Compliance and Regulation: Impacting on the Global Business Community

Compliance and Regulation: Impacting on the Global Business Community

Following the fallout from major corporate crashes such as Enron and Worldcom, stricter compliance legislation has been introduced around the world to ensure that business managers and principals are more accountable for their actions.

The latest compliance standards focus on greater accountability and control in key business processes – most importantly document flows and data management.

There are two central aspects to enforcing compliance:

•The corporate duty of care in enforcing standards
•The need for legal protection in the event of litigation or a dispute

Non-compliance is not an option, companies risk stiff fines and executives can be held personally liable if information is not in order. Therefore, it is important that the business examines all regulations, not just those affecting their specific area of operation, but also generic legislation affecting general business activities.

The consequences of non-compliance are extremely serious; in December 2002 the SEC fined five Wall Street brokerages a total of $8.25m for improperly storing e-mail communications (Forrester Research).

Distributing documents for approval, whether in hard copy or electronic form, raises security issues. Who is authorised to access documents, and what information can they access within them? This is particularly important to ensure compliance with legislation such as the Sarbanes Oxley Act, which applies to US companies and their foreign subsidiaries; and in the UK, the Data Protection Act and the Freedom of Information Act.

Document processing software such as Tokairo’s TokOpen system addresses these challenges and automatically enforces compliance. Every action relating to individual document access is audited, access is limited to specified personnel, and actions they can undertake are also controlled. Software can also restrict access to different information within a document, to different specified users or groups within an organisation.

This ability to allow different information in a document to be seen by different users means that the divergent needs of the Data Protection Act and the Freedom of Information Act can both be met automatically, without the need to make copies of documents.

This flexibility can also extend to the hierarchy of approval based on the value of an invoice. So if a member of staff is not allowed to approve payment of an invoice of over £500 for example, it can still be checked by them, but then can automatically be escalated to a superior for payment sign-off.

The following are some of the most recent regulations, and the effects they can have on corporate document management strategies:

Sarbanes Oxley Act 2002

This is a key driver of compliant corporate document management systems. In the US non-compliance is now a Federal offence, carrying a penalty of up to 20 years in prison. US subsidiaries in the UK are also required to comply with this legislation. The European Union is expected to introduce similar rulings for member countries.

Under section 302, the CEO and CFO must certify that reports accurately show the company’s financial condition and results. In addition, they must certify that they have established and evaluated internal controls to ensure accurate recording and reporting of performance. Any deficiencies in these controls as well as any fraud at management level must be reported.

Section 404 requires annual reports to detail internal controls that are in place to ensure accurate financial reporting, as well as an assessment of their effectiveness.

This can have a significant impact on a document management system. For example, a company without clear control and visibility of approving invoices for payment could be in breach of the Sarbanes Oxley Act.

Data Protection Act 1998

Regardless of what document management system may be in place, personal information for business use needs to be handled in compliance with the Data Protection Act 1998. A secure document management system such as TokOpen can help with compliance, as it reduces the scope for theft or accidental loss of personal and confidential data. It can also facilitate the execution of valid requests for such data.

The Act enshrines eight principles:

1.Personal data shall be processed fairly and lawfully.

2.It shall be obtained only for specified lawful purposes, and shall not be further processed in any manner incompatible with those purposes.

3.It shall be adequate, relevant and not excessive in relation to the purposes for which it is being processed.

4.It shall be accurate and, where necessary, kept up to date.

5.It shall not be kept for longer than is necessary.

6.It shall be processed in accordance with the rights of data subjects under the Act.

7.Appropriate technical and organisational measures shall be taken to prevent unauthorised or unlawful processing of personal data, and to prevent accidental loss, destruction or damage to personal data.

8.Personal data shall not be transferred to a country or territory outside the EU unless an adequate level of protection for the rights and freedoms of data subjects is ensured.

Freedom of Information Act

This gives people a general right of access to information held by, or on behalf of, public authorities. It is intended to promote a culture of openness and accountability amongst public sector bodies, and to increase public understanding of how public authorities work, why they make the decisions they do, and how they spend public money.

Good document management should be a key objective for all organisations, public and private, in the drive to achieve business efficiency, and ensure that information is easily retrievable and properly documented. As a result of this, public authorities will then be able to comply more easily with legislation that affects them, such as the Freedom of Information Act.

The principles underlying records management – creation, retention, identification and retrieval – apply equally to both electronic and paper media. This means that procedures for e-mail and other information held on shared and personal hard drives have to be as robust and detailed as those for other records.

Conflictions in Compliance

Document management systems are challenged when different data in the same document relates to both the Data Protection Act and the Freedom of Information Act, since one is geared for confidentiality, the other for accessibility.

Leading document management systems such as TokOpen, control who can view different parts of a document, meeting the conflicting needs of both pieces of legislation.

In a typical document, such as a Wire Transfer Application form, some of the information falls under the Freedom of Information Act, and other parts of the document are private meaning access must be restricted and audited in accordance with the Data Protection Act. Certain data must not be disclosed to anyone outside the bank as it is private and for internal use only.

Document management software overcomes this problem by hiding the internal information when the document is viewed by someone outside the bank. Users with authorised access are still able to view the whole document.

In the same example, the applicant’s name and address are protected by the Data Protection Act, and should therefore only be seen by the staff members dealing with that client, such as HR or Accounts. Remaining staff do not have access to these specific document details. TokOpen document management software can ensure compliance with this.

Document Management: the Way Forward

The increasingly complex demands of legislation underline the need for businesses to implement document capture and document management systems. However, even though a document management system is an important component, alone it will not ensure compliance. A wider view is needed to ensure businesses maintain their compliance with changing legislation.

In a court of law, the judge will consider the evidence based on several criteria:

•Are procedures clear and consistent, with a requirement to document procedures? This is often referred to as a document policy.

•Are the procedures enforced? This is a shared responsibility between management and the selected document management system's access and privilege controls.

•Can the claims be substantiated? This relies heavily on the document management system’s audit trail.

Compiling a Document Policy

After establishing which regulations have to be complied with, a document policy is required covering the following:

oScope of information covered
oSecurity classifications
oStorage media
oFile format and version control
oStandards (compliance and regulations)
oRetention and destruction
oResponsibilities

A document policy defines how information is stored, and is therefore central to ensuring compliance. It should serve these main purposes:

oEnsure everyone knows what they can do
oDefine the business practice at the time
oDemonstrate why a given action was undertaken, e.g. explains why a document was destroyed
oReinforce documents’ evidential weight
oHelp authenticate documents to increase legal weighting
oImprove the court’s view of the evidence presented

Consideration also needs to be given to how long documents should be stored. This depends on the type of document and industry-specific regulations.

This raises an interesting question. What is the legal position if the original document is electronic? This can best be answered in three steps.

•Civil Evidence Act 1995

oAuthenticated copies will be accepted with equal weighting to the original
oLater revisions are given greater weight than superseded revisions

•Admissibility

oDoes the court accept this evidence?
oWith what weight?

•Appropriate procedures must be followed if documents are to be taken to court

Therefore, when considering compliance, the legal weight given to a document also needs to be taken into account. In addition to ensuring that documents and information are managed in accordance with compliance legislation, document management software also plays a key role in ensuring that optimised legal weighting is given to documents, should they be presented in a court.

Improving documents’ legal weighting depends on three key factors:

•Information management

oSystem management (duty of care, audits, etc.)
oOperational issues (good management practice)

•Legal issues

oGeneral (e.g. Data Protection Act, invoice storage, etc.)
oIndustry-specific (compliance/regulations etc.)
oOrganisation-specific (internal regulations etc.)

•Need for clearance permissions

Companies therefore have a duty of care responsibility to ensure they are compliant with legislation. This is best described as information security and can be summarised with the following questions:

•Can a court be assured that information (evidence) has not been inadvertently or maliciously altered, or some of it lost?

oi.e. due care has been taken of the data

•Basic criteria can be met

oConfidentiality (who has had access?)
oIntegrity (is it reliable?)
oAvailability (can it be retrieved?)

Summary

Ensuring compliance with legislation is a responsibility shared between:

•The staff, following clearly defined document procedures
•The management enforcing these procedures
•The document management system policing and enforcing duty of care responsibilities