropriate reports.”
Increasingly, technology makes this possible. The availability of open architecture standards means that organisations with data silos in different places can bring them together more easily, while enterprise resource planning (ERP) systems such as SAP are the most straightforward way of maintaining structured data and producing reports. Information lifecycle management systems can define categories of data, and business policies governing how and where each category is to be stored. Encryption software, Mr Titterington says, enables organisations to “lock” certain documents and give the keys only to particular people, enabling regulators to establish with confidence who has seen or edited particular documents.
Nonetheless, the development of policies governing the management of documents and e-mails is a challenge, and not just because of the conflicting requirements of different regulations. Mr Gnazzo believes that, increasingly, regulators will demand that e-mails from certain officials or functions within the organisation be saved for a certain period of time. Businesses, he argues, are “on the horns of a dilemma”: they may be required by regulation to keep primary documents for a certain period of time, but they will also, from a business point of view, want to delete certain documents and e-mails after a particular period. The trouble arises because people will often say things in e-mail that are informal or indiscreet, and that may prove damaging to the company if seen by outsiders.
The growing use of instant messaging (IM) systems in business compounds the problem. Mr Gnazzo believes that the days of using IM to avoid putting potentially incriminating information in e-mail are over: “IM systems can be logged, and if there’s an ability to log, courts are going to say, ‘Why didn’t you log them?’ You may find this phenomenon of sending messages without having to worry about them being preserved is going to evaporate.”
The solution for most corporates is tighter control, and a clear set of procedures and guidelines in place for creating, using and managing data. “The technology is only one part of the solution,” says Richard Archdeacon, director of innovation at Symantec. “You should be looking at a rounded solution that looks at roles, responsibilities, process and control.” He recommends that businesses use ISO 17799, the standard for an Information Security Management System, as a starting point.
Even if regulatory requirements are expensive to implement and sometimes frustratingly complex, says Mr Titterington, they will in the long run bring benefits to the organisation: “Maybe the law is forcing you to go a bit further than you would like to go, but a lot of these checks and controls are consistent with running an efficient and tightly controlled ship.”