Guest Contributor: Mary Beth Hamilton, Director of Marketing, Eze Castle Integration
At 800+ pages, the Dodd-Frank Wall Street Reform and Consumer Protection Act is far-reaching and requires a serious time commitment to comb through. As the deadline approaches, investment firms are increasingly looking at the technology requirements outlined in the regulation and the implications for existing IT practices.
Below is an excerpt from the Dodd-Frank Act on the System Safeguards and Recordkeeping requirements. What you’ll see is that registered firms will need disaster recovery, data protection and archiving systems in place.
“SYSTEM SAFEGUARDS: (i) Establish and maintain a program of risk analysis and oversight to identify and minimize sources of operational risk, through the development of appropriate controls and procedures, and automated systems, that are reliable and secure; and have adequate scalable capacity.
“(ii) Establish and maintain emergency procedures, backup facilities, and a plan for disaster recovery that allow for the timely recovery and resumption of operations; and the fulfillment of the responsibilities and obligations of the facility.
“(iii) Periodically conduct tests to verify that the backup resources of the facility are sufficient to ensure continued order processing and trade matching; price reporting; market surveillance; and maintenance of a comprehensive and accurate audit trail.”
“RECORDKEEPING: Each organization shall maintain records of all activities related to the business of the facility, including a complete audit trail in a form and manner that is acceptable to the Commission; and for a period of not less than 5 years.”
IT Answering the Regulators
These stringent new guidelines direct firms to have specific technologies in place to protect investors and minimize risks. Let’s look at three key areas where advanced tools and processes should be implemented:
Data Retention & Archiving
Under Dodd-Frank, firms are required to maintain records for no less than five years. To satisfy this requirement, firms should seek archiving technology that uses a Write Once Read Many (WORM) format, which prevents alterations and ensures the integrity of the documentation. You’ll also want a solution that allows for prompt search and recovery of documentation and gives employees the flexibility to view data in its original format at any time from anywhere. Finally, an archiving tool should automatically capture incoming and outgoing messages behind the scenes, without interruption to email or IM traffic.
Disaster Recovery
A disaster recovery (DR) plan should encompass the steps taken to implement and support the firm’s infrastructure, including hardware, software and sites necessary for the recovery of mission-critical services and applications such as email, trading and voice. In creating a DR plan, a firm must prioritize all its critical systems and realistically consider the amount of downtime and data loss it can accept. This assessment will determine the types of technologies used.
It is important to note that tape backup is not an alternative to a DR system, as there are a number of risks associated with relying strictly on tape. These risks include extremely long recovery times, data being stored or restored improperly, and tapes being left on-site and ruined or inaccessible during a disaster or outage. The cost of DR systems has come down considerably in recent years, so firms of all sizes should be able to find a solution that meets their budget and regulatory requirements.
Business Continuity Planning
Complementing a DR system, business continuity planning (BCP) helps firms minimize potential business disruptions by creating a framework for maintaining business processes and operations in the event of an interruption. Beyond IT operations, BCP focuses on the firm’s critical operations and processes to ensure that these will be available if a disruption should occur. An effective BCP should include a thorough risk assessment, a business impact analysis, a plan and recovery strategy, and ongoing testing and training.
The Reality: While regulations are putting these three areas in the spotlight, most alternative investment firms would tell you that investors have already made these requirements of the due diligence process. These ‘nice to haves’ are now ‘must haves’ to secure capital.