The financial industry is facing a wave of new regulations. Implementation of SEC, Sarbanes-Oxley (SO) and Basel II regulations have started in the global financial market for some time. With the UAE announcement that all financial institutions will have to comply with Basel II by January 2008, more countries in the region will soon follow. This will require significant investment of time and effort as well as capital, if companies are to meet data retention and disaster recovery requirements.
The regulations give both broad and narrow definitions of what companies must do to comply with data retention, but these are not issues only reserved for the largest financial institutions. All sizes of company working across many different industries will be affected by the new regulations, although many of these still underestimate the complexity involved. There is a real sense of urgency to educate the industry and ensure that processes are being put in place to ensure that companies comply with both regulations and time scales.
Companies will need to be guided by the regulations as to what is considered critical business data.
The regulations cover three main areas. Basel II will require robust systems to support the collection, storage and analysis of vast amounts of data, while the SEC sets out requirements for out of region disaster recovery and online retention of email. SO specifies requirements for financial reporting.
At board level, the CEO must ensure compliance, in the legal sense of the word, by making sure all senior managers understand which are mandatory requirements for their business and what are the relevant time scales. The CFO has the responsibility for liability, and lawyers for the litigation discovery element. As for the CIO, CTO and IT director, they have the challenge of ensuring compliance in a fashion that is both useable and traceable in IT. This involves a gap analysis to audit existing systems and find where new equipment must be brought in to plug these gaps. At the next stage, the IT department and CFO must work hand-in-hand to analyse the cost-risk ratio to prioritise business processes. The final stage is to look at the IT requirements, prioritise respective budgets and map the demand level for new processes.
It is expected that all the regulations will require companies in the financial sector to retain records for anything up to eight years, dependent on the type of record, and for data less than two years old to be easily accessible. In practice this will mean that all records - including email, scanned documents and computer output - on financial statements, bills, debt and capital must be kept for a minimum of at least three years. Regulations will require stored data to be archived in a non-rewriteable and non-erasable storage environment. Above all, it is email archiving that will place the biggest strain on most companies' systems, presenting a new challenge for data retention as they do not archive easily.
For many companies in the financial sector, storage is a sore point, due to incompatible IT systems from multiple vendors - usually amassed over many years of growth. This is not only a common problem at the enterprise end of the market, but also among many small and medium size companies.
However, the finance industry's data retention and disaster recovery regulations are so stringent that companies must appoint a champion to drive company compliance on networked storage. For many, the best option is to approach companies intimate with these regulatory requirements. In reality, companies will notice little difference in their working habits with the regulations, but the technology must be in place behind the scenes to ensure compliance. The key is to understand early what needs to be done and to start early on implementing these processes.
Tony Ward is general manager at Hitachi Data Systems, Middle East & North AfricaFor all the latest banking and finance news from the UAE and Gulf countries, follow us on Twitter and Linkedin, like us on Facebook and subscribe to our YouTube page, which is updated daily.
Subscribe to Arabian Business' newsletter to receive the latest breaking news and business stories in Dubai,the UAE and the GCC straight to your inbox.