“FinReg” and the Looming Information Management Crisis

Authored by: Craig Carpenter

Today, President Obama will sign into law the most sweeping financial regulatory reform in generations.  A response to the financial panic of 2008 and global recession it spawned, the scope of the Dodd/Frank financial reform bill (aka “FinReg”) is incredibly broad and will be felt for decades to come – by both regulators and the companies scooped up in its mandate.  Checking in at more than 2,300 pages long, the mammoth bill hands off creation of hundreds of new rules and regulations over the next year and a half to the 10 regulators chartered with implementing its mandate, which will touch nearly all sectors of the US economy – and beyond our shores – including automobiles, credit cards, housing and even farming.

FinReg’s closest ancestors appear to be Sarbanes Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA): all three laws were created in the wake of massive implosions of US enterprises, in the case of SOX and GLBA, entities like Enron and Worldcom, while in FinReg’s case, Lehman Brothers, Bear Stearns, Fannie Mae, Freddie Mac and AIG (although the latter three still exist as shadows of their former selves).  And like SOX and GLBA before it, FinReg is intended to prevent such implosions from happening again, especially the so-called “too big to fail” issue amongst financial behemoths.  However, this is where the similarities end and the dramatic differences begin (and the information management nightmare commences – more to come on this).

FinReg and its implementation differ from SOX and GLBA in several important ways, which will have a significant impact on all companies subject to its regulations – which extend far beyond the largest banks operating in the US:

  • Prevention vs. Deterrence.  SOX and GLBA sought to prevent fraud mainly through deterrence: CFOs and CEOs were put “on the hook” to not only implement internal reporting safeguards, but by certifying their company’s financial filings they were and are subject to criminal indictment for their company's fraudulent activity.  However, SOX and GLBA only work as a deterrent as any company would not (and could not) be physically prevented from undertaking any sort of fraudulent activity, thereby becoming the next Enron (although this would admittedly be much harder due to more extensive internal controls).  By contrast, FinReg goes far beyond deterrence in mandating that regulators actually prevent potentially harmful activity from taking place.  Put another way, FinReg’s biggest “stick” is the ability to step in unannounced and stop things before they happen – not after the fact.
  • Proactive External Regulation.  Similarly, SOX and GLBA relied on the regulation of companies by those who know them best: the companies themselves.  FinReg takes the opposite approach, mandating that regulators actively manage potential risk as intrusively as may be necessary.  This is a critical difference, as the onus of preventing the next financial meltdown is clearly now on regulators.  How this will be done won’t be known until regulators implement the myriad rules mandated by FinReg over the next year and a half.
  • Prohibiting Legal Activity.  In stark contrast to SOX and GLBA, FinReg takes the rather unusual step of requiring regulators to prevent or stop even legal activities if they present “systemic risk.”  It is rare that legal activity can be selectively outlawed by any authority in the US, including federal regulators…but we live in unusual times.  This makes FinReg look like a Mack truck compared to SOX and GLBA’s relatively “tricycle-like” approach, and will lead to…
  • Regulatory Access and Control from the Inside.  Under FinReg, regulators must have rapid access to information near real-time so they can see what’s happening in a timely fashion and make decisions accordingly.  This will essentially mean regulators must operate from the inside, without enterprises always (or possibly ever) having the ability to assess and “filter” information before regulators see it.
  • Breadth of Controls and Informational Access.  Unlike SOX and GLBA, not just financial controls and filings are relevant to FinReg; indeed, any activity undertaken by any firm which might be interpreted as “systemically threatening” is likely implicated.  Thus, not just the JP Morgans and Wells Fargos of the world are affected by it, but the Rio Tintos, Allianzes and Mitsubishis are as well.  Additionally, within these entities the information that must be analyzed by regulators will extend far beyond SOX and GLBA’s focus of financial filings to sales and marketing activities, strategic planning, and operations, exploding the universe of data regulators must sift through.


Needless to say, the eye-opening breadth and brute force of FinReg will have a tremendous impact on regulators and regulated alike.  How significant will this change be?  By our estimation, most entities to be regulated (and even some regulators) don’t yet grasp just how challenging FinReg compliance will be.  Here are just a few of the ramifications to come with FinReg and the information management crisis it will surely bring:

  • Traversing oceans of unmanaged data.  Enterprises are already drowning in content, the vast majority of which is not classified, indexed or searchable.  Now with FinReg, these same enterprises will be forced to comb through oceans of content on veritable wild goose chases led by regulators who may not even know what they are looking for…all of which is supposed to happen in a matter of days, not weeks or months.  This is simply a practical impossibility for most enterprises today, especially with the rudimentary search and ECA tools many still use.
  • Hunting in the darkness without a flashlight.  Think keyword search is bad in the eDiscovery context?  What if data volumes were increased by 10x - 1,000x and timelines were shrunk to days or a few weeks instead of months?  That’s what FinReg could very well bring, which would expose keyword-only search as the ridiculously outdated and ineffective approach it really is.  Regulators aren’t (and won’t be) using keyword-only search, and those they regulate won’t either unless they want to see their businesses subject to enormous risk from having no clue what a regulator might see until it’s too late.
  • Say goodbye to privilege and ECA as we know them?  Heavily regulated enterprises are quite accustomed to searching, assessing, collecting and reviewing ESI before turning it over to regulators, both to ensure that privileged material is not shared and that the enterprise understands how bad things might be before the regulator does.  But if terabytes of ESI must be turned over to regulators within days or just a few weeks, only the most advanced concept search and automated classification eDiscovery and compliance tools will be able to give enterprises any kind of instant insight.  The days of using simplistic “ECA” pizza boxes to cull down a few GBs of ESI will clearly be over, replaced once and for all (for FinReg-covered companies, at least) by robust integrated preservation/ECA/collection/processing/culling solutions.
  • Over-collection will explode cost and risk.  Over-collection of ESI (i.e. preserving and collecting far more ESI than is necessary) is still commonplace in eDiscovery, as people either don’t know about or are not using the far more effective targeted collection approach.  But given the aforementioned ESI volumes and tight timelines inherent with FinReg, over-collection will quickly balloon the cost of any regulatory response – and its risk, as the enterprise won’t have time to analyze much, if any, ESI before regulators begin to do the same (with sophisticated tools).


How can regulators and – more particularly – those companies they regulate prepare for FinReg?  Here are 4 “must haves” for survival in a FinReg world:

  • Classify content as it is created.  A huge challenge is the ability to know where and how to look for and find relevant content.  For most enterprises, the vast majority of their content sits unclassified in myriad different places, making “findability” exceedingly difficult, costly and time consuming.  Classifying enterprise content up front not only makes regulatory response much quicker, easier and less expensive, it allows everyone else in the company – including the ones who are trying to actually make money for the company – to use information much more effectively.  Regulators have already begun doing this, and enterprises must do the same.
  • Be able to search, collect and assess ESI instantly.  Self-collection and forensic imaging simply won’t work in FinReg responses; what is required is the ability to conduct targeted collections using sophisticated search tools that can index hundreds of different file types; such sophisticated search capabilities must be part and parcel of the collection capabilities.  Additionally, ECA must be conducted at this stage (not weeks after) as there simply won’t be enough time to wade through mountains of ESI to find the key set of materials that will make or break a case.
  • Do not rely on keyword search alone.  Concept search is ready for prime-time, and FinReg may just force it on stage.  Keyword-only search has always been extremely inaccurate; now with large volumes and short turnarounds, regulated companies will have no choice but to employ more powerful search capabilities.  And regulators will have neither the time nor the incentive to negotiate keyword search terms, so companies will be on their own to find a better way.
  • Use technology that quickly hones in on the 5-10% that matters.  This may be the most critical element, as companies will face a stark choice: either use powerful analytics tools (like Predictive Analytics™ or Predictive Coding™) to find key documents quickly, or see risk skyrocket by flying blind.  For large enterprises, this is one risk that shouldn’t be worth taking.


At Recommind we’ve already seen a huge spike in eDiscovery, information management and compliance-related projects amongst large enterprises, many of them subject to FinReg and some of which are even focused on automated content classification at the front end of the process in addition to the myriad collection/ECA and Predictive Coding projects.  FinReg is likely to expedite this trend, as companies will see the threat looming on the horizon.  Regulators are already deploying the most sophisticated technology available; the enterprises subject to their regulation should take note and do the same.

Posted by: Craig Carpenter on July 21, 2010, 5:00 pm
