Risk & Compliance

Compliance Systems Eye the Inbox

E-mail management, filtering, and archiving systems help companies retain messages and perform the appropriate compliance audits.
Esther Shein, April 10, 2006

“Loose lips sink ships,” a familiar warning to servicepeople and civilians during World War II, counseled Americans against the dangers of careless talk. Similar admonitions apply in Corporate America today, except that the “talk” very often takes place on a company’s E-mail servers, and the “ship” that is imperiled is the business itself.

Parker Mabry is in charge of keeping things sailing smoothly at brokerage Morgan Keegan, which employs some 2,800 people and receives perhaps 1.2 million E-mails a month. The senior vice president of IT, Mabry turned to ZipLip, an E-mail management, archiving, and content-filtering system from ZipLip Inc., to help the financial-services company retain messages and perform the appropriate compliance audits.

Capturing messages, indexing them, and offering search capability and scalability are essentials for an effective E-mail archiving system, says Michael Osterman, president of consultancy Osterman Research. One consideration that can be overlooked, he adds, is that “not all E-mails get generated by your messaging server.” Notes Osterman, “ZipLip captures E-mail at the gateway as well as at the server level,” so it preserves messages from other systems, such as a company’s customer-relationship-management software.

For financial firms, observes Osterman, a key area of scrutiny is the communication between broker-dealers and their clients. At Morgan Keegan, these E-mails are analyzed by ZipLip’s policy engine, which according to Mabry comprises not only the typical “dirty word” dictionary but also a set of rules governing prohibited financial communications. Most competing systems rely on keyword-based search engines, according to Steve Chan, ZipLip’s vice president of business development, but ZipLip “understands grammar and context; it understands when to trap an email.” And once a message is flagged, adds Mabry, it’s not released until a compliance reviewer decides how it should be handled.

Businesses that use ZipLip’s flagship product (or competing compliance software from companies including EMC, Symantec, Computer Associates, and Zantaz) can choose to review E-mails after the fact, in so-called post-review analysis. Indeed, says Osterman, a primary driver behind the adoption of archiving systems has been the requirement that compliance officers take random samples of company communications and check them for violations. Even when that’s not a specific compliance obligation, proper data preservation is a best practice, he says, adding that “if you get sued, increasingly email is going to be included as part of discovery.”

On Morgan Keegan’s behalf, Mabry says that the brokerage prefers pre-review analysis, so “anything and everything” goes through the ZipLip system before it leaves the (electronic) premises. Mabry wishes that he didn’t have to be an E-mail watchdog, “but it’s part of the business. So we comply.”