| Regulation | Industry Affected | Impact | Penalties for Non-Compliance |
| SEC Rule 17a-4 | Securities | Retain customer correspondence for 6 years | Fines and imprisonment |
| NASD Rules 3010 and 3110 | Securities | Retain customer correspondence for 6 years | Fines |
| Sarbanes-Oxley | Public corporations | Best to retain all documents and emails (corporate accountability) | Fines up to $5MM and 20 years imprisonment for destroying emails |
| COSO | Public corporations | Best to retain all documents and emails (corporate accountability) | No direct penalties; fines may be covered under Sarbanes-Oxley |
| Gramm-Leach-Bliley | Financial institutions | Requires protection of non-public personal information from outside distribution | Fines and up to 5 years imprisonment |
| California Privacy Law (SB 1386) | Any company doing business with California residents | Requires protection of non-public personal information from outside distribution | Civil action allowed for "injured" customers |
| HIPAA | Medical | Patient privacy and document integrity | Fines up to $250K and imprisonment up to 10 years |
| Freedom of Information Act | Any company doing business with any federal or state agency or funded institution | Requires information to be made available to the public for inspection | Potential damage to corporate reputation |
| ISO 17799 | Potentially required for cyber-liability insurance | Guidelines to monitor and protect information infrastructure | Potential damage to corporate reputation |
| USA Patriot Act | Potentially any entity in the USA | Laws requiring information disclosure to protect against terrorism | Fines and imprisonment |
| Canadian Personal Information Protection and Electronic Documents Act | Any business under the legislative authority of Parliament | Requires protection of personal information from outside distribution | Fines up to $100K |
| Canadian Ontario Securities Commission, Commodity Futures Act | Canadian commodity futures trading institutions | Provides protection against misleading information and requires document retention | Fines up to $5 million and imprisonment up to 5 years less one day |
| Canadian Ontario Securities Commission, Securities Act | Canadian securities trading institutions | Enhances CEO and CFO accountability along with tighter financial reporting | Fines up to $5 million and imprisonment up to 5 years less one day |
Securities and Exchange Commission (SEC) Rule 17a-4
SEC Rule 17a-4 requires that broker/dealers archive customer communications and billing information for 6 years. The SEC's interpretation is that
"[f]or record retention purposes under Rule 17a-4, the content of the electronic communication is determinative, and therefore broker/dealers must retain only those email and Internet communications (including inter-office communications) which relate to the broker/dealer's 'business as such.'"
Under this reading, any communication determined to be unrelated to the business may be deleted rather than archived. In practice, however, that line is hard to draw in advance. In recent SEC investigations into mutual fund "late trading," the SEC requested all customer communications, including email, as well as any information describing the extent to which the firm or any of its employees permitted, assisted or facilitated late trading. Much of the information requested is internal rather than direct customer communication, and so may never have been saved. The SEC's position is that any communication relating to late trading may be valuable evidence, and it would most likely view deliberate destruction of such communications unfavorably. In these cases it is prudent to retain all communications for review rather than delete information that could later be viewed as critical evidence.
Recent penalties for failing to abide by Rule 17a-4 have cost firms millions of dollars.
NASD Rules 3010 and 3110
The NASD rules follow the SEC rules and require members to retain all communications with the public so that regulators can verify that there was no manipulation or criminal intent on the part of the member.
"On December 31, 1997, the Securities and Exchange Commission (SEC) approved amendments to National Association of Securities Dealers, Inc. (NASD) Rules 3010 (Supervision) and 3110 (Books and Records). The amendments will allow firms to develop flexible supervisory procedures for the review of correspondence with the public."
Rule 3010: "Rule 3010(d)(1), as amended, provides that procedures for review of correspondence with the public relating to a member's investment banking or securities business be designed to provide reasonable supervision for each registered representative, be described in an organization's written supervisory procedures, and be evidenced in an appropriate manner." Essentially, to protect the rights of customers, firms must establish and document the ability to monitor all such communications, including email.
Rule 3110: "Each member shall make and preserve books, accounts, records, memoranda, and correspondence in conformity with all applicable laws, rules, regulations, and statements of policy promulgated thereunder and with the Rules of this Association and as prescribed by SEC Rule 17a-3. The record keeping format, medium, and retention period shall comply with SEC Rule 17a-4."
Recent penalties for failing to abide by these rules and SEC Rule 17a-4 have cost securities-trading firms millions of dollars.
Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act was introduced to establish board- and executive-level audit controls to prevent corporate fraud. The Act requires the CEO and CFO to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer."
Section 404 of the Act (Management Assessment of Internal Controls) requires each annual report to contain an "internal control report" which shall:
1) State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
2) Provide a year-end assessment of the effectiveness of that control structure and those procedures.
The auditor must also attest to, and report on, the assessment made by management.
Section 802 of the Act, as implemented by the SEC's final rule (http://www.sec.gov/rules/final/33-8180.htm), requires auditors to retain all pertinent audit records, including electronic communications, for seven years. This retention enables investigators to examine any questions the auditors raised during the audit process and to understand more clearly if and when questionable accounting activities took place.
Maximum penalties for willful and knowing violations of the Act include reimbursement of all incentive- and equity-based compensation (including any profits from the sale of securities during the period in question), a fine of not more than $5 million, and/or imprisonment of up to 20 years.
Committee of Sponsoring Organizations (COSO)
COSO is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. It was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, and was jointly sponsored by the five major financial professional associations in the United States: the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives Institute, the Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants).
In 1992 the committee published its "Internal Control - Integrated Framework," which defines internal control as:
"A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives."
The objectives fall into three categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Internal control itself consists of five interrelated components: the control environment, risk assessment, control activities, information and communication, and monitoring. The scope of internal control therefore extends to policies, plans, procedures, processes, systems, activities, functions, projects, initiatives and endeavors of all types at all levels of a company.
The Sarbanes-Oxley Act Section 404 (Management Assessment of Internal Controls) final rule "encompasses the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives."
Since the COSO Internal Control - Integrated Framework is a framework rather than a regulation, there are no direct penalties for failing to follow it; its practical weight comes from the Section 404 rule, which points to it as a suitable framework for management's control assessment.
Gramm-Leach-Bliley Act (1999)
The Gramm-Leach-Bliley Act (GLB), also known as the Financial Services Modernization Act, requires financial institutions to protect against disclosure of non-public personal information (NPI). It was enacted after some significant financial institutions sold NPI to marketing companies that subsequently billed the customers for services that were never purchased.
It requires any company that markets banking, insurance, stocks and bonds, financial advice and/or investments to:
· Securely store NPI,
· Inform customers of its policy on sharing NPI, and
· Provide a process for customers to "opt out" of NPI sharing.
It also requires institutions to protect against any anticipated threats or hazards to the security and integrity of such records, and against unauthorized access to those records.
Under GLB Section 505, the functional regulators may enforce GLB with the same sanctions they already use to regulate financial institutions. For example, the FDIC may enforce violations under Section 8 of the Federal Deposit Insurance Act, which gives it authority to impose penalties ranging from $5,000 per day up to $1,000,000.
GLB Sections 521 and 523 also provide criminal penalties for persons who gain fraudulent access to protected financial information (pretexting).
Section 523(a) states that "whoever knowingly and intentionally violates, or knowingly and intentionally attempts to violate, section 521 (Privacy Protection for Customer Information of Financial Institutions) shall be fined in accordance with title 18, United States Code, or imprisoned for not more than 5 years, or both."
Section 523(b) provides enhanced penalties for aggravated cases: "whoever violates section 521 while violating another law or has a pattern of any illegal activity involving more than $100,000 in a 12-month period shall be fined twice the title 18 amount, imprisoned for up to 10 years or both."
California Privacy Law (SB 1386, July 2003)
This privacy law requires any company that owns, licenses, or maintains computerized personal information to disclose any breach of the security of that data to every California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law was put into effect to protect California residents against identity theft.
Notably, the notification requirement is limited to unencrypted personal information: a company whose stored data was encrypted when it was compromised is not required to notify affected residents. In practice the value of that exemption depends on the encryption keys not having been exposed along with the data.
The statute does not provide specific criminal or civil penalties, but Section 1798.84 states that:
a) Any customer injured by a violation of this title may institute a civil action to recover damages.
b) Any business that violates, proposes to violate, or has violated this title may be enjoined.
c) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
Section 1798.84 therefore opens the door to class-action lawsuits by "injured" customers.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was enacted by Congress in 1996:
"To improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals. [§ 164.501]"
HIPAA changes the way healthcare records are handled by everyone involved in the healthcare process, including hospitals, doctors' offices, insurance companies and corporations. The Act gives patients the right to:
· Control how their health information is used
· Access their medical records
· Amend or correct their medical records
· File complaints about violations
· Receive a notice of privacy practices
· Know who is accessing their records
The Act requires all entities that process healthcare information to safeguard Protected Health Information (PHI) from becoming public.
The regulations are separated into three areas of focus, with their compliance dates:
· Transaction Rules (Oct 2002)
· Privacy Rules (Apr 2003)
· Security Rules (Apr 2005)
Transaction Rules
· Provide Electronic Data Interchange (EDI) standards for healthcare providers
· Adopt electronic standards for eight electronic transactions and six code sets
Privacy Rules require that healthcare providers:
· Designate a privacy official
· Document privacy training
· Implement safeguards to prevent intentional or accidental misuse of PHI
· Institute sanctions for employee violations
Security Rules mandate safeguards for the physical storage and maintenance of, transmission of, and access to PHI. This Rule affects:
· All security and privacy related policies and procedures
· All audit procedures
· IS technical security mechanisms and capabilities
· Network/Internet/data-com/dial-up capabilities
· Physical access controls
· System access controls
· Data storage
Security Management Process (164.308(a)(1)(i))
· "Risk analysis, risk management and sanction policy are adopted as required implementation specifications"
· Information system activity review is a required (mandatory) implementation specification
Audit Controls (164.312(b))
· It is required that "audit mechanisms be put in place to record and examine system activity"
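As an added illustration of what the Security Management Process and Audit Controls specifications ask for in practice, the following Python script records PHI access events in a hash chain (so that later alteration or deletion of the log is detectable) and runs a simple information system activity review over them. This is example code written for this page, not part of HIPAA or of any vendor product; the log line format, the SAMPLE_LOG lines, the ASSIGNMENTS care-team table and the review thresholds are all constructed assumptions.

```python
import hashlib
from collections import Counter
from datetime import datetime

# Constructed sample of an application's PHI access log. The format
# (timestamp, user, patient id, action) is an assumption for this example;
# HIPAA does not prescribe one.
SAMPLE_LOG = """\
2004-03-02T09:12:44 nurse_ang patient:1001 view
2004-03-02T09:13:10 nurse_ang patient:1002 view
2004-03-02T22:41:03 dr_kim patient:1007 view
2004-03-02T10:05:17 clerk_bob patient:1001 view
2004-03-02T10:05:18 clerk_bob patient:1002 view
2004-03-02T10:05:19 clerk_bob patient:1003 view
2004-03-02T10:05:20 clerk_bob patient:1004 view
2004-03-02T10:05:21 clerk_bob patient:1005 view
2004-03-02T10:05:22 clerk_bob patient:1006 view
"""

# Assumed care-team assignments: which patients each user may legitimately access.
ASSIGNMENTS = {
    "nurse_ang": {"patient:1001", "patient:1002"},
    "dr_kim": {"patient:1007"},
    "clerk_bob": {"patient:1001"},
}


def parse_log(text):
    """Parse one access record per line into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
            "raw": line,
        })
    return records


def chain_records(records):
    """Hash-chain the raw lines: each digest covers the previous digest plus the line,
    so editing, reordering or dropping any earlier entry changes every later digest."""
    prev = "0" * 64
    chain = []
    for r in records:
        prev = hashlib.sha256((prev + "\n" + r["raw"]).encode()).hexdigest()
        chain.append(prev)
    return chain


def verify_chain(records, chain):
    """True only if recomputing the chain over the records reproduces the stored digests."""
    return chain_records(records) == chain


def review_activity(records, assignments, bulk_threshold=5, start_hour=7, end_hour=19):
    """Activity review: flag access to unassigned patients, access outside working
    hours, and users who touched an unusually large number of records."""
    findings = []
    per_user = Counter()
    for r in records:
        allowed = assignments.get(r["user"], set())
        if r["patient"] not in allowed:
            findings.append(("not-assigned", r["user"], r["patient"]))
        if not (start_hour <= r["ts"].hour < end_hour):
            findings.append(("after-hours", r["user"], r["patient"]))
        per_user[r["user"]] += 1
    for user, n in per_user.items():
        if n >= bulk_threshold:
            findings.append(("bulk-access", user, n))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    digests = chain_records(recs)
    print("chain intact:", verify_chain(recs, digests))
    for finding in review_activity(recs, ASSIGNMENTS):
        print(finding)
```

The review flags the clerk who walked through six patient records in as many seconds (five of them not assigned to him) and the physician's late-night access, which is exactly the kind of output a sanction policy needs as evidence. The chain digests should be stored separately from the log itself (for example, shipped to a write-once store or signed periodically); a chain kept next to the log it protects can be regenerated by whoever edits the log.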
Penalties
· Civil penalties. Health plans, providers and clearinghouses that violate these standards are subject to civil liability. Civil money penalties are $100 per violation, up to $25,000 per year for all violations of an identical requirement or prohibition.
· Federal criminal penalties. Congress also established criminal penalties for knowingly violating patient privacy: up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
Under HIPAA it is mandatory to review all systems and perform a risk analysis to determine how to make the entire process more secure. Analysis and frequent auditing are important to ensure that continuous improvement takes place and to avoid unintended distribution of PHI.
Freedom of Information Act (FOIA, 1966)
The Freedom of Information Act covers records in the possession of agencies and departments of the executive branch of the U.S. Government, and many state governments have adopted similar laws. It applies to "All writings made, maintained or kept by the federal government, any agency, institution, a non-profit corporation or political subdivision of the Federal Government for use in the exercise of functions required or authorized by law or administrative rule or involving the receipt or expenditure of public funds."
FOIA can affect a company when corporate communications are exchanged with any entity that falls under one of the above-mentioned government-funded agencies, because those communications become agency records subject to public disclosure. Recently, the Federal Energy Regulatory Commission (FERC) released hundreds of thousands of email messages obtained from Enron, citing FOIA as its basis. The documents are available for anyone to view and contain confidential business email as well as embarrassing personal email. Many Enron employees will now use email differently because of those disclosures.
ISO 17799
ISO 17799 started in the UK as British Standard 7799 (BS 7799), a code of practice for information security management. The International Organization for Standardization (ISO) adopted it as ISO/IEC 17799 in December 2000, and many companies have since implemented the standard. Some insurance companies are now considering requiring their customers to be certified against it before issuing cyber-liability insurance (formal certification is actually performed against BS 7799-2, the management-system specification that accompanies the code of practice, since ISO 17799 itself is guidance rather than an auditable specification).
It is organized into 10 sections:
· Business Continuity Planning
· System Access Control
· System Development and Maintenance
· Physical and Environmental Security
· Compliance
· Personnel Security
· Security Organization
· Computer & Operations Management
· Asset Classification and Control
· Security Policy
The standard provides guidelines for corporations to implement policies and processes to monitor and protect their systems infrastructure. Currently there are no penalties for not implementing ISO 17799 beyond the potential loss of business as customers begin to require it, or loss of coverage as insurers begin to require it.
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA Patriot Act, 2001)
The Patriot Act was enacted primarily to identify and stop terrorism and any source of funding for terrorism. It pursues this goal by expanding the reach of existing statutes (among them the Bank Secrecy Act and the Foreign Intelligence Surveillance Act); Section 352 in particular extends the Bank Secrecy Act's anti-money-laundering program requirement. In its current form it affects any "financial institution," which includes insurance companies; investment companies other than mutual funds; loan and finance companies; dealers in precious metals, stones, or jewels; vehicle sellers; persons involved in real estate closings and settlements; and others. The Treasury Department has issued guidance indicating its intention to clarify anti-money-laundering program requirements for certain of these industries. Currently, it requires these institutions to report suspicious activity, including money transfers.
Section 352 amends Title 31, U.S. Code, Section 5318(h) (Anti-Money Laundering Programs) and states that an anti-money-laundering program must include at a minimum:
(A) The development of internal policies, procedures, and controls;
(B) The designation of a compliance officer;
(C) An ongoing employee training program; and
(D) An independent audit function to test programs.
The effect of Section 352 is that it requires covered entities to implement programs to identify money laundering and report it to the Treasury Department. This is a significant burden on entities that have never had to do this type of reporting.
Importantly, Section 314(b) (Cooperation among Financial Institutions) provides a safe harbor from liability under other laws, such as Gramm-Leach-Bliley, for financial institutions that share information with one another that could uncover evidence of terrorist activity or money laundering.
Certainly one of the most controversial sections of the Act is Section 215 (Access to Records and Other Items under the Foreign Intelligence Surveillance Act). It broadens the rules on records requests to "any tangible things (including books, records, papers, documents, and other items)," which means the FBI can obtain financial documents, library records, travel records, phone records, medical records, stored e-mail communications, and so on, in an investigation to protect against terrorism. Such a request must be authorized by an order from a federal judge sitting on the Foreign Intelligence Surveillance Court, with the stated purpose of the investigation being to protect against international terrorism or clandestine intelligence activities. This section can place new burdens on entities that have not had to respond to such demands in the past, and those that are served may have to spend significant time and money complying.
Entities that fail to comply with the anti-money-laundering provisions can be fined under Section 363.
Section 363(a) sets civil penalties of not less than 2 times the amount of the transaction and not more than $1,000,000.
Section 363(b) sets criminal penalties of not less than 2 times the amount of the transaction and not more than $1,000,000.
Canadian Laws
Personal Information Protection and Electronic Documents Act (PIPEDA, Bill C-6, in force 2001)
Canadian laws are regularly updated to track changes in U.S. law. Part 1 of PIPEDA is the counterpart of the Gramm-Leach-Bliley Act in the U.S. and applies to "any work, undertaking or business that is under the legislative authority of Parliament". This includes international transportation, airports, telecommunications, radio and television broadcasting, and banks, among others. It focuses on the collection, storage and use of personal data, with the overall goal of protecting that data from unauthorized use.
PIPEDA imposes ten responsibilities (its fair information principles) on covered organizations:
1) Be accountable for compliance
2) Identify the purpose for collecting data
3) Obtain consent from the individual
4) Limit collection of data to what is needed
5) Limit use, disclosure and retention of data
6) Keep the data accurate
7) Use appropriate safeguards to protect the data
8) Be open about your use of the data
9) Give individuals access to their data
10) Provide recourse when data is incorrect or is used incorrectly.
Penalties for non-compliance with the Act
The Privacy Commissioner may make public any information relating to the personal information management practices of an organization. It is also an offence under the Act for an organization to:
1) Destroy information pertaining to an investigation, or
2) Retaliate against an individual for acting to uphold the Act (for example, by reporting a violation in good faith).
An organization that commits such an offence is:
(a) on summary conviction, liable to a fine not exceeding $10,000; or
(b) on indictment, liable to a fine not exceeding $100,000.
Keeping the Promise for a Strong Economy Act, 2002 (Bill 198)
Each Canadian province has its own Securities Act. Ontario recently amended its Commodity Futures Act and Securities Act (both administered by the Ontario Securities Commission) to keep pace with changes in U.S. securities law. The reasons for updating the Acts are twofold: 1) to keep current with events in the marketplace, and 2) to provide penalties comparable to those under similar U.S. laws so that investors will feel comfortable investing in Canadian securities. The predominant changes include increased information-disclosure requirements, CEO and CFO accountability, and penalties that are more economically current.
Commodity Futures Act
The Commodity Futures Act governs commodity futures trading in Ontario. The Act (R.S.O. 1990) was amended to give government investigators more leverage in commodity futures trading fraud cases. It provides the basis for investigators to examine individuals and companies involved in commodity trading and, to facilitate the investigative process, sets out record-keeping obligations for transactions. It also increases the penalties for making misleading statements or allowing others to mislead a person or company.
Part IV: Investigations and Examinations
The scope of an investigation includes:
"For the purposes of an investigation under this section, a person
appointed to make the investigation may investigate and inquire
into,
(a) the affairs of the person or company in respect of which the
investigation is being made, including any trades, communications,
negotiations, transactions, investigations, loans, borrowings
or payments to, by, on behalf of, or in relation to or connected
with the person or company and any property, assets or things
owned, acquired or alienated, in whole or in part, by the person
or company or by any other person or company acting on behalf
of, or as agent for, the person or company; and
(b) the assets at any time held, the liabilities, debts, undertakings
and obligations at any time existing, the financial or other conditions
at any time prevailing in or in relation to or in connection with
the person or company, and any relationship that may at any time
exist or have existed between the person or company and any other
person or company by reason of trades in contracts, investments,
commissions promised, secured or paid, interests held or acquired,
the loaning or borrowing of money, stock or other property, the
transfer or holding of stock, interlocking directorates, common
control, undue influence or control or any other relationship.
1999, c. 9, s. 30."
Part V: Record Keeping and Compliance Reviews
Record-keeping obligations include:
"Every market participant shall keep such books, records and other
documents as are necessary for the proper recording of its business
transactions and financial affairs and the transactions that it
executes on behalf of others and shall keep such other books,
records and documents as may otherwise be required under Ontario
commodity futures law. 1999, c. 9, s. 30."
Part XIII: Enforcement
The general offences provision reads:
"Every person or company that,
(a) makes a statement in any material, evidence or information
submitted to the Commission, a Director, any person acting under
the authority of the Commission or the Executive Director or any
person appointed to make an investigation or examination under
this Act that, in a material respect and at the time and in the
light of the circumstances under which it is made, is misleading
or untrue or does not state a fact that is required to be stated
or that is necessary to make the statement not misleading; (b)
makes a statement in any application, release, report, return,
financial statement or other document required to be filed or
furnished under Ontario commodity futures law that, in a material
respect and at the time and in the light of the circumstances
under which it is made, is misleading or untrue or does not state
a fact that is required to be stated or that is necessary to make
the statement not misleading; or (c) contravenes Ontario commodity
futures law, is guilty of an offence and on conviction is liable
to a fine of not more than $5 million or to imprisonment for a
term of not more than five years less a day, or to both. 1999,
c. 9, s. 39; 2002, c. 22, s. 10 (1)."
"Directors and Officers
Every director or officer of a company or of a person other than
an individual who authorizes, permits or acquiesces in the commission
of an offence under subsection (1) by the company or person, whether
or not a charge has been laid or a finding of guilt has been made
against the company or person in respect of the offence under
subsection (1), is guilty of an offence and is liable on conviction
to a fine of not more than $5 million or to imprisonment for a
term of not more than five years less a day, or to both. 1999,
c. 9, s. 39; 2002, c. 22, s. 10 (2)."
The record-keeping provision does not designate specific retention periods, but the investigation provision allows examination of any trades, communications, negotiations, and so on. Given that, it is prudent for a company to archive all trades as well as all communications.
Ontario Securities Commission Securities Act
The Ontario Securities Act provides the rules for securities trading firms in Ontario. It has been amended to align closely with the requirements of the Sarbanes-Oxley legislation in the U.S., primarily around CEO and CFO accountability and tighter restrictions on financial auditing.
Bill 198, s. 181(2), amending subsection 122(3): the penalties for non-compliance are increased from a fine of $1 million and imprisonment of two years to a fine of $5 million and imprisonment for five years less a day. This may also include disgorgement of amounts obtained as a result of the non-compliance.
Bill 198, s. 187(3), amending subsection 143(1): the amendment adds paragraphs requiring issuers to:
57. Appoint audit committees and prescribe requirements for the functioning and responsibilities of those committees, including:
· Standards of review, including standard documents
· Certification of review by the audit committee
· Composition and qualification of audit committee members
58. Devise and maintain internal controls for financial reporting and asset control to ensure that:
· Transactions are executed in accordance with management's authorization
· Transactions are recorded so as to permit preparation of financial statements
· Transactions are recorded so as to maintain accountability for assets
· Access to assets is permitted only in accordance with management's authorization
· Recorded accountability for assets is compared with existing assets at "reasonable intervals" to ensure accuracy
59. Devise and maintain disclosure controls to ensure that:
· Information required to be reported is recorded, processed and reported within the specified time period
· Information required to be reported is made known to management, including the CEO and CFO, in time for disclosure decisions to be made
60. Have CEOs and CFOs certify that:
· They have established and maintained internal controls and procedures
· They have described the design of those controls and procedures
· They have evaluated the effectiveness of those controls and procedures
61. Have CEOs and CFOs certify that:
· They have established and maintained disclosure controls and procedures
· They have described the design of those disclosure controls and procedures
· They have evaluated the effectiveness of those disclosure controls and procedures
These changes require a corporation to understand and document its financial processes and hold its top executives accountable.
One difference between the Ontario Securities Act and Sarbanes-Oxley is that SOX requires auditors to retain all relevant communications about corporate audits. Since the OSC's intent is to align closely with SOX, there is a real possibility that Ontario will in future impose an equivalent requirement on auditing firms to retain audit-related communications.