E-mail: One of the most useful business tools to come along in decades can also be one of the most troublesome bits of technology in your bank. E-mail is fraught with perils, ranging from spam of the vicious to the innocuous types, viruses hidden in innocent-Looking attachments, and even the beginnings of sexual harassment and other lawsuits when misused. We asked bankers if their institutions maintain an official policy on e-mail, and what elements the policies include.
All three banks featured here have agreed to allow ABA Banking Journal to post their policies in the "Pass the Aspirin" section on our website, www.ababj.com/headaches.html. You can download them as a springboard to develop your own policy from--they are not intended to be adopted wholesale. (You can also have a Look at a free template for such policies available through www.messagerite.com) Bankers should consult with professional advisors regarding e-mail issues.
E-mail retention and archiving appear to be a gray area for many banks, at least at the federal level. State laws generally govern document retention issues, but federal laws and regulations sometimes have something to say on the matter.
Some experts indicate that the Sarbanes-Oxley Act's Section 404, dealing with internal controls, would imply that such a retention system should be in place. Broker-dealer firms are subject to SEC and NASD regulations dealing directly with the issue.
(An ABA expert recommends the following website for a primer on brokers' duties: www.ziplip.com/solutions/SEC.html.)
We plan to take a closer look at e-mail retention and archiving issues for banks in a future Compliance Clinic.
Al Smith, vice-president, technology, United Bank, $270 million-assets, Atmore, Ala. E-mail is a valuable tool when used properly. But we believe that employees should be trained on the security implications when e-mail is used for other than non-business-related correspondence.
We maintain a format written e-mail usage policy. Our e-mail policy includes a formal policy on retention and archiving as well as proper employee usage of e-mail The policy was set up based on several different policies obtained from other banks, external auditors, consultants, etc. I took the pieces of the various policies and chose the information that was most applicable to our needs. The policy includes a sheet the employee fills out to acknowledge that they have read and understand the policy.
Enforcement is handled via semi-annual audits of employees' internet and e-mail usage. Our e-mail system allows the network administrator to generate e-mail usage reports by user and for a specific time period. The report shows all incoming and outgoing e-mail Based on the subject tines of the e-mail, we are pretty much able to determine which e-mails are business, personal, or spam. Audit reports are created and sent to our Audit Department and to the Board.
Our e-mail system will accept attachments. It should be noted, however, that our e-mail filtering software will also automatically delete any incoming e-mail with a virus attachment.
Barbara Brock, vice-president, Alaska First Community Bunk & Trust, N. …