New regulations in the US and Europe are pushing email retention and storage up the agenda of financial services firms. Peter Madigan explores the challenges and the pitfalls of the changes for compliance teams

The Federal Rules of Civil Procedure (FRCP) have been the cornerstone of civil legal action in the US for almost 70 years. First adopted in 1938, they have undergone no less than nine significant revisions in the course of their history that sought to streamline and improve the clarity of the legislation.

A tenth revision took effect on December 1 2006, aimed at remedying confusion around the issue of discovery, the pre-trial process by which parties in a legal action ask documents and information of each other for use as evidence. More specifically, the December amendments focused on the issue of electronic discovery (e-discovery) and issued new guidance and regulations regarding companies' obligations in presenting electronically stored information (ESI), an issue that has historically been somewhat hazy.

"ESI, and particularly email, has been a tremendous part of litigation in the last five years. The problem was that the FRCP has until now only addressed paper documents – there was nothing formal in there to discuss ESI. This caused massive arguments between litigants," says Deborah Johnson, vice-president of discovery and litigation at electronic risk consulting firm Orchestria. "What the new amendments do is put specific rules and best practices around the ESI and the part it plays in e-discovery."

Major changes

The December amendments to the FRCP focus on half a dozen key issues pertaining to e-discovery although the two biggest changes are:

• Limits have been placed on the production of ESI "from sources that the party identifies as not reasonably accessible because of undue burden or cost". Examples of this may include data that is stored in obsolete formats or backup tapes specifically designed for disaster recovery purposes.

• A provision is included for the producing party should "potentially discoverable information" be lost "as a result of the routine, good faith operation of an electronic information system".

These two amendments will have far-reaching consequences not only for financial institutions but for all firms of all sizes in the US, and they run the gamut of civil procedures from wrongful dismissal claims to sexual harassment cases. Aside from the obvious ramifications involving litigation and the extra costs that the changes will entail, the new rules also promise to fundamentally overhaul email storage and retention practices.

"Something in the region of 80% of ESI that parties are asked to produce in the discovery process is email and really that's not all that surprising," says David Campbell, product marketing manager at software provider Symantec. "Attorneys know that email is where the juicy bits are – rather than finding something significant in a transaction report you'll more often find it in the emails about the transaction report. Knowing this, and in light of the FRCP amendments, companies are developing a strong desire to facilitate the retention of email information and optimise how it is being stored," he adds.

This will certainly be a growing concern for businesses going forward. While the price of investing in better data retention facilities will be substantial, an even bigger cost is posed by failing to streamline data recovery processes and face the huge expense of bringing in external lawyers to sift through millions of gigabytes of ESI on the company's behalf.

"If you plan your ESI preservation programme effectively up front, the pool of information that has to be assessed by attorneys in the discovery process is far smaller. The processing and review cost is one-fifth to one-tenth the cost of the actual attorney review, so getting a finer data set is the key factor in making savings down the line," says Joel Wuesthoff, senior consultant at Ibis Consulting.

On the agenda

There can be no doubt that e-discovery is a growing business and there are no shortage of consultancies operating in the market today. According to the 2006 Socha-Gelbman Electronic Discovery Survey, there were 541 e-discovery vendors in the market-place worldwide last year – a huge number given that in 1987 there was just one. Yet aside from the data retention and archiving services that one would expect of such firms, how else is the potential liability posed by email being managed? Are firms also expressing interest in monitoring internal email to ensure that nothing potentially incriminating or inappropriate is being forwarded by staff?

"I've seen a huge growth in interest from companies toward email monitoring services and in the number of firms offering them but not a huge adoption of the technology. It's time-consuming and expensive to do it right, and even now such systems are only just beginning to be effective and cost-effective," says George Socha, president of Socha Consulting. "Additionally, monitoring really doesn't have much of a role to play in the e-discovery debate since it is the ability to retain and produce information that is key, not to monitor what is being written."

Indeed, as well as been somewhat beside the point for FRCP compliance, the actual cost of attempting wide-scale email monitoring at a large financial institution appears to be simply impractical. "We saw a spike in email monitoring five years ago in response to security concerns post-Enron, but it became such an overwhelming burden for corporations to try to monitor that they simply had to stop and start looking at other areas to try and identify security risks," says Karen Schuler, vice-president of consulting at litigation support provider Onsite3.

For financial institutions, and securities firms in particular, the impact of the FRCP amendments would appear to be relatively innocuous. Numerous existing regulations already mandate that data must be retained for set periods, especially for broker-dealers, and in some respects the new rules amount to little more than a repetition of requirements already in place.

"Regulations like NASD 3010 and 3110 and SEC17a-4 already specify that broker-dealers need to retain in an easily accessible manner email communication of their representatives for at least three years, so they really were early adopters of email archiving," says Campbell. "The FRCP changes may seem like old news to financial services firms, but the older regulations only applied to traders and registered representatives so the December amendments bring a whole new aspect to the discussion."

Despite having a veritable head-start over other industries in the FRCP compliance race, financial institutions would be unwise to assume they are immune to getting stung by the new changes. The two civil actions that informed much of the thinking behind the amendments, Zubulake vs UBS Warburg and Coleman Holdings vs Morgan Stanley, both saw financial giants facing off against small fry opposition and losing – in both cases due to a lack of co-operation with the court when it came to their e-discovery obligations.

In both actions, the turning point came when the judge gave the jury an adverse inference order, effectively instructing them to assume that the companies' failure to produce the evidence asked of them inferred their guilt. With clearer guidance now on the table, will such judgements become more likely if a bank cannot deliver what it is asked to?

"When a judge gives an adverse inference instruction to a jury, you've pretty much lost the case, but if anything I think the new amendments will make them less likely in future now that there is a national framework in place to tell companies what's expected of them," says Jon Sablone, an e-discovery attorney at law firm Nixon Peabody.

"Moreover, a judge might take a dim view if a company has failed to invest in archiving systems to make ESI more discoverable, since the rules committee behind the FRCP amendments has said judges should look at a party's resources in these matters. It's a scary thought for a large firm in a securities class action because when a defending firm's IT capacity far outstrips the plaintiff's, this could be a crucial factor," Sablone adds.

In this instance then, the key issue is not whether a company has done anything wrong, but whether it has shown the intent to ensure that its records are easily accessible and discoverable in the event of a civil suit. The prospect should rightly unsettle legal and compliance teams, especially given that Coleman vs Morgan Stanley ended with the investment bank shelling out $1.4 billion, essentially for not producing the documents requested of it.

Grey areas

There are other ambiguities in the FRCP amendments that also present pitfalls for companies that fail to comply with the spirit of the new rules. Significantly, despite the great emphasis placed upon data retention in the changes, no guidance is given on exactly how long ESI should be retained for, ostensibly so as to not unfairly penalise small businesses without the resources to keep such files for long periods of time.

In the place of direct instruction, the amendments repeatedly refer to the "good faith operation of electronic information systems," most pointedly in the "safe harbour" rule that promises no sanctions will be taken against firms that delete ESI in the routine operation of business. What constitutes "good faith" will be left to the discretion of the judiciary, and is largely dependent on whether firms cease deleting ESI in the event of a litigation hold, which is the prelude to legal action.

However, the interpretation of "good faith" may be dependent on what a firm does before the litigation hold. "The use of vague terms such as "good faith" and others such as "exceptional circumstances" and "routine" make it difficult to take too much comfort in the "safe harbour" provision, says Davis Cohen, a partner at law firm K&L Gates.

"Furthermore, comments to the FRCP rules make it clear that this provision will not protect companies that fail to suspend routine deletion of ESI once litigation is reasonably anticipated," he adds. The fact that companies are required to cease normal ESI deletion procedures as soon as litigation becomes a reasonable possibility or foreseeable, is another stipulation that will no doubt pose further headaches for compliance teams.

Transatlantic trend

The US is not alone in seeing an increase in data retention obligations. As part of the Markets in Financial Instruments Directive (Mifid), EU nations are required to keep ESI relating to customer relationships to give investors recourse to complain if they are unfairly treated or defrauded.

"Generally, there are around 25 to 30 documents pertaining to the identity of a client, such as client details, allocation of orders and in essence any document relating to a key client interaction that must be kept for a period of five years. On top of this there are other documents, such as client agreements, that must be kept for the life of the customer relationship," says Richard Thornton, partner at Sungard Consulting Services.

Similarly to the FRCP, Mifid also calls for documents to be kept in a readily accessible form, although it does not go on to state what form that is. The resemblance between the two regulations, at least in this respect, is evident, and seems to be indicative of a bar-raising exercise that can only mean better, swifter legal proceedings and more importantly, greater protection for investors and individuals, on both sides of the Atlantic.

It would be tempting to become jaded after yet another obligation is laid down upon compliance teams that are already flat out grappling with a wealth of regulations. Nonetheless, the FRCP amendments are an important and long overdue addition to the legislative slate, and they will prove to be valuable in the long run.

Ultimately, litigation is an issue of when not if, for all firms of all sizes, especially in a country as litigious as the US. Investment in archiving services today, as the guys at Morgan Stanley would surely tell you, will lead to considerable savings tomorrow. And in the very least, more accountability across all industries, not just financial services, will result in benefits for us all as consumers and investors.

"Things are getting better, in terms of e-discovery experts in the field and the understanding of e-discovery among firms," says Socha. "Things will be a little rough for a while, but we'll get there. The rules will bed in and we'll begin to feel the benefits of these changes."