paul johnson
Post on 12-Jul-2015
Looking after it all – Records Management & e-Discovery
Paul Johnston – Senior Manager, Group Records Management, NAB
15 April 2011
Outline of Topics
Meeting the legal requirements
Storage, recall and security requirements
Building an effective risk framework to protect your records
Records Management Culture at NAB
Management Response to RM Risk
YES, we really must do something about this!
Meeting the Legal requirements
Since 2005 there have been over 260 million individual records that have been lost – with many of these records containing sensitive business data or individuals’ personal identification information. Cost to companies to reproduce a record is approximately $200*
Risks and Costs include:
Regulatory fines (i.e. Austrac, APRA, ASIC, FSA, MAS, Basel II etc.)
Reputational damage
Courts
External third party legal fees
External auditor costs
Technology costs - capture, retrieval and restoration
People costs
Loss of customers
* Source – Quantum March 2010 newsletter
Paying the Penalties
Recent overseas penalties for AML/CTF breaches have included:
in the US:
in September 2006 a settlement agreement in the amount of US$7.5 million between Bank of America Corporation (BAC) and the Manhattan District Attorney stemming from BAC's deficiencies in handling foreign money service business clients and AML controls; and
in December 2005 ABN AMRO agreed to pay US$80 million in fines and penalties for various defects, including AML internal controls and failures to identify, analyse, and report suspicious activity;
in the UK:
in 2005 the FSA imposed financial penalties of £175,000 on Investment Services UK Limited and £30,000 on its managing director; and
in 2004 it imposed fines of £1,250,000 and £375,000 on the Bank of Scotland and Bank of Ireland respectively.
in Japan:
in September 2004 the Japanese financial authorities ordered Citibank NA Japan to suspend its private banking operations for a number of violations including some relating to anti-money laundering.
Note - Austrac penalties - Businesses that breach the laws can be fined $11 million, while individuals within the company could receive penalties of up to $2.2 million.
Planning for e-Discovery
When does the e-Discovery clock start ticking?
The duty to preserve relevant documentation may commence upon:
initiation of a lawsuit by or against the institution
institution is put on notice by a party that litigation is or may be imminent or
institution has knowledge of facts that indicate litigation is reasonably anticipated
Planning for e-Discovery
Identify a centralised Coordinator for all special preservation requests
Regular discussions with your Litigation team
Legal and Coordinator must be the first to know of any potential litigation
Organise meetings with business key stakeholders (i.e. IT, forensics)
Prepare an action plan (i.e. steps you are taking to identify, preserve, collect and restore.) Also document all your communications including actions!
Understand what records are impacted (customer, corporate, employees) and what regions are impacted
Understand how far back you have to go?
Think about creating a virtual team to support e-discovery
Maintain legal professional privilege in all your communications relating to the case
Challenges of e-Discovery
Knowing where the information is stored
NAB is a global organisation (across 5 countries)
Different database systems (current)
Historical database systems (legacy)
Knowledge management
Documents incorrectly classified due to lack of knowledge of policy
Have records already been destroyed pursuant to the records retention policy requirements? (This may reduce the high costs of discovery.)
Mergers and acquisitions – multiple systems
The time required to identify records across all systems
What resources do you have at your disposal? (the virtual search team)
Storage gone wrong
Challenges of capture and storage
People need to be made aware of the requirements to capture records in either:
Physical
Electronic
or both (though look to prevent duplication)
Burden of storing physical records due to environmental and sustainability reasons
Victorian Evidence Act 2008 and admissibility of computer-generated records
Challenges of identifying records
Records kept to compensate
Records needed, but not located
‘Needle in the haystack’
In the past when the Bank needed to preserve records, it would place a blanket embargo to compensate for the way in which records were captured.
This has changed
Challenges of identifying records
Configuration of computer workstations and file servers
Mirror disks
Removable media (diskettes, fobs, tapes, etc.)
Metadata
Temporary files and fragments
Histories
Embedded comments
Audit trails and log files
Legacy Systems
Internet information
Corporate intranets
Computers and laptops
PDAs
Backup tapes and facilities
“Deleted” files
Sharepoint
Non-textual electronic devices
Culture
NAB Records Management Program 09/10
Policy/Framework
Regulator Liaison & Regulatory Change
Governance and Reporting
Training and Communication
Monitoring & Testing
Advisory
Records Management Centre of Excellence
Records Management Risk Framework
Building the right Culture at NAB
Training staff at day 1 to reduce our future e-discovery costs
Induction course includes records management
E-learning training module on records management (mandatory)
Group Records Retention Policy
Regular Change communications (regulatory updates etc.)
Assurance and monitoring (do staff really follow the policy?)
Risk sign-off required on a wide range of aspects, projects etc. impacting the records management lifecycle
NAB Records Management Program 2010
Compliance with Group Policy
Mitigate records management risks
Improve Processes and Controls to provide an improved level of service
Reduce costs
Reduce our Environmental impact
Improve and Sustain awareness of records management culture
Litigation Hold (Special Preservation Procedures)
Develop on our current records management framework
Post-Implementation Compliance and Auditing
Records Management overview
NAB focuses on six key phases that make up the records management lifecycle
Each Phase has a set of internal principles which we adhere to
All impact how we comply with e-Discovery requirements
Create, Maintain, Retain, Retrieve, Archive, Destroy
It’s not just here
Understand your business to help reduce your discovery costs.
Number of technology systems used to capture records
What records do third parties hold for you, and why?
Test your controls around e-discovery (i.e. time to produce documents vs tight request deadlines)
Can you identify only those records that are required (why recover everything if not required)?
The increased volume of Technology storage devices (map out what you use and where)
Work with IT, Forensics, Legal, Risk teams and third party legal teams to understand what they require and in what format (native, PDF, TIFF etc.)
Controls around ‘temporary’ storage
Mandate electronic channel into third party offsite storage
Do your staff understand what is expected of them in the records management lifecycle?
Conclusion
BE PROACTIVE AND NOT REACTIVE
Disclaimer
The materials, ideas, opinions and information expressed are the personal views of the presenter. In no event shall National Australia Bank Limited or its related entities be liable for any damages whatsoever resulting from any action arising in connection with the use of this information or its publication, including any action for infringement or copyright or defamation.
Questions
Paul Johnston
National Australia Bank
Email: paul_johnston@national.com.au
Phone: 0458 346 208