By the end of 2008, Canadian financial services firms were expected to become subject to tough, new email storage, retrieval and archiving laws. Those companies who were in non-compliance could face fines into the millions of dollars and face penalties that could land them into prison.

The Canadian Securities Administrators (CSA) organization had proposed legislation that would force securities dealers and portfolio managers to abide by stricter rules designed to force more secure archiving of emails. The costs of non-compliance included multi-million dollar fines, criminal indictments, and exorbitant e-discovery costs.

Canadian financial services firms – including securities dealers and portfolio managers – could incur these in the not to distant future if they violated the pending legislation proposed by the Canadian Securities Administrators (CSA).

Thirteen securities regulators of Canada’s provinces and territories make up the CSA forum that coordinates and regulates the Canadian capital markets.

The new, stricter proposal for e-mail storage and retrieval rules is known as National Instrument 31-103 (NI 31-103).

Registered firms must keep their records and electronic messages in a durable form such that a request for a record must be promptly provided to regulators within two years of its creation according to NI 31 -103. If after the two year creation date then the requested record must be delivered within a reasonable period of time. Records must be kept up to seven years after the departure of a client.

Concerns have been expressed about the costs of keeping the necessary amount of email archives to satisfy the requirements of NI 31-103. Some have said it is too difficult to develop the needed archival and retrieval system.

Simply maintaining backup copies of email servers may not be enough to satisfy the new archival laws.

There are scenarios where backup tapes do not include all email messages. It is possible for both a sender and a receiver of email to delete the emails before a backup can be initiated. The result is that the email thread can occur without ever being backed up on the servers. An additional burden on IT staff is that they have to produce specific emails on demand. The additional costs of e-discovery and having to prove the integrity of the e-mails retrieved can also add an extra burden to an already overburdened IT staff.