A recent panel discussion hosted by Bloomberg’s Hong Kong office on 13 March 2012 has provoked some ideas about records management and compliance. The panel discussion defined its scope quite effectively to focus on compliance challenges with electronic discovery, a technique used to retrieve relevant information, usually in the context of civil litigation, in Hong Kong. Of particular concern are situations where the Securities and Futures Commission (SFC)—one of Hong Kong’s financial industry regulators—exercises its investigative powers to request information.
While the panel brought up some interesting challenges faced in selecting a software system, there seemed to be an underlying idea that Bloomberg’s Vault service, and others like it, are a panacea for tracking records, specifically email and social media records. However, robust policies should be in place beforehand, and retention schedules should be strictly adhered to. Software should support these policies by making information retrieval more efficient, but it is not a substitute for them. Ultimately, the discussion has led to these further reflections on how records management could be better integrated into a company’s compliance function in Hong Kong.
The role of records management in compliance
What really sparked this reflection was a specific question by an audience member: “Do I really destroy documents after their retention period has expired?”
The response from the panel indicated an unwillingness to say, “Yes, absolutely.”
The panel said that it depends on the situation, but it is also important to be consistent. As an illustration of this somewhat contradictory principle, one of the panelists said that a document with a retention requirement for seven years was still around after eleven years when it was requested for review by an external party. The company, he said, was lucky that it still had the document that was requested.
But if the retention requirements are not systematic, and are applied on an ad hoc basis, then the time spent developing records retention schedules is wasted. In the above case, the continued existence of a record four years past its retention requirement is a strong indication that the company that owns the record is not following its procedures. If it is not following its own procedures in one area, how can one be certain that it is following its procedures in another area, such as recording the personal share dealing of its employees or maintaining a restricted list for trading?
The challenge of a principle-based approach
Should the record have been destroyed according to routine internal procedures, the external party’s request would have been unreasonable. If documents should not be destroyed routinely and according to internal policy, then regulators like the SFC need to clarify precisely what retention requirements are for specific documents in specific contexts.
If these sorts of requests are common, a principle-based approach is not clear enough to offer firms guidance. It would be disingenuous to propose a certain requirement, rumoured to be seven years unofficially, and then punish someone for failing to keep records four years beyond that agreed-upon time. In the absence of clear and specific requirements from legislative and regulatory bodies, a company’s compliance with its own procedures should be sufficient to anticipate the SFC’s request for a document that has been destroyed.
Existing standards for records management
The SFC is fond of encouraging the use of industry standards advocated by such bodies as the Alternative Investment Management Association (AIMA). A records management policy could do worse than to take its cues from standards promulgated by ARMA International.
Their Generally Accepted Recordkeeping Principles (GARP®) provide a good base on which to build. These principles are:
Without going into too much detail about what all of them mean, I will just highlight four of them, and discuss three, as they relate to the current discussion.
Compliance here means the specific compliance of records management practices with legislated requirements. For example, the Inland Revenue Department of Hong Kong requires businesses to keep their tax records for not less than seven years after the completion of the transactions, acts or operations to which they relate. A retention policy that requires keeping records for seven years after the tax filing for the relevant year would be a prudent policy that would define the whole series, making it easier to schedule the destruction of all of those records. These requirements should be articulated clearly by legal counsel or an experienced records manager, but in smaller firms might fall to a compliance officer.
In this sense the word “compliance” is not meant to indicate compliance with functions that are part of a financial company’s compliance program, such as maintaining liquid capital requirements. This principle describes a slightly different and narrower definition of compliance than the one usually dealt with by compliance officers of SFC-licensed corporations.
The worries about electronic discovery, as discussed by the panelists of the Bloomberg event, are primarily concerned with the transparency principle. Transparency requires that records be produced easily and in a timely manner in certain situations, such as when a regulator exercises its investigative powers.
The retention principle is the idea that each record series has a retention period attached to it. Depending on the nature of the series, the nature of the company’s business, and the legislative requirements for keeping records, these retention periods can vary significantly from one series to the next. Some records may be required to be disposed of immediately after they are no longer needed; some may be required to be kept for a number of months, others for a number of years; still others may have an indefinite retention period that only lapses when they are made obsolete.
However, these series can be identified, classified and assigned an appropriate retention period based on schedules that define the company’s requirements for each type of record. The schedules need not be written in stone, but should be comprehensive and consistently applied.
The disposition principle is often the most difficult for people to practice. It requires that all records that have reached the end of their retention period be assigned a final disposition. A final disposition could be destruction, permanent archiving, or conveyance to another organization.
Each form of disposition carries further burdens. Destruction should be irreversible (i.e. more so than a shredder). Items slated for permanent archives should be appraised as to their archival value, and catalogued for any content that might be pertinent to an event like a regulatory investigation. Information transferred to other organizations should follow a similar appraisal. All copies of the same record, electronic and print, should be disposed of at the same time.
Disposition, retention and transparency taken together
During an exercise in electronic discovery, transparency is key. However, part of transparency is showing clear retention schedules for documents that have previously been destroyed.
One of the reasons for being able to show records to the SFC in a timely manner is to demonstrate that you have strong systems in place. However, a robust records management system also requires that one follows schedules and routinely disposes of items. Surely, a transparent records management system with routine destruction of records would raise fewer questions about the competency of the organization than a system where one relies on lucky breaks to produce requested records. While it is important to be able to comply with a regulator’s investigation, it is equally important to demonstrate that one is following one’s own procedures.
If no one is thinking about why information is being retained, or why it has a time attached to it, then the benefit of having software to help with those problems is lost.
My impression is that the members of the Bloomberg discussion panel have not moved beyond the mental barrier that exists in most people: the idea that information is somewhat sacred and should not be destroyed if you can help it. However, for various reasons, it has to be destroyed regularly.
There is a tendency to think, “But what if I need it later?” But that thought is more common than the idea of taking charge and destroying documents that have ceased to be useful. Thus, most companies tend to endlessly collect information thinking that they might need it sometime in the future. If people did this with objects, we would call them hoarders. As long as there are no legal obligations to keep a record that is no longer of any use, or of no other archival value, it should be destroyed. Search features will continue to improve, making it easier to find information in a sea of data; but the utility of a hard drive or a shelf full of useless information will not.
ARMA International. (n.d.). Generally Accepted Recordkeeping Principles, GARP®. Retrieved April 10, 2012, from http://www.arma.org/garp/
About ARMA International and the Generally Accepted Recordkeeping Principles®
ARMA International (www.arma.org) is a not-for-profit professional association and the authority on managing records and information. Formed in 1955, ARMA International is the oldest and largest association for the information management profession with a current international membership of more than 10,000. It provides education, publications, and information on the efficient maintenance, retrieval, and preservation of vital information created in public and private organizations in all sectors of the economy. It also publishes Information Management magazine, and the Generally Accepted Recordkeeping Principles® (GARP®). More information about GARP® can be found at www.arma.org/garp.