I am not an expert in financial institution regulations, but I believe government standards define a specific amount of time that e-mails must be retained. You should check with your compliance department to see what requirements you must follow. You can also take a look at PoliVec's Builder product, which helps you build security policies. They have a template that follows the standards necessary to adhere to the requirements of the Gramm-Leach-Bliley Act for financial institutions.
This was first published in October 2002