Regulators' IM Crackdown May Increase Cyber Risk

American Banker

In April, the Office of the Comptroller of the Currency issued a bulletin specifically aimed at banks' use of internal messaging software. The bulletin was issued to "remind" banks of their obligations related to the maintenance of records, records retention and examiner access to records.

The reminder came on the heels of earlier guidance from the New York State Department of Financial Services last year as regulators have attempted to crack down on messaging data deletion and encryption features that can be used to impede regulatory investigations and supervision of banks.

In the bulletin, the OCC said it is entitled to complete access to records of a bank's internal correspondence. The agency warned that data deletion and encryption features in IM software should not be "used to prevent or impede OCC access to a bank's books and records" and that doing so "may result in enforcement action."

But given the heavy reliance by bank personnel on IM as a communication tool for everything from back office operations to trading, the OCC's recent guidance could impose significant hardships. Moreover, the guidance runs contrary to prevailing cybersecurity guidance, which counsels against retaining data that serves no current business purpose or need but that could be accessible to hackers.

Indeed, the OCC's recent guidance resurrects the debates that followed the emergence of email: which messages need to be saved, how to monitor the messages for relevance, how long a message should be retained, the proper method to delete or destroy the record, and more.

But although the issues are not new, a new challenge arises because of the informal nature of instant messaging, the sheer volume that is created by bank personnel, and the often private nature of the messages.

Retention of data, including customers' personal data, that serves no business purpose exposes a bank to unnecessary risk in the event of a cybersecurity attack and data breach. Moreover, the retention of instant messages greatly increases a bank's overhead: storage costs, specialized and expensive monitoring software, internal auditing to ensure compliance with various regulations and policies, and the eventual destruction of the records.

Banks typically take a risk-based approach to cybersecurity threats, which counsels against retaining data beyond what the bank's particular business needs require. And over the past two years in particular, the OCC has repeatedly advised banks of the risks posed by cybersecurity threats.

Given the OCC's focus on cybersecurity risks, the recent guidance regarding the duty to retain IMs is particularly confounding because, on its face, it appears to overrule a risk-based approach in favor of a sweeping retention program for all IM communications.

Indeed, the OCC gave no clear signal as to an appropriate retention period of IMs, stating only that "[t]he permanent deletion of internal communications, especially if occurring within a relatively short time frame, conflicts with OCC expectations on sound governance, compliance, and risk management practices as well as safety and soundness principles."

While it is rather obvious that IMs relevant to any current litigation or regulatory action or review should be retained, banks and their counsel are, for the time being, left guessing at what retention of other IM data the OCC would deem appropriate.

Until more specific guidance comes from the OCC, bankers and their counsel should exercise informed discretion, through dialogue with their OCC representative, before deleting IM data en masse.


“Regulators' IM Crackdown May Increase Cyber Risk,” by Michelle Gitlitz Courtney, William R. Cruse, and Shirley M. Leung was published in American Banker on July 21, 2016. Reprinted with permission.