Emailing It In: No Simple Matter
February 8, 2010
Let’s say your securities firm operates in 30 countries. That means that the email you exchange with customers, business partners and service suppliers in the course of doing business has to abide by the storage, retrieval and compliance laws of 30 nations. Right?
Wrong.
A number you probably don’t want to count. Every country from which you get an email from a customer and to which you send an email. Etc.
Which means: You need a lot of eyes on the ground, when you go global, to make sure even your most basic communications adhere to the laws not just of the countries where you operate, but of those from which you draw business.
This in turn means you have to watch, like a hawk, any service supplier that helps you transport or archive email and other communications.
You have to put each and every contingency into a broad, global or near-global contract, with clear agreement on where the buck stops on adhering to local laws, says Pinaki Roy, managing director of the CIO Advisory Practice at PricewaterhouseCoopers. “You have to put those all into the contract, so you know what jurisdictions you may have to comply with in regulations,” he told a gathering of information systems managers who are members of the Wall Street Technology Association last week.
But it doesn’t just stop there. Where the people you deal with are located is one thing. But whatever country is being touched – by your service provider, too – matters. You’re liable to prosecution in that geography.
“The service provider needs to have the technical capability to determine when, where and how the data was used,” Roy says.
What about the servers and data centers where the communications are stored? Don’t kid yourself. Your operations will be affected by those local laws as well. If one of your customers in Croatia or a counterparty in Tangiers is involved somehow in some kind of fraud, and the evidence is stored in a computer in Singapore, you can bet the famously tough upholders of truth, justice and the righteous way in Singapore will jump right in.
It’s hugely complex.
Auditors (and regulators) will want to know not just where the messages are stored, but where each has been during the last six or nine months and whether you have a clear record of any stops and any changes.
The bottom line: “You’re under the jurisdiction … of wherever the activity takes place,” Roy says.
Simply put, “you can outsource your application, but you cannot outsource your obligation” to maintain good controls and report to regulators, says Eric Olden, the chief executive and founder of Symplified, a firm that helps identify users of “cloud” computing services and keep their communications secure.
Which means, when it comes to any type of relationship with a third party to manage your email around the world, work out where the buck stops.
So you can stop the bucks that party gets, when it matters.







