What are the SEC rules for email archiving?

Investing in the stock market is a high stakes gamble, with one swing either way making or breaking an investment firm or investor – as many have painfully learned during the past two recession-marred years. And, because of what's at stake, the U.S. Securities and Exchange Commission was created out of the Securities Exchange Act of 1934 to regulate the industry, which at the time was decimated by the Great Depression.

As the financial industry has changed, along with the means for conducting business within it, so too have compliance regulations. One of the more recent, and most significant, rule changes is the inclusion of email archiving mandates.

According to the SEC, requirements for the retention and archiving of electronic communications was made effective by Rule 17a-4, enacted on May 12, 2003. Looking back, the rule was necessary at the time, as a Cohasset Associates survey published in April 2003 revealed that 53 percent of financial organizations did not include electronic records, including email, in their records management program. And 39 percent said they did not have an email retention policy.

That was all forced to change once the law's rule change was put into effect. Still, financial companies can use a refresher on regulatory mandates every so often.

What must be archived?

According to the SEC, broker-dealers may preserve records from "electronic storage media," as many now deal in such communications anyway. Rule 17a-4 of the Exchange Act, defines the term as "any digital storage medium or system," which includes email.

In terms of material that must be stored, financial institutions are required to retain a record of each securities transaction they administer, as defined in Rules 17a-3 and 17a-4. This includes any investments they broker, such as the buying and selling of stocks.

The retention of such transactions, information of which may be found in stored emails, is an integral part of the SEC's ability to protect investors. These records can be used to audit compliance among financial institutions.

How must data be stored?

According to the law, electronic records must be archived in a non-rewritable and non-erasable manner. Records must also be easily accessible when stored. These mandates will ensure the stored document or email is the original and hasn't been altered, and they can be retrieved in a timely manner.

Of course, this is easily accomplished through the use of an email archiving solution, which the SEC endorses for companies to the meet regulatory compliance.

"One method using such a system stores a specified expiry or retention period with each record or file system. The system blocks record deletion or alteration by any manner of intervention until the expiry is reached or the retention period has lapsed," an interpretation of the SEC rule posted on the organization's website states.

For how long must records be stored?

Here's where a lot of financial institutions run into much confusion regarding their data archiving requirements. Even the aforementioned interpretation of rule changes refers only to a "specified time period."

According to the SEC, in general, these can be any organization, association, person, group of persons or system that constitutes, maintains, or provides a market place or facility for bringing together purchasers and sellers of securities.

And, according to the SEC, archives must hold electronic data for six months with immediate access, and with non-immediate access for a period of at least two years. Following the specified time period, data may be deleted without regulatory repercussions.