Section 17(a)(1) of the Securities Exchange Act of 1934 ("Exchange Act" or "SEA") requires registered broker-dealers to make, keep, furnish and disseminate records and reports prescribed by the Securities and Exchange Commission ("SEC"). The SEC books and records rules applicable to broker-dealers, SEA Rules 17a-3 and 17a-4, specify minimum requirements with respect to the records that broker-dealers must make, how long those records and other documents relating to a broker-dealer’s business must be kept and in what format they may be kept. The SEC requires that broker-dealers create and maintain certain records so that, among other things, the SEC, self-regulatory organizations ("SROs") and state securities regulators may conduct effective examinations of broker-dealers.
FINRA also has specific recordkeeping rules. In addition, FINRA is responsible for, among other things, enforcing compliance by its members and their associated persons with the SEC books and records rules applicable to broker-dealers, the Municipal Securities Rulemaking Board ("MSRB") recordkeeping rules, as well as the recordkeeping rules of FINRA.
Maintaining complete and accurate books and records is required in order to operate in the securities industry. There are numerous rules and requirements in this area as well as firm-specific guidance that dictate the capture and retention of electronic communications, such as email and instant messages, as well as hard copy records. Registered representatives, supervisors and compliance officers need to understand these regulations and adhere to them and their firm's guidance when conducting their business.
In general, books and records are the books, accounts, records, memoranda, correspondence and other documentation or information that firms have to make and preserve in accordance with the federal securities laws, MSRB rules, FINRA rules and all other applicable laws, rules and regulations. The recordkeeping rules require firms to retain, among other records, communications relating to their "business as such," and include trade blotters, asset and liability ledgers, income and expense ledgers, capital account ledgers, customer account ledgers, securities records, order tickets and trade confirmations. These recordkeeping requirements are intended, in part, to provide regulators with the ability to access and review such records. As noted, this overview only focuses on some of the applicable SEC and FINRA books and records requirements.
A. General Requirements
FINRA Rule 4511 (General Requirements) requires firms to: (1) make and preserve books and records as required under the rules of FINRA, the SEA and the applicable SEA rules; and (2) preserve the books and records required to be made pursuant to the FINRA rules in a format and media that complies with SEA Rule 17a-4. In addition, FINRA Rule 4511 requires firms to preserve for a period of at least six years those FINRA books and records for which there is no specified retention period under the FINRA rules or applicable SEA rules. This six-year retention period is a default retention period for those FINRA rules that require firms to preserve certain books and records, but do not specify a retention period, and where there is no retention period specified under the SEA rules. In the absence of contrary guidance in a rule, if the books and records pertain to an account, the retention period is for six years after the date the account is closed; otherwise, the retention period is for six years after such books and records are made.
1. Integrity of Books and Records
Firms are required to store legible, true, accurate and complete copies of their books and records and to protect the integrity of the books and records from the time the books and records are created or received throughout the applicable retention period. Alteration, falsification and destruction of required books and records are serious violations.
2. Recordkeeping Format or Medium
Firms may store their books and records in one of three formats or media:
in paper form;
on micrographic media (microfilm, microfiche or any similar medium); or
on electronic storage media.
Micrographic media and electronic storage media are subject to specific conditions, which are discussed under SEA Rule 17a-4(f).
3. Retention Period
The retention period for firms’ books and records varies. All firms must have policies and procedures that address recordkeeping obligations, including retention periods. You must follow the SEC and FINRA books and records requirements, and your individual firm’s policies, which may require longer retention periods.
4. SEC and FINRA Books and Records Requirements
SEA Rules 17a-3 and 17a-4 contain some of the books and records that broker-dealers are required to create and retain.
In addition to the recordkeeping requirements of FINRA Rule 4511, the following are some of the other FINRA recordkeeping rules:
FINRA Rules 3110 (Supervision) and 3120 (Supervisory Control System) require firms to establish, maintain and enforce supervisory systems and written supervisory procedures reasonably designed to comply with their recordkeeping obligations. In addition, firms are required to periodically review and update their recordkeeping written supervisory procedures and to have appropriate written supervisory control procedures to test and verify that those recordkeeping supervisory procedures are reasonably designed to comply with applicable recordkeeping laws and regulations and FINRA rules and to update or amend them if necessary.
Failure to meet FINRA, SEC and firm recordkeeping requirements may result in serious consequences for firms and their associated persons, including fines and other disciplinary actions.
The records required to be maintained and preserved pursuant to SEA Rules 17a-3 and 17a-4 may be immediately produced or reproduced on micrographic media (microfilm or microfiche, or any similar medium) or electronic storage media ("ESM") (any digital storage medium or system) that meet the conditions set forth in SEA Rule 17a-4(f) and may be maintained and preserved for the required time on such media.
ESM must meet the following conditions:
1. Firm Notification
The broker-dealer must notify its Designated Examining Authority ("DEA") that it will use ESM before using ESM for the first time. If the broker-dealer plans to use ESM that is not optical disk technology, SEA Rule 17a-4(f) requires the broker-dealer to notify its DEA at least 90 days before its first use of such storage media. An optical disk is a direct-access disk written and read by light, such as a CD-ROM.
2. ESM Representation
The broker-dealer must provide to its DEA a representation that the selected ESM meets the following conditions:
preserves the records exclusively in a non-rewriteable, non-erasable format;
verifies automatically the quality and accuracy of the storage media recording process;
serializes the original and, if applicable, duplicate units of the storage media and also time-dates for the required retention period the information stored on it; and
has the capacity to readily download stored records and indexes to any medium acceptable under SEA Rule 17a-4(f) as required by the SEC or SROs of which the broker-dealer is a member.
This representation may come from the broker-dealer or from a storage medium vendor or other third party with the appropriate level of expertise.
3. Audit System
The broker-dealer must have an audit system that identifies when original and duplicate records are input onto the storage medium and when any changes to existing records are made. In addition, SEC and SRO staffs must be able to examine the results of such audit system, and the broker-dealer must retain the audit results for the same amount of time required for the audited records.
4. Access to Records and Indexes
The broker-dealer is required to retain, keep current and surrender upon request by the SEC or SRO staffs all the information needed to download stored records and indexes. Alternatively, the broker-dealer may place in escrow and keep current a copy of the physical and logical file format of the storage medium, the field format of all different information types written on the storage medium and the source code, together with the appropriate documentation and information necessary to access records and indexes.
5. Third-Party Access Representation
If the broker-dealer stores some or all of its required records exclusively on ESM, the broker-dealer also must have a third party file an undertaking (exactly as specified in SEA Rule 17a-4(f)(3)(vii)) with the broker-dealer’s DEA to the effect that the third party can provide access to records stored on the broker-dealer’s ESM.
In addition, both ESM and micrographic media must meet conditions 6 through 9 below:
6. Retrieval Facilities
The broker-dealer must have available facilities that allow SEC and SRO staffs to locate or readily access the appropriate records, read them and produce or download them.
7. Facsimile Enlargements
The broker-dealer must be able to immediately provide any facsimile enlargement of the record that the SEC, SRO or state securities regulator may request. For instance, if a record is stored in a scaled-down size, the broker-dealer must be able to provide an exact enlargement of the record upon request.
8. Duplicate Copy
The broker-dealer must store a duplicate copy of the record separately from the original. The duplicate copy may be stored on any of the three formats or media acceptable under SEA Rule 17a-4 (i.e., paper form, micrographic media or electronic storage media). The duplicate copy must be stored for the same amount of time as the original record.
The broker-dealer must accurately organize and index all information maintained on both the original and any duplicate storage media. The broker-dealer must be able to have such indexes available for examination by the SEC and SRO staffs. The broker-dealer also must store a duplicate copy of the index separately from each original index. The original and duplicate indexes must be stored for the same amount of time as the underlying indexed record.
A broker-dealer may use a recordkeeping service to maintain the broker-dealer's required records. However, firms have a continuing responsibility to oversee, supervise and monitor the recordkeeping service’s performance of covered activities, and they must have in place specific policies and procedures to monitor the recordkeeping service's compliance with the terms of any agreements and assess the service's continued fitness and ability to perform the activities being outsourced. Firms should also ensure that their policies and procedures provide for the due diligence analysis of the recordkeeping service provider to determine whether the recordkeeping service is capable of performing these functions, particularly in light of the risks of cyberattacks. Further, ultimate responsibility lies with the firm. For a detailed discussion of additional outsourcing issues and cybersecurity practices, see Notice to Members 05-48 (July 2005) (Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers) and Report on Cybersecurity Practices (February 2015).
In addition, if a broker-dealer's required records are maintained by a recordkeeping service, the recordkeeping service must file with the SEC a written undertaking pursuant to SEA Rule 17a-4(i) and the broker-dealer must provide the appropriate disclosures regarding such an arrangement on its Form BD (Uniform Application for Broker-Dealer Registration).
Significantly, this requirement covers both external and internal electronic communications relating to the firm's business. An email between registered representatives in the same firm is one example of an internal electronic communication. Furthermore, the requirement equally applies whether the electronic communication was received or sent through a member’s or a third-party's platform or system. Firms may not permit the use of any type of electronic communication if they are unable to satisfy the applicable recordkeeping requirements with respect to that particular type of electronic communication.
In general, FINRA and SEC rules do not prohibit the use of non-firm email systems or accounts to conduct firm business provided that the firm captures and retains the emails as it would with emails emanating from its own email system or account.
Firms also have an obligation to supervise electronic communications relating to their business and ensure the privacy of such communications.
Two important regulatory developments relate to obtaining customer information: the Anti-Money Laundering Customer Identification Rule and the SEC's Books and Records Customer Account Records Rule. These rules require that important customer identification be obtained. However, these rules have critical differences including their purposes, their definitions, and their timing requirements. We created this document to assist our member firms. It contains brief summaries of the rules' relevant provisions.