Regulatory & standards compliance

‘Corporate compliance’ is increasingly raised in IT departments and boardrooms, as industries in every sector face a growing number of regulatory compliance deadlines. Attention focuses on the IT department. Why? It bears responsibility for enabling organisations to meet legislative requirements, many of which govern how they store and retrieve data.

Significant pieces of legislation are Sarbanes-Oxley (SOX), Basel II and the Markets in Financial Instruments Directive (MiFID, pronounced ‘Miffid’). All of their requirements must be in place as they hit the UK in 2009 and beyond.

IT systems have to be up to the mark, or their owners risk penalties. Although the legislation is clear in stating its requirements, one area remains very fuzzy for many: exactly which party must be compliant when services are outsourced.

As companies focus on core activities, it has become more common for support functions such as IT to be partly or wholly outsourced. Many assume that the obligation to comply passes to the service provider. It does not necessarily. Certainly, a key objective of outsourcing is effective risk management, passing as much responsibility as possible to the service provider; but this is where the confusion begins, because most compliance regimes still hold the client company responsible.

The Financial Services Authority (FSA) makes it clear that regulated firms cannot outsource responsibility, even when they have outsourced the services that enable them to achieve compliance.

Accordingly, it requires that outsourcing contracts contain detailed provisions enabling the regulated firm to satisfy itself, proactively, that the service provider is performing satisfactorily.

Now that the responsibility is clear, is everyone aware of the perils of non-compliance? Most companies seem to understand that there are risks, but not what those risks are.

A variety of threats faces the non-compliant: closure of business lines, heavy fines or, at the least lenient end of the scale, imprisonment of executives.

For MiFID, sanctions for non-compliance range from a fine to suspension of trading rights; for Basel II, we can expect the FSA to impose sanctions case by case. Senior management must understand that the buck stops with them, especially under SOX: if they do not ensure that the company is compliant they will suffer personally, as the sanctions are civil and potentially criminal.

Further, any non-compliant company faces a risk to its reputation, which may affect future business. And any penalty will have a long-term effect, because the company has to remedy the situation; that will most likely mean new staff, or at least overtime, and additional IT costs.

What the FSA regulations stipulate concerning recordings:
(From Policy Statement 08/1, Financial Services Authority)

Telephone recording: recording of voice conversations and electronic communications

COBS 11.8.10 R
A firm must take reasonable steps to retain all records made by it under COBS 11.8.5R:

  (1) for a period of at least 6 months from the date the record was created;
  (2) in a medium that allows the storage of the information in a way accessible for future reference by the FSA, and so that the following conditions are met:
    (a) the FSA must be able to access the records readily;
    (b) it must be possible for any corrections or other amendments, and the contents of the records prior to such corrections and amendments, to be easily ascertained;
    (c) it must not be possible for the records to be otherwise manipulated or altered.
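The conditions in 11.8.10R above amount to a tamper-evident store with versioned corrections and a minimum retention period. The following Python sketch is an added illustration of one way to meet them; it is not Red Box's storage format and not code from the page. Each entry is HMAC-authenticated and chained to its predecessor, a correction is a new entry that names the record it amends (so the pre-correction content stays readable), verification reports the first altered or removed entry, and a helper computes the earliest purge date six months after creation. The key, record IDs, metadata fields and audio bytes are all constructed for the example.

```python
import calendar
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key (an assumption for this example). A real deployment keeps
# the key in an HSM or KMS, out of reach of anyone who can edit the store;
# otherwise an insider can simply re-MAC whatever they altered.
DEMO_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64


class RecordLog:
    """Append-only, hash-chained, HMAC-authenticated log of call records.

    Nothing is ever overwritten. A correction is a new entry that names the
    record it amends, so the original stays readable (condition (b)) and any
    in-place edit or deletion breaks the chain on verification (condition (c)).
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    @staticmethod
    def _canonical(entry: dict) -> bytes:
        # Deterministic serialisation of everything except the MAC itself.
        body = {k: v for k, v in entry.items() if k != "mac"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def _mac(self, entry: dict) -> str:
        return hmac.new(self._key, self._canonical(entry), hashlib.sha256).hexdigest()

    def _append(self, entry: dict) -> int:
        entry["seq"] = len(self.entries)
        entry["prev_mac"] = self.entries[-1]["mac"] if self.entries else GENESIS
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry["seq"]

    def add_record(self, record_id: str, audio: bytes, metadata: dict, created: str) -> int:
        # The audio lives in blob storage; the log binds its SHA-256 so a swapped
        # recording is caught when the blob is re-hashed against the log.
        return self._append({
            "kind": "record",
            "record_id": record_id,
            "audio_sha256": hashlib.sha256(audio).hexdigest(),
            "metadata": dict(metadata),
            "created": created,
        })

    def correct_record(self, record_id: str, metadata: dict, reason: str, created: str) -> int:
        if not self.history(record_id):
            raise KeyError(f"no record {record_id}")
        return self._append({
            "kind": "correction",
            "record_id": record_id,
            "metadata": dict(metadata),
            "reason": reason,
            "created": created,
        })

    def history(self, record_id: str) -> list[dict]:
        """All versions of a record, oldest first: the original plus each correction."""
        return [e for e in self.entries if e["record_id"] == record_id]

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("seq") != i or e.get("prev_mac") != prev:
                return False, i          # entry removed, reordered or inserted
            if not hmac.compare_digest(e["mac"], self._mac(e)):
                return False, i          # entry content edited in place
            prev = e["mac"]
        return True, None


def retention_end(created: str, months: int = 6) -> date:
    """Earliest date a record created on `created` (ISO yyyy-mm-dd) may be purged."""
    d = date.fromisoformat(created)
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])   # clamp 31 Aug -> 28 Feb
    return date(year, month, day)


def build_demo_log() -> RecordLog:
    """Constructed sample data: one call record and one later metadata correction."""
    log = RecordLog(DEMO_KEY)
    log.add_record("call-0001", b"constructed audio bytes",
                   {"trader": "jsmith", "counterparty": "ACME"}, "2009-01-15")
    log.correct_record("call-0001", {"trader": "jdoe", "counterparty": "ACME"},
                       "trader ID mis-keyed at capture", "2009-01-16")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("intact:", log.verify())                        # (True, None)
    print("versions:", [e["kind"] for e in log.history("call-0001")])
    log.entries[0]["metadata"]["trader"] = "jdoe"        # silent in-place edit
    print("after tamper:", log.verify())                  # (False, 0)
    print("purge no earlier than:", retention_end("2009-01-15"))
```

Two caveats a practitioner would add. An HMAC only proves integrity against parties who do not hold the key, so a firm demonstrating condition (c) to the regulator needs the key held where operators cannot reach it (an HSM, or a digital signature whose verification key is lodged with the auditor) and the current chain head anchored somewhere external, such as a write-once medium or a timestamping service; otherwise the operator could rebuild the whole chain. And retention_end gives the earliest permitted purge date, not an instruction to purge: other obligations, litigation holds or MiFID record rules may require keeping the record longer.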

Gain full compliance with Red Box

Our solutions enable you to exceed FSA and PCI DSS requirements. Voice recordings are stored in a secure authenticated format that cannot be manipulated or altered, ensuring total compliance with FSA regulations. The technology does not permit referencing or searching against payment card details. It also has security and access protection beyond the standards required by the PCI DSS.