Microsoft Teams Archiving Compliance and SEC Rule 17a-4 Designated 3rd-Party (D3P) Requirement
By: Bill Tolson | August 11, 2020
As more organizations adopt collaboration applications like Microsoft Teams, companies in the Financial Services industry must ensure they keep up to date with the multiple data retention complexities that these collaboration applications introduce. To date, the SEC has not published guidance on Teams data archiving requirements (or any other collaboration platform), so to be safe, regulated companies should assume that all Teams-related data for broker/traders must be captured and managed.
Some organizations have argued that, because Microsoft Teams is part of Office 365 and Office 365 can be configured for SEC Rule 17 compliance through geographic replication and immutable storage (Preservation Lock), FinServ customers can rely solely on Office 365 archiving with in-place legal hold or preservation lock (WORM) to ensure SEC Rule 17 compliance. But one of the often-overlooked challenges for SEC Rule 17a-4 compliance is the requirement that FinServ organizations set up a designated third party (D3P) which can access and download regulated data when requested by the SEC. The D3P requirement makes it very difficult to meet the rule using only the Office 365 platform.
SEC Rule 17 compliance is not just data retention
In 1997, Financial Services (FinServ) companies were approved by the Securities and Exchange Commission (SEC) to store their regulated "books and records" in electronic format (referred to as Electronically Stored Information, or ESI). Those broker-dealers who elected to store their records electronically were required by SEC Rule 17a-4(f) to retain a third party ("Designated Third Party") who had the technical and contractual ability to independently access the archive and download specific regulated books & records for the SEC's review. This requirement was included just in case a broker-dealer went out of business or refused to cooperate with an SEC information request. Today, this requirement includes access to financial services cloud repositories as well as all encryption keys used for data security.
With the new ESI capability and to ensure regulated communications were captured and stored in an unaltered format, FinServ companies began utilizing the Microsoft Exchange Server journaling capability – a capability within Exchange that copies every sent and received email/attachment in a targeted mailbox and secures it in a hidden folder to which end-users do not have access. This capability ensured that email was the unedited, unchanged copy of record. To better enable service provider access and meet the designated third-party requirement, D3P providers were granted direct access to the on-premises journal, so if and when the SEC asked the D3P to provide data from the FinServ compliance archive, they could do so without the FinServ’s approval.
With the move to the cloud, many FinServ organizations set up comparable journaling capabilities from their Office 365 tenancies to a third-party SaaS-cloud email archiving provider. As part of the requirement, the SEC is given access rights to the FinServ organization's third-party SaaS journal. But with the accelerating adoption of Microsoft Teams, many third-party SaaS cloud vendors have not been able to keep up with Teams archiving requirements, specifically the need to capture and retain all regulated Teams data. Because of this, many FinServ organizations have either paused their adoption of Teams or have defaulted to relying on Office 365/Teams data retention.
Teams to eventually replace email for business?
Changes in workplace communication and the rapid adoption of collaboration platforms, such as Microsoft Teams, call into question the long-term viability of standalone business email platforms. In the last couple of years, Microsoft has positioned its Office 365 Teams collaboration application as an eventual replacement for standalone Microsoft Exchange environments. However, the continuing challenge for FinServ companies is that the Teams application is architected very differently from Office 365 Exchange Online. Firstly, Microsoft Teams is not a standalone product, but rather bundles elements of Office 365 and other applications, complicating SEC data retention requirements and compliance. Secondly, and most importantly, Teams does not have an equivalent Exchange journaling function to copy, move, and secure regulated Teams content to a consolidated location for easy SEC D3P access and search.
Teams architecture complicates records management
Instead, Teams data is spread across the organization's Office 365 platform. For example:
- chats are stored in the various Team members' mailboxes;
- shared files are stored in Team members' OneDrive accounts;
- group conversations are stored in group mailboxes;
- Wikis and file tab content are stored in SharePoint;
- meeting recordings are stored in Stream;
- voice and video calls, contacts, and voicemail/call history are stored in the Exchange user's mailbox;
- private chats are stored in the posting user's mailbox.
This dispersed Teams data storage (see figure 1 below) complicates the designated third-party accessibility requirements.
Figure 1: Teams data is stored differently depending on the content type (table from Microsoft website dated 07/13/2020)
All of these storage locations are hidden from normal end-user access and only available to the administrator - making them somewhat equivalent in use to an on-premises Exchange journal. Remember, the SEC does not specify the use of a journal for email (or other communications) capture – only that FinServ companies must adopt a technological process that protects the broker/trader email and other communications from alteration or deletion, thereby guaranteeing an original copy of record.
It could be argued that Teams data capture and storage into hidden folders, inaccessible by the average employee, meets the copy of record SEC Rule 17 requirement. However, there are several issues associated with using the built-in Microsoft Teams retention capabilities for SEC compliance. In fact, the SEC Rule D3P requirement is the toughest to overcome without a separate, consolidated archive.
Again, in the event of discontinuance of business or a refusal to cooperate with an SEC information request, SEC Rule 17a-4(f) stipulates that the D3P must have unfettered access to the FinServ company's regulated data, including emails/attachments and Teams communications for review and download.
This requirement is an important consideration when deciding how to set up a compliant SEC email/Teams archive. Without all communications (Exchange and Teams) consolidated into a single archive, how would a D3P search for and find all SEC-requested data? At the very least, the FinServ would need to provide broad access to the company's Office 365 tenancy through the Microsoft Compliance Center. This is an obvious non-starter for FinServ Chief Information Security Officers (CISOs). What CISO would accept a designated third party searching through all of their company's data?
Additionally, the SEC requirement specifies that regulated data must be stored in a way to allow SEC records to be indexed and be stored in an immutable manner with immediate accessibility for a period of two years. This means that relying on the standard Teams data retention capabilities would probably not meet the "availability/immediacy" requirement.
Collaboration applications and compliance
The Microsoft Teams collaboration application is an excellent tool for FinServ companies, especially in today's pandemic-inspired business models. However, companies need to fully understand the issues and complexities of remaining compliant with the data retention/management laws for their industry, such as SEC Rule 17a-4. First, Teams functionality offers a great deal more than simple chats. While FinServ organizations will no doubt utilize the one-to-one and one-to-many chat capabilities (which are saved as emails), their employees are communicating through Teams in more ways than just chat. Meeting recordings, video and audio calls, shared files, hyperlinks, wikis, file uploads, emojis, sentiments, and private channel chats are all potentially regulated data for SEC Rule 17 compliance, and, per figure 1 above, they are stored in different formats across multiple applications within Office 365.
Additionally, for a D3P to access and download a long chat string, they would need to manually search for and manually assemble a long series of individual chat emails to represent an entire conversation. Setting aside the complexity and potential for error, this manual process would also leave out other important data such as emoji placement and timing, the files that were shared during the conversation, and when during the chat those files were actually shared.
Most importantly, don't be fooled by cloud archiving vendors that say they are Microsoft Teams SEC-compliant while including tiny footnotes listing all the Teams data objects they don't capture – an immediate disqualifier for SEC compliance.
In the last several months, I have written about the potential challenges for regulated companies in the adoption of the Teams application, including why Microsoft Teams Archiving is More than Capturing Chat and Adoption of Microsoft Teams Creates Tomorrow's Litigation and eDiscovery Issues.
Both blogs discuss the complex nature of Teams data retention architecture with regards to eDiscovery and regulatory compliance. Check them out to get a deeper understanding of Teams archiving.
To address Teams archiving challenges while reducing compliance risk, check out Archive360 for Microsoft Teams, designed from the ground up to archive and manage all Teams data in a way that provides the level of compliance required by Financial Services organizations regulated by SEC Rule 17.
For more information, check out our article on why Microsoft Teams is more than capturing chat.
For more information on how Archive360 can help solve your Microsoft Teams archiving needs, click here.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.