Over the last few years, senior executives, legal teams and IT departments have been heavily tasked with protecting their companies from a multitude of evolving legal and compliance liabilities.
The Dodd-Frank Wall Street Reform and Consumer Protection Act, RESPA, TILA Regulation Z and more have changed the entire landscape of the mortgage industry and the way communications are handled. E-mails are full of disclosures, ambiguous regulations make it difficult to decide which ‘marketing communications’ must be archived, and originators have lists of terms that should never be used.
But a growing number of banks are finding the greatest legal risk to the security and stability of any financial institution is not the communications going out today, but the ones that have been stored for the past five, 10 or more years. Those stockpiles of legacy backup tapes, servers, e-mails, PSTs and other file types are Big Data at its worst.
This ‘red flag’ content includes highly sensitive PST e-mail archives created by the former CEO’s admin, unencrypted personally identifiable information (PII) sent from a client to an originator, aged e-mails from former employees, copies of business data such as contracts, network file shares and even decade-old backup tapes. As policies, laws and employees have changed, aged e-mails and files containing sensitive information and valuable intellectual property have not been located and managed according to policy; they get buried, waiting to be uncovered at the most inopportune time.
To mitigate these risks, avoid security breaches and manage legal hold requirements, more banks are proactively managing Big Data at an enterprise level through an information governance policy. An information governance policy dictates the use, disposition and management of corporate data in order to protect the firm’s assets and manage long-term risk.
Information governance for financial institutions
Most financial institutions save too much data. Some of it consists of important business documents required for day-to-day operations, or mortgage documentation that must be retained by law, but much of what has been saved has no business value and some of it becomes a liability over time. Saving everything is not a sound corporate policy. However, unless legal teams work hand in hand with IT and have corporate oversight, all of the company’s data will continue to be saved.
The “save everything” policy exposes a company to breaches and litigation. Recent lawsuits over breached unencrypted customer PII and over ambiguous e-mails interpreted as misconduct have muddied the waters for the mortgage industry. Proper queries and data policies could have prevented both cases.
Information governance allows banks to control Big Data by determining the location and disposition of sensitive data, which protects both the consumer and the company. Once policy is defined, it can be overseen, audited and enforced. For example, an e-mail from a former employee to another employee that has not been accessed in seven years can be purged from the system as having no business or legal value, which prevents it from being taken out of context at a later date. Information governance also allows the proper records to be placed on legal hold, and it allows searches for the unencrypted sensitive information that clogs originator inboxes. If a consumer sends an originator an e-mail containing bank account or social security numbers, that message is not gone just because the originator presses delete: a copy remains in the backup data.
The legal and regulatory climate
Over the past decade eDiscovery events have taught many industries a painful lesson, and the mortgage industry is no exception. Organizations have spent significant time and resources identifying sensitive user data and collecting it to support active litigation. It is not unusual for a single litigation event to cost hundreds of thousands or even millions of dollars.
Over the past 10 years, the success of the “inaccessibility” or “undue burden” argument against the collection and production of sensitive user data has eroded. Ten years ago it was fairly easy to claim that specific content could not easily be found within the complex corporate infrastructure; today that argument rarely succeeds. It is a high-risk proposition to enter a court without the requested data and take a chance that you won’t be admonished or even issued fines and sanctions.
Beyond eDiscovery, compliance and regulatory requirements have been increasing, resulting in renewed emphasis on records and information management strategies. These regulations, and those still to be written, require significant updates to corporate policies, including policies that apply retroactively to communications already stored, and new obligations for data managers such as encrypting sensitive records or archiving specific classes of correspondence. The Consumer Financial Protection Bureau (CFPB) monitors compliance and has the authority to impose harsh penalties.
The final straw in the legal challenge is the issue of data breaches. Sensitive information is commonly moved around corporate networks through e-mail, external drives and other media such as backup tapes. Without the ability to know which data is sensitive and where it is located, it cannot be properly managed and secured, and without appropriate management this content will work its way outside of your secure environment.
As a result of these legal and regulatory issues alone, financial institutions are taking a fresh look at their policies and implementing sound information governance strategies.
Policies and data profiling
Corporate data policies are complex. They are complex because for years compliance officers, legal and IT have been trying to keep up with regulations without any real knowledge of what data exists. The policies, in theory, address industry regulations, corporate compliance issues and legal hold requirements, but the frustration is that they are hard to enforce, apply and audit.
Applying policy to data is simplified once the data is profiled and knowledge of what exists is gained. Data profiling is the process of examining data from all sources and collecting metadata-level information on the content to create a searchable and reportable repository of information about the user files and email such as owner, age, types of files, location, last accessed or modified, duplicates and more.
Profiling user data provides the knowledge required in order to understand what data exists where, and to allow those who manage policy to take action on it.
Information governance strategies include such initiatives as eDiscovery, and they also provide a platform for defensible deletion and compliance. Most financial institutions let data accumulate on the network and within archives because classifying what has value and purging what is no longer required has not been possible at the scale of the data environment. As a result, data accumulates and is not managed according to policy.
Today’s information governance strategies include determining the disposition of the content, what records have value, what has no value and taking action on it. Common dispositions include moving essential content to an archive, preserving data for legal hold, removing duplicate content, encrypting sensitive data and purging what has no business value.
Disposition of data is the foundation of information governance strategies, preventing data from remaining on networks unmonitored and unmanaged. Using policy as the foundation, disposition can be executed and data can be leveraged and managed more effectively.
Red flag methodology
Loan originators, underwriters and processors all handle sensitive information, and each group stores it in its own characteristic places, which makes it easy to predict where the most sensitive information lives.
►User shares: Financial institutions typically set up network shares where users can store files and other content. These shares have grown to the point where managing the content has been impossible. Using queries, the content can be analyzed and an action plan defined. For example, find all data owned by ex-employees that has not been accessed in more than five years. This data may easily be moved off the environment, or even purged if it has no business value.
►Departmental servers: Departments that work frequently with PII have the highest risk of security breaches associated with their servers. An enforced information governance policy would make sure all data is properly encrypted and secured.
►Legacy backup tapes: Backup tapes contain copies of all user files and e-mail as they existed over time. In the past this content has been considered burdensome to access; however, new technology makes the data on these legacy archives reasonably accessible, and thus a corporate liability if it is not managed according to policy. Organizations are now cleaning up this content, preserving what has value and cleaning up the rest.
►E-mail server: Typical corporate e-mail servers are overloaded: users have saved large volumes of historical e-mail, addresses no longer in use continue to accumulate content, and redundant mailboxes contain duplicate e-mail communications. Profiling this server and analyzing the content allows immediate decisions that manage the unknown risk and liability hidden within.
►M&A consolidation: As financial institutions acquire or merge with others, or simply consolidate data centers, they must move large volumes of unknown user content. Analyzing and determining disposition of the ‘new’ data before the consolidation or migration occurs can avoid exposing many skeletons down the road.
►Aged data: Many banks have saved files that are decades old and have not been accessed in more than seven years. An analysis of this content will allow you to easily classify the data and determine how to manage it. Some of it may be data that has long outlived its business value and is nothing more than a liability.
An information governance policy sets standards of where to look, what to look for and how to handle it. Red flag areas are typically the focal point of these policies.
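The profiling pass described in the “Policies and data profiling” section and the red-flag queries above (ex-employee data idle for more than five years, duplicate content, unencrypted SSNs, legal holds, data idle for more than seven years) can be expressed as a small script. The following is an added example written for this page, not code from the article or from Index Engines; the share layout (`users/<owner>/...`), the owner names, the retention thresholds and the sample files are all constructed assumptions.

```python
# Added example (not from the original article): profile a user share and map
# each file to a disposition under an assumed governance policy.
# Assumptions: shares are laid out as users/<owner>/..., owner is taken from
# the path, and thresholds (5 years purge, 7 years archive) are hypothetical.
import hashlib
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

YEAR = 365.25 * 24 * 3600
# US SSN pattern with impossible area/group/serial values excluded
# (area 000, 666, 9xx; group 00; serial 0000) to reduce false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class FileProfile:
    relpath: str
    owner: str           # assumed: second path component under users/
    size: int
    last_modified: float
    last_accessed: float
    sha256: str
    has_ssn: bool


def profile_file(root: Path, path: Path) -> FileProfile:
    """Collect the metadata a profiling pass needs, reading content once."""
    # stat() BEFORE opening: reading the file can refresh its atime and
    # would destroy the very "last accessed" evidence we are recording.
    st = path.stat()
    h = hashlib.sha256()
    has_ssn = False
    with path.open("rb") as f:
        # 64 KiB chunks; a pattern split across a chunk boundary is missed,
        # which is an accepted trade-off for streaming large files.
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            if not has_ssn and SSN_RE.search(chunk.decode("utf-8", "ignore")):
                has_ssn = True
    rel = path.relative_to(root)
    owner = rel.parts[1] if len(rel.parts) > 2 and rel.parts[0] == "users" else "unknown"
    return FileProfile(rel.as_posix(), owner, st.st_size, st.st_mtime,
                       st.st_atime, h.hexdigest(), has_ssn)


def profile_tree(root: Path) -> list:
    return [profile_file(root, p) for p in sorted(root.rglob("*")) if p.is_file()]


def plan_dispositions(profiles, now, former_employees, legal_holds,
                      purge_after=5 * YEAR, archive_after=7 * YEAR) -> dict:
    """Map relpath -> action. Rule order is the policy: a legal hold overrides
    everything, sensitive content is never purged, and a current employee's
    copy of duplicated content is kept in preference to a former employee's."""
    actions, seen = {}, set()
    order = sorted(profiles, key=lambda p: (p.owner in former_employees,
                                            p.last_modified, p.relpath))
    for p in order:
        idle = now - p.last_accessed
        if p.owner in legal_holds:
            action = "legal_hold"
        elif p.has_ssn:
            action = "encrypt_or_quarantine"
        elif p.sha256 in seen:
            action = "duplicate"
        elif p.owner in former_employees and idle > purge_after:
            action = "purge_candidate"
        elif idle > archive_after:
            action = "archive_review"
        else:
            action = "retain"
        seen.add(p.sha256)
        actions[p.relpath] = action
    return actions


def build_sample_share(root: Path, now: float) -> None:
    """Constructed sample data with back-dated access/modification times."""
    files = [  # (relative path, content, age in seconds)
        ("users/jsmith/contract.docx", b"Loan purchase agreement v3", 1 * YEAR),
        ("users/jsmith/applicant.txt", b"Applicant SSN 123-45-6789 ph 555-0100", 0.1 * YEAR),
        ("users/jsmith/archive/rate_sheet_2005.txt", b"rate sheet", 8 * YEAR),
        ("users/bdoe/contract_copy.docx", b"Loan purchase agreement v3", 6 * YEAR),
        ("users/bdoe/old_notes.txt", b"pipeline notes from 2008", 6 * YEAR),
        ("users/ceo_admin/board_minutes.txt", b"Q2 board minutes", 8 * YEAR),
    ]
    for rel, content, age in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (now - age, now - age))   # (atime, mtime)


def demo() -> dict:
    """Build the sample share in a temp dir, profile it and plan dispositions."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root, now)
        return plan_dispositions(profile_tree(root), now,
                                 former_employees={"bdoe"}, legal_holds={"ceo_admin"})


if __name__ == "__main__":
    for rel, action in sorted(demo().items()):
        print(f"{action:22} {rel}")
```

Two design points matter in practice. First, the script records atime from `stat()` before it opens the file, because on most filesystems the profiling read itself would otherwise overwrite the “last accessed” timestamp the policy depends on; a production tool should do the same or run against a `noatime` mount or a snapshot. Second, the rule order is the policy: a legal hold is checked before anything else so that preservation overrides purging and deduplication, and SSN-bearing content is routed to encryption or quarantine rather than being purged, since deleting it silently would not address the copies that remain in backups.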
Big Data managed
Managing Big Data through an information governance policy allows financial institutions to understand and manage the risks inherent in their data. Without knowledge of what exists and a policy for managing content, enforcing policy is next to impossible and organizations put themselves in jeopardy of litigation.
Those banks where compliance, legal and IT are proactive in developing and supporting data policies manage their risks, control liability and harness corporate knowledge. The failure to act has already resulted in devastating financial and public perception ramifications.
Jim McGann is vice president of Index Engines, a leader in enterprise information management and archiving solutions. He may be reached by e-mail at [email protected]