PATRIOT ACT and Records Management

The passing of the USA PATRIOT Act reinforces the reality that any paper or electronic
data management program should garner top priority for corporate leadership and
corporate governance.

The Patriot Act requires the Secretary of the Treasury to prescribe regulations "setting
forth the minimum standards for financial institutions and their customers regarding the
identity of the customer that shall apply in connection with the opening of an account at
a financial institution." Broker-dealers must develop and fully implement the customer
identification program (CIP) by October 1, 2003. The CIP must include procedures for
making and maintaining a record of all information obtained.

Retention of records: The
broker-dealer must retain the records made under paragraph (b)(3)(i)(A) for five years
after the account is closed and the records made under paragraphs (b)(3)(i)(B), (C) and
(D) for five years after the record is made. In all other respects, the records must be
maintained pursuant to the provisions of 17 CFR 240.17a-4.

Corporate Governance and Compliance:

The following guidelines should be considered when developing and maintaining rules for
record retention and reference archiving:

  • Make electronic-data and paper-based document management a business initiative,
    supported by corporate leadership in the form of a corporate governance sub-
    committee.
  • Maintain records of all types of hardware and software that are in use and the
    locations of all electronic data.
  • Create a business records and document review, retention and destruction policy,
    which includes consideration of backup and archival procedures, up-to-date
    evidentiary standards, content integrity, document reproduction tests, online
    storage repositories, record custodians and a destroyed documents "log book."
  • Create an employee technology use program, including procedures for written
    communication protocols, data security, employee electronic data storage and
    employee termination/transfer.
  • Clearly document your corporate data retention policies in a record procedures
    manual.
  • Document all ways in which data can be transferred to or from the company.
  • Regularly train employees on the company's data-retention policies.
  • Implement a litigation response team, composed of outside counsel, compliance
    staff, corporate counsel, the human resources department, business line managers
    and IT staff, that can quickly update or amend document-destruction policies.
  • Be aware of electronic "footprints" - delete does not always mean delete, and
    meta-data is a fertile source of information and evidence.
  • Cease formal document destruction policies at the first notice of a regulatory
    investigation, suit or reasonable anticipation of suit. Note that the subject or
    topic of an investigation or suit may reside in any business record, data file or
    reference archive.

Finally, make a practice of conducting routine audits of policies and procedures,
performing compliance assessments and taking enforcement action on violations.

Learn more about records management solutions that enable Patriot Act compliance by
contacting TELA Technologies and asking for a free, no-hassle Document Management
Assessment.