Electronic Recordkeeping and FINRA Email Retention Requirements – SEC Rule 17a-4(f)
The electronic recordkeeping requirements for broker-dealers are spelled out in SEC Rule 17a-4(f). SEC Rule 17a-4 is known as the broker-dealer record retention rule. In simple terms, it specifies the records that must be maintained by broker-dealers and for how long. SEC Rule 17a-4(b)(4) specifies that a broker-dealer must maintain, “Originals of all communications received and copies of all communications sent (and any approvals thereof) by the member, broker or dealer (including inter-office memoranda and communications) relating to its business as such, including all communications which are subject to rules of a self-regulatory organization of which the member, broker or dealer is a member regarding communications with the public” for a period of not less than three years, the first two in an easily accessible place. This includes emails, social media messages, online chat messages, instant messages, and any other form of written communication.
The rule is not new. So why is it the topic of discussion here? As a consultant to FINRA broker-dealers, Mitch Atkins, FINRA’s former Senior Vice President and South Region Director, frequently notes misunderstandings and misapplications of this requirement. And FINRA disciplinary actions still frequently cite members for violations of this rule.
FINRA is responsible for enforcing SEC books and records requirements for its members. As such, FINRA examiners frequently review for compliance with these requirements during examinations. As a former examiner for FINRA, Mitch Atkins spent plenty of time in the old days looking at information that was imaged on microfiche. In those days, the books and records requirements were simply satisfied by firms maintaining boxes and boxes of paper documents or reducing these to microfiche. If you were to ask someone you work with if they know what microfiche is, you might get a very strange look. Yes, microfiche is so 30 years ago. There were actually several stops along the path from paper (which was the only medium until about 1970) to the cloud. In fact, certain amendments to Rule 17a-4(f) came about after optical disk storage became popular. In February of 1997, the SEC amended its broker-dealer record retention rule (Release 34-38245) to allow broker-dealers to employ electronic storage media if they met certain conditions. But this rule change simply made two SEC no-action positions part of Rule 17a-4. Those no-action positions go back to 1979 (for microfiche and microfilm) and 1993 (for optical disk). Later, optical disk storage was replaced with simple CD-ROM or DVD technology.
And today, the popularity of electronic mail, instant messaging and social media has added tremendous complexity to these requirements. But it is important to remember that the concepts today are the same as they were back in the days of microfiche. Simply stated, broker-dealer records must be permanent (cannot be changed or erased), must be indexed and must be accessible. The technical term for the permanent part is WORM or Write Once Read Many. Broker-dealer records must be in WORM format, and in a FINRA or SEC examination, a broker-dealer must provide the examiners with a way to easily reproduce these records. The relevant rules also require that, prior to employing electronic storage for the first time, broker-dealers file notice with their regulator. Finally, broker-dealers must contract with a third party who has access to the electronic records to provide them if requested by certain parties.
Still, some broker-dealers misunderstand this requirement. When reviewing 17a-4(f) compliance there are many examples of non-compliant recordkeeping systems:
• document storage systems that allow data to be erased or changed
• storage in the “secure” cloud – which is not a permanent record
• email .pst files that are backed up at the end of the day – and can be changed or deleted intra-day
The fact is that no matter how secure your storage may be, if files can be deleted or altered in any way (for example, if your cloud service is terminated for non-payment), then this storage is not compliant with SEC Rule 17a-4. Further, back-ups at the end of the day that allow for email to be deleted intra-day are not acceptable either. Again, electronic records must be written once, read many, or WORM. FINRA has traditionally taken a fairly hard line on issues of electronic records non-compliance, so much so that the fine is often significantly more than what it would have cost to employ a 17a-4(f) compliant vendor to preserve your records in the required format. In fact, one vendor offers a special price to small FINRA broker-dealers of $30 per month for a single email user account.
Compliance with the electronic recordkeeping requirements enforced by FINRA is not a matter to be taken lightly. Mitch Atkins, FINRA’s former South Region Director, has extensive experience in compliance with the electronic recordkeeping requirements applicable to broker-dealers.