Hey SEC, Time to De-Hype WORM


Written by Gary MacFadden


Last week I was having a lively discussion with a colleague regarding the most over-hyped technologies of the past decade. While many worthy candidates came to mind, I settled on WORM (Write Once Read Many) as my personal favorite, primarily because my initiation into the arcane world of regulatory compliance via the SEC began when a client of mine from a large brokerage firm called me up in November of 1998 to ask if I would look into the legal and technology implications of Rule 17a-4.

My client’s CIO had just left a board meeting where the topic had come up, and they needed to know not only what WORM was but who manufactured and sold it, what it would cost, how other broker-dealers were complying and what policies legal needed to implement to meet the requirements. It seems SEC Rule 17a-4 mandated that broker-dealers save or archive all of their emails in a non-rewritable, easily accessible WORM format for a minimum of 6 years.

After the requisite pushback from the finance industry – because the SEC estimated the cost of compliance at ZERO and IT was preparing for the Y2K fire drill – the rule finally went into effect in 2002, but with no modifications to the WORM requirement.

To their credit, vendors such as EMC, HP, IBM and others scrambled to find or develop solutions. EMC created the most successful entry in the space when it bought a European firm called FilePool and rebranded it as Centera, which has sold over 4,000 systems to date. A key property of WORM storage systems is that they provide “authentication” that each email or object has not been tampered with or altered in any way.

At the time, few if any people understood the cost or infrastructure ramifications that email and other forms of unstructured ESI (Electronically Stored Information) such as documents, images and web content would have on business and IT. But thanks to the explosive growth of unstructured data and additional “enabling” legislation such as the FRCP (Federal Rules of Civil Procedure) amendments of December 2006 governing the use of ESI as evidence in court cases, the genie was out of the bottle – so to speak.

Initially, mandatory archiving and WORM solutions were limited to a few financial firms with the occasional need to produce emails for regulatory purposes. The FRCP update has given rise to a multi-billion dollar ediscovery solutions and services business, while the unmitigated growth of email and its unstructured partners, predicted by many pundits to be roughly 50% per year, is straining IT resources and causing most legacy solutions to buckle under “discovery” and “find” requirements that were not considered part of the solutions roadmap when they were designed. Now you can’t just save and occasionally retrieve; you need to “manage” that data, including categorizing, compressing, deleting, indexing, migrating, adding policy and securing it, as well as declaring whether it is a business record.

Add to this the idea, promulgated by a few over-zealous vendor salespeople and their marketing support teams, that WORM can only be achieved through a hardware storage device, that the SEC ruling supports this supposition, and that WORM storage is the only way to properly meet this regulatory demand.

Industry experts I have contacted have indicated they are not aware of any court case that has EVER been lost based on a firm’s NOT having WORM installed. Creating appropriate policies for archiving and saving data, along with metadata that tracks changes to documents or emails, and demonstrating to courts the implementation of and adherence to those policies from an IT, technology support and best practices perspective has been enough so far.

Meanwhile, the founders and developers of FilePool left EMC and have started a new firm called Caringo out of Austin, Texas, that offers the same WORM capabilities through software only.
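To make concrete what a software-only write-once store with the “authentication” property described above involves, here is an added illustrative example; it is not Centera or Caringo code, and it assumes a content address (the SHA-256 of the object’s bytes) doubling as the tamper-evidence check, plus a retention period that blocks deletion.

```python
import hashlib
import time


class WriteOnceViolation(Exception):
    """Raised on any attempt to remove an object before its retention expires."""


class IntegrityError(Exception):
    """Raised when stored bytes no longer match their content address."""


class SoftwareWormStore:
    """Hypothetical content-addressed write-once store (illustration only).

    Each object is filed under the SHA-256 digest of its bytes, so the address
    is also the integrity proof: any alteration changes the digest.
    """

    def __init__(self, retention_seconds):
        self.retention_seconds = retention_seconds
        self._objects = {}  # content address -> (bytes, retain_until)

    def put(self, data, now=None):
        now = time.time() if now is None else now
        addr = hashlib.sha256(data).hexdigest()
        if addr in self._objects:
            return addr  # identical content already present; nothing is rewritten
        self._objects[addr] = (bytes(data), now + self.retention_seconds)
        return addr

    def get(self, addr):
        data, _ = self._objects[addr]
        # Recompute the digest on every read so silent alteration is detected.
        if hashlib.sha256(data).hexdigest() != addr:
            raise IntegrityError("object %s... has been altered" % addr[:12])
        return data

    def delete(self, addr, now=None):
        now = time.time() if now is None else now
        _, retain_until = self._objects[addr]
        if now < retain_until:
            raise WriteOnceViolation("retention period has not expired")
        del self._objects[addr]

    def verify_all(self):
        """Periodic audit: return addresses whose bytes no longer match."""
        return [a for a, (d, _) in self._objects.items()
                if hashlib.sha256(d).hexdigest() != a]
```

The store never overwrites in place: identical content maps to the same address, different content gets a new one, and a changed byte anywhere shows up on the next read or audit.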

The Future of Regulatory Compliance and Mandated Technologies

As the financial industry awaits what most citizens and legislators anticipate will be a major overhaul of the regulatory landscape, I believe there are a few lessons to be learned.

1 – Regulations, if they are useful, outlive the technologies they embrace to meet their requirements.

2 – Technologies will evolve more quickly to meet business needs than the regulations that mandated their use in the first place.

3 – Regulatory bodies such as the SEC should stay out of the technology business and focus on regulatory requirements.

Hopefully, there is no future for federally mandated technology implementations to meet regulatory requirements. Hey SEC, or whatever governing body will exist in the near future, stay out of the technology business and focus on driving legislation that supports the electorate rather than driving business costs up.

Warmest Regards,

Gary MacFadden
