On the Edge:
Records & Information Management in the Post-Bailout World
Although records and information management (RIM) professionals may have only a passing acquaintance with the Basel II Framework, it undoubtedly has had a serious effect on their personal lives recently because of its relationship to the financial market crisis. For the same reason, it is also bound to have a profound impact on their professional responsibilities in the near future – regardless of the industry in which they work.
John Montaña, J.D.
Regulations issued under the Basel II Accord require financial institutions to maintain a certain level of capital reserves as protection against bad loans. The size of these reserves depends on the value of the institution’s loan portfolio and how risky it is. That risk is determined by analysis of loss experience, changes in portfolio value, and related factors.
A large factor in the recent financial market meltdown was that accounting rules required re-valuation of loan portfolios because of a downturn in housing prices; this, combined with an uptick in defaults, created additional capitalization requirements under Basel II and its implementing legislation. Acquiring that capital turned out to be a problem for many institutions and forced them into technical insolvency. The result was a fire sale or shotgun wedding to other, better-capitalized banks, and a government bailout for those in such bad shape that no one would buy them.
The fallout is considerable: shareholders in these institutions have lost most or all of their money; the stock market has dropped dramatically; employees of affected institutions find their jobs at risk; and credit has tightened sharply, pinching the overall economy. Institutions in Europe have been similarly affected, and European governments have been forced to take similar steps.
Predictably, investigations and legal actions are part of the landscape. As early as May 2008, there were reports and investigations of irregularities in reporting the London Interbank Loan Offered Rate (or LIBOR, a benchmark interest rate for interbank lending, to which rates for many other financial instruments are pegged). More recently, the Federal Bureau of Investigation reported opening a probe of fraud at Fannie Mae, Freddie Mac, American International Group (AIG) and Lehman Brothers.
Does this all sound distressingly like the Enron, WorldCom, and other recent fiascos? It should, because it is. It also sounds a lot like the savings and loan collapse of the 1980s, the stock market crash of 1929, and many other financial bubbles and collapses. Their common characteristics are:
- Absurd, unrealistic optimism about the upside of some market phenomenon
- Serious financial negligence and/or irregularities
- Collapse of an industry and its major players
- Major loss of wealth for shareholders, employees, and others
- Investigations and lawsuits
- Rushed legislation to fix the mess
The difference this time is that nearly a trillion dollars of taxpayer money is on the line in the United States alone, so that the pressures to “fix” the problem will be even greater than in the past. The pressure for accountability is enormous, so it is reasonable to expect more investigations by both law enforcement and regulatory agencies and, perhaps, criminal charges against institutions and individuals.
RIM Challenges Ahead
Regardless of the outcome of these investigations, civil litigation is inevitable as shareholders and others seek to recoup their losses with allegations of negligence, civil fraud, and breach of fiduciary duty. And, of course, extensive additional regulation is a foregone conclusion. For RIM professionals, the finger-pointing and the fix are likely to pose a series of challenges as a result of investigations, litigation, regulations, and legislation.
Investigations and Litigation
Investigations and litigation will make heavy demands for production of records and data, and these demands will be far-reaching. This isn’t a question of a few improper e-mails. The transactions and instruments underlying this crisis are very complex, and their details not very transparent at all, even to knowledgeable insiders.
So, too, the portfolio analysis and risk calculations are extremely complex. Much of the data needed for forensic examination of analysis, transactions, and decisions will be found in mountains of financial and accounting data deep within the computer systems of the financial institutions being investigated. For custodians of that data (and in the current litigious climate, this includes not only the directly affected institutions, but any organization with significant exposure to any of the many financial instruments subject to bailout, buyout, or default), this is likely to mean prolonged, painful, and repeated demands for that data by multiple parties.
In recent years, discovery issues – at least so-called “cutting edge” discovery – have focused primarily on unstructured data, for which the poster child is e-mail. The demand for unstructured data in litigation rapidly exposed serious weaknesses in its management in most organizations. E-mail, it turns out, is rarely managed well, often not even rudimentarily. This, combined with the volumes that must be sifted through for litigation or investigation, has proven to be an enormous and costly burden. Recent RIM technology advances have therefore focused heavily on dealing with this unstructured data, and e-mail management schemes are now a prominent feature of any records management or electronic document management software package.
To be sure, e-mail and other unstructured data will be scrutinized extensively by investigators and litigants in coming months and years, but so, too, will structured data. Financial and accounting databases, financial forecasting databases, records of loan portfolios, interbank transactions – all are likely to be the subject of intense focus by forensic investigators. As with unstructured data, sifting through the records associated with very complex, multi-billion-dollar transaction sets will prove equally formidable and costly, perhaps much more so.
The mortgages alone (critical to any inquiry because their terms and conditions and supporting documentation are central to any risk analysis) pose formidable difficulties. They will in many cases be in paper format and widely dispersed. The owners of downstream derivative securities may have little or no record of the mortgages themselves, and no effective access to them.
Securities portfolios related to the mortgages add to the difficulty. Not only will any portfolio contain many millions of individual records, but those records (for example, a mortgage, as well as the string of securities and other derivative instruments that have an interest in it) are interrelated in complex ways; and the entire mass of records and data is subject to complex calculations and analysis over a period of years.
All this must be de-constructed and analyzed forensically for fraud, negligence, or other breach of duty. If audit trails or usage and alteration logs are available, these, too, will be subject to discovery. All this will place a heavy burden upon those responsible for producing the information, and it will severely test the systems they have in place for identifying and producing massive quantities of data and large volumes of paper records.
Legislation and Regulation
Equally predictably, the situation has begun to produce the first of what will undoubtedly be many installments of the legislation and regulation that inevitably arise in a situation like this. In late September and early October, the U.S. Congress produced a $700 billion bailout package in little more than a week, a speed that is unheard of in federal legislative processes.
The pressure for accountability and to protect against a similar occurrence in the future will inevitably lead to more legislation and a corresponding set of regulations, both in the United States and elsewhere. If this sounds like Sarbanes-Oxley, it ought to – the same forces are at work. That means that the legislative and regulatory results are likely to have some predictable characteristics:
- Rushed legislation is almost always bad and vague legislation. Sarbanes-Oxley is illustrative of this – it demands accountability, but is quite vague as to how that accountability is to be accomplished, leading to great uncertainty as to exactly what records ought to be created and maintained to demonstrate that accountability, and for how long. Uncertainty led to overkill in compliance efforts and a great deal of time and money expended to build systems that might or might not be actually “Sarbanes-Oxley compliant.” Ultimately, there sprang up an entirely new Sarbanes-Oxley compliance industry trying to deal with this issue.
- The net will be cast very wide. Enron was about energy trading. Its progeny, Sarbanes-Oxley, affects every publicly traded company in the United States, and similar legislation affects publicly traded companies elsewhere. It’s also become something of a de facto standard for other organizations, meaning that it has nearly universal effect. Regardless of their industry, RIM professionals should be prepared for regulations on “risk control” or “risk analysis” or something similar.
- Current systems and processes may not ensure compliance. If an organization is subject to Sarbanes-Oxley, it has almost certainly had to create an internal audit process (and its associated reports and supporting documentation and records of remediation) to document compliance. It has also likely bought software or other tools to assist it. So, too, with risk control or risk analysis. Unless an organization has a sophisticated system in place, it may need to upgrade.
How to Prepare
All this being the case, it’s worthwhile to look at the steps organizations should consider taking to be prepared:
- Organizations that hold complex financial instruments may be subject to “risk control” or “risk analysis” requirements of some sort. That means analyzing and quantifying risk and somehow documenting that process and its results. Don’t be surprised if guidance is unclear – any near-term statute will almost certainly contain no details. And detailed, really useful regulations are years in the future, if indeed they ever arrive.
- If an organization’s finance and accounting system contains details of records and analysis related to complex financial instruments, it will want to consider what the system should contain and how to go about extracting those contents in various permutations. If the system is doing complex calculations of, say, risk factors, consider documenting not only the calculations themselves, but also the process of how and why they were derived or adopted. If it does not currently support a strong audit trail function, consider adding it. If there is not in place a system that quickly and accurately relates derivative instruments to underlying documents and transactions, it may be necessary to add one.
- Large-scale discovery from structured financial and accounting databases and associated record sets should be part of an organization’s future planning. That means rapid production of very complex data sets for regulators and litigators.
- Plan on new rules. The Securities and Exchange Commission may not survive, and if it does, it may be in substantially altered form. Gone, too, will be the current incarnation of U.S. Generally Accepted Accounting Principles (GAAP), further complicating the analysis of just what to do to demonstrate due diligence and reasonableness in risk management activities. There will, however, be replacements for both, and that means not fewer, but different rules.
Of course, the precise scope of the legal remedy and its associated burden remains to be seen. Regardless, be prepared. That means:
- Expect the bar to be raised for compliance, systems, and process. There will simply be too much political and popular pressure to “do something” to permit otherwise, and that something will inevitably involve additional RIM responsibilities.
- Be prepared initially to go it alone and develop RIM responses in the absence of clear legal standards. That means developing carefully thought-out standards and processes and keeping records to defend those standards and processes.
- Be attuned to emerging business or industry standards that may become de facto legal standards. Organizations will need to be at least at this level, and being beyond it isn’t a bad idea.
- Be prepared to develop systems and processes responsive to very vague legal standards if and when they finally emerge.
Manage these things and be ahead of the curve – or at least not behind it. You can bet a trillion dollars on it.
John C. Montaña, J.D., can be contacted at jcmontana@pelligroup.com.
From November - December 2008