Nebraska Bankers Association

ELECTRONIC RECORD KEEPING AND RECORD RETENTION

I. INTRODUCTION

The federal E-SIGN Act (the “Act”), codified at 15 U.S.C. § 7001, et seq. and effective March 1, 2001, changed the legal framework for electronic records and, as a result, paved the way for banks to implement electronic record retention systems to support a variety of operations (e.g., loan file imaging, retention of paperless applications and online agreements, and the use of electronic payment systems).  Checks and other negotiable instruments governed by the Uniform Commercial Code, however, are specifically excluded from the Act.  On June 21, 2004, the Office of the Comptroller of the Currency (OCC) issued an Advisory Letter entitled Electronic Record Keeping (AL 2004-9) that highlighted issues regarding bank electronic record systems in light of the E-SIGN Act and offered a basic framework that bank management can use to assess and address key issues posed by electronic record keeping systems.  While the letter is addressed to national banks, its substantive contents should serve as good guidance for all other financial institutions to consider.

An electronic record, defined by the Act as a contract or other record created, generated, communicated or stored by electronic means, will satisfy most legal record retention requirements for contracts or other records (including requirements that a record must be retained in its original form) provided that the electronic record meets these “general standards.”  The record must be:

  • retained in a form that accurately reflects the information in the contract or other record,
  • accessible to all persons who are entitled to access the information for the period of time required by law, and
  • in a form that allows it to be accurately reproduced for later reference by transmission, printing or otherwise.

When an electronic record meets all of the above general standards, it will satisfy a legal requirement that a contract or other record (e.g., a consumer disclosure) must be retained in writing [See, 15 U.S.C. § 7001(d)]; however, at the present time, these general standards have not been subject to court interpretation.  Therefore, there is a lack of predictability as to how a court may interpret the general standards.

In addition, the Act does not resolve all legal or practical issues relating to electronic records to ensure that such records fulfill their intended purposes and are in compliance with other applicable regulatory requirements outside of the area of record retention (e.g., the Act does not ensure admissibility of electronic records in litigation).  According to the OCC Advisory Letter, the “practical effect of having electronic records that are not admissible into evidence in judicial proceedings may be to render the electronic contract or record effectively unenforceable.”  Under the Act, a contract or record that is required by law to be in writing may be denied legal effect unless it is in a “form that is capable of being retained and accurately reproduced for later reference by all parties or persons who are entitled to retain the contract or other record” [See, 15 U.S.C. § 7001(e) – the provision (and its sanction of denial of enforceability) relates to the form in which the record is made available to other parties (i.e., whether the record was provided in a proper form) and does not relate to whether the record was properly retained by the bank under § 7001(d)].  As a result, while banks are allowed to satisfy record retention requirements with electronic record retention systems that comply with the Act, banks will need to plan the implementation and operation of such systems to be sure that they meet both functional and regulatory requirements.

II. FUNCTIONAL AND REGULATORY RISKS

The OCC Advisory Letter notes that although the Act does not provide specific definitions for its general minimum standards of accuracy, integrity or accessibility, banks adopting electronic record retention systems should understand and consider the significant reputation, transaction, credit and compliance risk resulting from inadequate record retention practices and systems.

Any bank electronic record system must have sufficient accuracy, accessibility and integrity to achieve and accomplish all essential functions and purposes that pertain to the specific records that are contained within that particular system, including: potential use in litigation support; internal and external audits and controls; bank supervision; and compliance with regulatory requirements applicable to such records.

A. Potential Use of Records in Litigation Support

Since a bank may have to produce certain records or introduce them into evidence in litigation, it is obvious that without adequate and admissible records, the bank could not enforce its rights and protect itself against claims in litigation.  If records that support transactions are inadmissible, they are useless in litigation, even though they may satisfy federal record retention requirements.  As a result, if a bank’s electronic records cannot be admitted into evidence, the bank may face credit, transaction and market risk.  Under the Interagency Guidelines and Standards for Safety and Soundness, Appendix A of 12 C.F.R. Part 30, it is an unsafe and unsound practice for a bank to fail to maintain loan documentation that, among other things, ensures that the bank's claims against its borrowers are legally enforceable.

While the Act does not provide any assured standards for admissibility of electronic records, the courts continue to develop precedent on the admissibility of electronic records; however, legal standards for admissibility of electronic records can vary from state to state.  The lack of legal uniformity poses significant risks for a bank developing a single electronic record retention system and doing business in multiple states.  Therefore, bank counsel should be consulted when attempting to implement an electronic record retention system.  On the issue of admissibility of electronic records, bank counsel may be directed to review the Federal Rules of Evidence (particularly Fed. R. Evid. § 1001(3)) and §§ 12 and 13 of the Uniform Electronic Transactions Act (a state uniform act that is a “counterpart” to the E-SIGN Act and adopted in several states, including Nebraska).

B. Records Necessary for Internal and External Audits and Controls

Once again, an electronic record system must demonstrate sufficient accuracy, integrity and accessibility to support internal and external audit controls; therefore, bank internal and external auditors should be consulted to ensure that electronic record retention systems will support auditing and control functions.  This requirement is consistent with the above-cited Interagency Guidelines and Standards for Safety and Soundness, which implicitly require that there be a record retention system (whether paper or electronic) that is adequate to support an appropriate internal auditing system.

C. Records Necessary for Bank Supervision

A regulator’s ability to examine and supervise a bank is dependent upon prompt access to adequate and accurate records.  A bank’s electronic record retention systems should maintain records that are sufficiently complete and accurate to enable regulators to access such records in a timely manner and to determine a bank’s financial condition and the substance and purpose of transactions that may have a material effect on its financial condition.

D. Records Necessary for Compliance with Laws and Regulations

Since many federal regulations contain record retention requirements pertaining to consumer protection (e.g., Regulations B, Z, and DD), securities activities and Bank Secrecy Act compliance purposes, inadequate record retention systems could result in compliance violations.  Most of these record retention laws and regulations do not address the use of electronic record retention.

Therefore, if a bank adopts an electronic record retention system that contains records subject to consumer protection and Bank Secrecy Act laws, bank management should ensure that the system is designed and operated so that electronic records will comply with the specific requirements of applicable laws and can be retrieved and produced within legally required timeframes.

III. DEVELOPING AND IMPLEMENTING ELECTRONIC RECORD RETENTION SYSTEMS

Both appropriate planning and due diligence are advised prior to acquiring or developing an electronic record retention system.  The planning process should include representation from all affected areas in the bank:  management; personnel from the relevant business lines; information technology; operations; audit; legal; and compliance.  The electronic system should be fully consistent with the bank's general corporate records management program.  Management should assess the risks and objectives associated with an electronic system and consider the potential effect on current business processes and internal controls.

In assessing risks, bank management should consult with competent legal counsel to ensure that electronic records comply with E-SIGN Act provisions, relevant state and federal laws and regulations, as well as applicable standards for admissibility into evidence.  Bank management should consult with audit and compliance personnel in planning and developing an electronic system.


Following risk assessment, bank management must establish business and control requirements and conduct due diligence to compare various options against those requirements, considering the general points listed below.

Security – failure to properly secure and protect bank electronic record retention systems that contain confidential customer information violates minimum security standards under § 501(b) of the Gramm-Leach-Bliley Act (See, 12 C.F.R. Part 30, Appendix B), but any security device must not preclude record accessibility to parties legally entitled to it, including bank examiners.  The OCC advises that bank management should confirm that its record systems are properly secure from unauthorized access and data alteration and that the systems are adequately tested.  The record systems architecture should be fully documented and the systems adequately indexed.

Internal controls – a bank must have effective internal controls (such as segregation of duties, physical and logical access controls, retention requirements, documentation of changes to records, elimination of write-access to records after capture, encryption for transmission and storage, software integrity checks, and equipment and record media disposal procedures), subject to audit review, to protect electronic record retention systems, including associated business and information management practices, from unauthorized access and alteration.

Back-up and recovery – without adequate back-up and recovery processes, a bank may find that its records are inaccessible following an emergency.  Electronic records must be sufficiently backed up so that recovered records will meet the same accuracy and integrity standards as the primary electronic versions (including a consistent process for periodic record back-up that stores the records in a secure off-site location with proper access controls and the periodic testing of the ability to recover records).

Record destruction and disposal – record destruction and disposal procedures must be systematic, documented and subject to an approved records retention and disposition schedule.  Procedures for the disposal of electronic records should provide for the suspension of records destruction due to litigation or regulatory requests.  Procedures must also comply with guidelines and rules on safeguarding customer information, implementing § 501(b) of the Gramm-Leach-Bliley Act and § 216 of the Fair and Accurate Credit Transactions (FACT) Act, which requires “any person that maintains or otherwise possesses consumer information, derived from consumer reports, to properly dispose of any such information or compilation.”

Retention periods and content – bank management is responsible for ensuring that record retention schedules are established that are appropriate to the specific records and consistent with legal, regulatory, fiscal and administrative requirements.  Bank management should also determine which electronic messages and communications to retain, depending upon whether a particular e-mail or electronic message content is a “record” for purposes of particular record retention requirements or whether the bank may need such record for business or litigation purposes.  The OCC advises that “if an e-mail were considered a ‘record’ or would be retained for business purposes because of its content if it had been received or sent in paper, then it should also be retained as a ‘record’ even though it is in electronic form.”  According to the Advisory Letter, doing so “is consistent with the general approach in developing law to impose ‘record’ requirements that are technology neutral” (See, e.g., E-SIGN Act and Sarbanes-Oxley Act of 2002, § 802 on retention of auditor work papers).  The process should ensure that both message content and sufficient information about its attributes (e.g., source, destination, date and time) are retained for authenticity purposes.

Change management – a bank’s electronic records systems plan should provide for continuing accessibility, recognizing that future technological changes will require that such systems be updated and records be migrated to updated systems.  A bank should assess and test the impact on the integrity and accessibility of its electronic records that may be caused by any changes in its systems or those of its service provider and should consider change management controls that address risks to electronic record systems before, during and following a change.
