Wall Street Firms Curb Access to Personal E-Mail
An increasing number of financial-services firms are blocking their workers from accessing personal e-mail accounts from America Online, Yahoo Inc., Hotmail and others. In the latest move, Merrill Lynch & Co. last week told employees that it was barring them from accessing their personal e-mail accounts while at work. In a memo, Merrill said it was putting in place the new policy "to help ensure that electronic communications to and from Merrill Lynch facilities are subject to proper monitoring and surveillance."
Goldman Sachs Group Inc. and Morgan Stanley have had similar policies for several years, according to company representatives, and Raymond James Financial Inc. is instituting a similar one. Credit Suisse First Boston and U.S. Bancorp Piper Jaffray declined to comment on their policies.
Investment banks and brokerages are responding to regulations that require them to monitor and archive every e-mail that pertains to their business. These rules have taken on new urgency as e-mail records figure more prominently in Wall Street investigations. Last December, the Securities and Exchange Commission fined five Wall Street firms for inadequate e-mail retention.
While regulators have made it clear that longstanding rules on archiving communications covers work e-mail accounts and instant messages, the line on personal e-mail is fuzzier. They point to the SEC's rules 17a-3 and 17a-4, which require the preservation of all records of communication "relating to its business as such." Because business-related communication could conceivably go through personal e-mail accounts, companies are choosing to turn off access rather than try to monitor messages.
Raymond James's vice president of information security, Gene Fredriksen, spoke to the Online Journal about why his firm is going to start blocking personal e-mail accounts next month, how he'll do it and what the new rules cost.
WSJ.com: What do the regulations say regarding personal e-mail accounts?
Mr. Fredriksen: The regulations say that any communications relating to business as such, must be archived. That tells me that if I'm going to allow business use of an e-mail system, I must archive it. On our internal e-mail system, I archive everything.
Since I can't effectively archive those outside mail accounts because they all are just Web traffic, that's where the New York Stock Exchange and some others have come up and said, "You have to either control those, or curtail their use." We are going to curtail the use, probably in the September time frame.
Q: How are you curtailing?
A: We are modifying and upgrading our systems so we will absolutely block access to those mail services, so you don't use personal mail accounts for company business.
There has to be some kind of monitoring and enforcement in place for it to be an effective policy.
We have already put the word out to our employees to let us know if they need access to personal e-mail. We haven't heard anything.
Q: Is it possible to just monitor the e-mail traffic?
A: It's very difficult to differentiate that Web traffic and reconstruct it into a message that you could send to an archive system.
Q: Why only now are you doing this? Does this relate to Merrill's announcement?
A: The timing is really coincidental. We do have a policy going back, on the acceptable use of e-mail. But we've never had a policy that says, you cannot access Hotmail accounts within our company network. This is something we have been planning to do for quite a few months now.
Q: Was your decision prompted by the fines assessed against Wall Street firms for not archiving e-mails?
A: There's nothing specifically to do with Raymond James regarding that. But the whole subject of e-mail archival has gotten a lot more publicity in the financial-services sector because of those fines.
Raymond James has been completely archiving e-mail for over two years.
We use a system from Syntegra [a unit of BT Group PLC]. We're in the process of evaluating requests for proposals to look at the next generation of those systems.
It goes beyond e-mail. Now we're also retaining and archiving instant messages, and there are a number of other things we're looking at, so I can respond to [a request from investigators] for all types of electronic communication [an employee] did last month.
Q: What else is there, besides e-mail and instant messages?
A: For instance, sometimes a broker or analyst will go online and give a video clip of their opinion of something. It's our intent to start archiving those.
The spirit of what the SEC is asking is for us to keep track of all communications to clients related to business. We're just trying to position ourselves to have a robust system that can handle all these different types of media.
Q: How do you block all Web e-mail systems?
A: We're going to use our Web-filtering system. So if you're a customer of Websense or SurfControl or any of a number of companies out there, there are various categories of Web content you can block. One of those is online e-mail. As part of the service, they monitor and send you a daily updated list that is your current block list, and they watch for additional ones that come up online.
We will also put in some internal sensors that look for things like e-mail traffic.
I have a very high confidence level that by using some of these firms like SurfControl we'll be able to effectively block all of the traffic.
Q: Are you concerned that this takes away a valuable communications outlet for your employees?
A: No, I'm not concerned. My hard line on that is, you're here on business, and the resources are for business use. The message we put out to all employees is, don't put anything in e-mail that you don't want archived and stored for many years. And we inform all of our employees of that in our acceptable-use policy.
Q: What's the added expense of the filtering systems?
A: It's probably an additional expense to us of, in the neighborhood of $40,000 to $50,000, as a one-time cost. We are having to re-architect the way we do scanning and blocking, because of the increased load that will be put on the system. The cost will be maybe 10% ongoing incrementally, so less than $10,000 per year.
Q: Do you also monitor phone calls?
A: We don't do that. We do have some recorded lines, but we don't monitor normal phone traffic. I believe that's standard practice. There are some lines you do want to record, if you're talking about major deals.
Q: Why do phone calls have a different standard?
A: That's a great question. We have had that discussion among ourselves many times. That's a sleeping dog that most are willing to let lie for now. The overhead of monitoring phone conversations would be huge and expensive, much more so than e-mail. What's expensive isn't the archiving, but the resources to index and make it retrievable and searchable.
Q: Are these regulations and considerations good for the industry?
A: To the extent that they put the focus back on corporate governance, yes. Right now we're all paying the penalty for firms that abused the latitude they had. When we get back to a position that the government trusts companies do an appropriate job, we'll see the deluge of new regulations back off a little bit.
Q: What are the costs of the regulations?
A: That would be tough to estimate, but if you just look at the drive to archive e-mails, most financial services firms are spending millions of dollars implementing those systems. For the consumer a lot of this is good, but there are costs that have to be passed along to them.
华尔街公司限制员工使用私人邮箱
越来越多的金融服务公司开始限制雇员接收美国在线(America Online)
