As we know, the finance industry is heavily regulated when it comes to retaining data and information. FinTech companies hold very sensitive data: data that is valuable, that is a common target of attacks for unlawful economic gain, and that is often required at a later date for reasons such as regulatory investigations, litigation or court cases. Financial companies must take the necessary steps to ensure that all data passed within the company is securely protected and can be found and referenced easily and quickly.
FinTech Industry Regulations
Industry regulators are set up in FinTech to ensure the protection of the investing public. While new rules and technologies are introduced to the industry, the purpose of regulation remains the same: to protect the industry and those who invest in it.
In the UK, the Financial Conduct Authority (FCA) is the industry regulator, while FINRA (the Financial Industry Regulatory Authority) regulates the US industry. For countries inside the EU, other regulations (such as GDPR) have regulatory implications and apply to all businesses, including those within the finance sector. For FinTech companies, certain things are expected in relation to archiving, record-keeping and email data management.
FinTech companies have certain expectations in relation to email archiving. FinTech services must:
- Have information readily accessible so that an individual can reconstitute the key stages of the processes involved in each transaction.
- Ensure all versions of documents can be easily seen – corrections and amendments, and contents of records before corrections or amendments, must be easily obtained.
- Make it impossible for records to be altered or manipulated.
- Have methods in place for efficient exploration of records when data needs to be analysed.
In short, a FinTech business needs to monitor how electronic communications are archived no matter where they’re based in the world.
For the FCA, the relevant email archiving rule is SYSC 9.1.2C:
19(4) The records shall be retained in a medium that allows the storage of information in a way accessible for future reference by the competent authority. The competent authority shall be able to access them readily to reconstitute each element in a clear and accurate manner and to identify easily any changes, corrections or other amendments, and the contents of the records prior to such modifications.
The above rule derives from EU legislation, meaning a business that follows it complies with both EU and UK requirements.
Record-keeping is vitally important to compliance. By keeping accurate records in the business, you can prove to your regulator that you have taken the necessary compliance actions. Your service can provide the correct disclaimers, make well-researched recommendations suitable to your client base, and supervise staff on these regulations, but without thorough records you can't prove those actions have taken place.
The FCA has a general requirement for Record-keeping:
A firm (other than a common platform firm) must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it, which must enable the FCA or any other relevant competent authority under the UCITS Directive to monitor the firm’s compliance with the requirements under the regulatory system, and in particular to determine that the firm has complied with all obligations regarding clients.
FINRA takes record-keeping a step further, in relation to social media, online communications and text messaging. Regulatory Notice 10-06 offered clarity in its guidance by “ensuring that—as the use of social media sites increases over time—investors are protected from false or misleading claims and representations, and firms are able to effectively and appropriately supervise their associated persons’ participation in these sites.” To meet this goal, FinTech companies must retain all records of communication with the public.
FINRA Regulatory Notice 17-18 extends the rule to text messages, instant messages and chat applications, adding that “every firm that intends to communicate, or permits its associated persons to communicate, with regard to its business through a text messaging app or chat service must first ensure that it can retain records of those communications as required.”
With accurate record-keeping in place of every communication that takes place, your service can be sure it’s complying with GDPR and more.
“Cryoserver is an absolute necessity. How else would you know what your customers said or what you said? Our industry is heavily regulated – with each deal worth millions of pounds – so ensuring truth in our email communications and being accountable becomes of utmost importance – a necessity”
Group IT Director, Natural Resources
Finding Information & Monitoring
Keeping records of data just in case a regulatory investigation takes place isn’t enough to be compliant. Businesses need archives and records that work: reviewable, navigable and functional. If FinTech companies are to invest in technology to manage their data, it must also be something they can use on a daily basis.
Not only is this important for finding information when it is requested, it also gives businesses a way of monitoring the storage of sensitive information. Failure to prove you can successfully monitor staff who have access to data can lead to heavy fines for businesses.
“We recently had to search the archive for a specific email in a critical business case. We found it in record time, which made the project manager’s day and saved the company a massive bill; Cryoserver to the rescue again!”
IT Infrastructure Manager, Manufacturing
Email Data Management
While archiving emails and record-keeping are vital parts of being compliant, ensuring email data is managed correctly is just as important.
2018 saw outsourcing of data management become one of the top trends among FinTech companies. It benefits businesses because it streamlines operations and reduces costs. Managing data within emails falls under FCA guidelines such as High Level Principle 3 in PRIN 2.1, which states that “A firm must take reasonable care to organise and control its affairs responsibly and effectively”. The phrasing is open-ended, but if email data, where 60% of a business’s critical data resides, isn’t managed properly, a company could be accused of being in breach of this principle.
Data management, and securing that data, falls under three regulations:
- Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorised access.
- Regulation S-ID (17 CFR §248.201-202), which outlines a firm’s duties regarding the detection, prevention, and mitigation of identity theft.
- The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewritable, non-erasable format.
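The requirements listed on this page (every version of a record visible, prior contents retrievable after a correction, records that cannot be altered, storage that is non-rewritable) can be illustrated with an append-only, hash-chained record store. This is an added, constructed example and not Cryoserver's code or any product's; the record id and message bodies are made up, and an in-memory list stands in for non-rewritable media.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry, excluding its own hash."""
    payload = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class RecordArchive:
    """Append-only, hash-chained archive (illustrative only).

    Nothing is overwritten: a correction is a new entry that names the entry it
    supersedes, so the amended text and the contents before the amendment both
    stay readable, and any later edit to stored entries breaks the chain."""

    def __init__(self):
        self._entries = []  # stand-in for WORM (non-rewritable, non-erasable) storage

    def append(self, record_id: str, body: str, supersedes=None) -> int:
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"seq": len(self._entries), "record_id": record_id, "body": body,
                 "supersedes": supersedes, "prev_hash": prev_hash}
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry["seq"]

    def history(self, record_id: str) -> list:
        """Every version of a record, oldest first, so each stage can be reconstituted."""
        return [e for e in self._entries if e["record_id"] == record_id]

    def verify(self) -> bool:
        """Recompute the whole chain; an altered or removed entry makes this False."""
        prev = GENESIS
        for e in self._entries:
            if e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> tuple:
    """Constructed sample: one archived email, a later correction, then a simulated edit."""
    archive = RecordArchive()
    first = archive.append("msg-0001", "Trade confirmed at 1.2340 GBP/USD")
    archive.append("msg-0001", "Trade confirmed at 1.2430 GBP/USD", supersedes=first)
    versions = [e["body"] for e in archive.history("msg-0001")]
    intact = archive.verify()
    archive._entries[first]["body"] = "Trade confirmed at 1.5000 GBP/USD"  # in-place edit
    return versions, intact, archive.verify()
```

`demo()` returns both versions of the record, `True` for the untouched chain, and `False` once an entry has been edited in place.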
By demonstrating that it follows these regulations, a company shows it takes the management of its data seriously.
“The big thing for us has been the reduction in the size of the database; we started at about 850gig, but we expect to be down to around about 250gig.”
Head of IT & Change, Financial
The only way for FinTech organisations to prove they are complying with EU and financial regulators is to have an email archiving service that acts as a functional archive, keeps vast amounts of records and serves as the email data management solution. Cryoserver can offer just that. Get in touch with us to see how our solutions can support your FinTech company.