Information Governance as part of the Due Diligence Process
BY ALLISON WALTON ON JULY 24TH, 2013
The recent $7.5 million fine imposed by the Financial Industry Regulatory Authority (FINRA) on investment firm LPL, LLC (LPL) is evidence of three main points that all organizations, regulated or not, need to address as a matter of best practice.
Those three considerations have chronological and operational implications. In chronological order they are: information governance as a necessary part of the due diligence process (for every merger or acquisition), content v. technical control (iterative analysis as new data sources and systems are integrated), and finally the need for a compliance department (that not only develops policy around compliance, but can subsequently measure it).
Organizations must realize that there are multiple areas of vulnerability for improper information governance. In the case of LPL we initially see this in the form of the largest fine in FINRA history for an email case. In addition to the fine, LPL was also required to set aside a $1.5 million fund to compensate brokerage customers potentially affected by its failure to produce email. What is unclear is whether LPL will also be subject to sanctions for spoliation and/or failure to issue proper litigation holds in future lawsuits, given its lack of information governance compliance.
Information Governance and the Due Diligence Process
The LPL case is a prime example of disparate business structures and IT systems. Because the email of many LPL independent contractors was not archived on the internal systems when they joined the organization, even though they were conducting business via email, many email accounts and transactions went unmonitored.
This is a classic case of putting the cart before the horse. The independent contractors generating revenue were allowed to conduct business as independent operators on behalf of LPL. While from an employment law standpoint they may not have been employees, if they were operating in a regulated business, the onus is on the organization to ensure compliance.
Organizations must plan for information integration at the outset of a merger or acquisition in order to avoid inconsistencies that are expensive and damage an organization’s brand. All leaders should be looking at how deals are booked, and how their representatives are corresponding, in addition to focusing on revenue. In today’s environment, all these information pieces are linked and it is up to the stakeholders of the organizations to treat information just like any other asset or liability that needs to be managed.
Content v. Technical Control
Another common area of failure in the realm of information governance is the disconnect between the content of the policy and whether or not IT systems can execute the policy. For example, Symantec has a product called Compliance Control Suite (CCS); this product can take regulations from any regulatory body and set compliance policies from an IT perspective. While this type of testing is crucial to achieve compliance, it does not replace the work an organization must do to develop records information management and classification policies for both document retention and data loss prevention. Organizations are unique and so is their information, which is why this aspect of compliance takes planning and humans to implement.
What many organizations miss is the coordination of content control with technical control. One cannot exist without the other in order to achieve maximum compliance. This means organizations must work on their content classification and workflows in addition to implementing the IT compliance aspect. Both the content and IT controls need to match up to the most recent form of regulation or legislation. This iterative multi-step process is not impossible to achieve, but one must also remember it is not a game of perfection. It is an ongoing obligation.
The compliance department is now quite large at LPL, LLC. They state they have added 137 compliance professionals to the department in the past two years. These individuals not only have the task of ensuring that the correct policies have been constructed, but they must subsequently measure a) whether compliance requirements have been understood by the employees and b) (in conjunction with IT) whether the technological capabilities within the firm can truly implement what the policies mandate.
One of the key issues for any organization to grapple with is that standards bodies issue regulations without any mention of specific technology or a vendor. This is understandable, as technologies change so quickly and promoting one vendor’s capabilities over another is not the role these standards bodies should play. There is, however, a gap created between the regulations and what physically needs to happen in an organization’s policy and IT capability to effectuate compliance. This results in an ongoing requirement for compliance departments to continually stay abreast of what technologies are available and how they interplay with current IT environments, to provide training to employees with meaningful testing, and to work with regulators and internal information stakeholders alike for holistic information governance.
LPL’s alarming fine from FINRA is a reminder that information governance is a serious requirement for all organizations. LPL is not alone in addressing this challenge; this is an issue we all face. Information is the backbone of an organization’s activities and, without a properly deployed archive, fines and sanctions for spoliation will likely follow. Analyzing the way information is classified, collected and monitored in an environment is important to day-to-day operations, in the event of investigations, and also to comply with the law. Organizations should also want their IT policies and systems to be compliant so that they are able to sufficiently monitor and investigate for their own internal purposes.