Books and Records
The SEC amended Rule 17a-4 on October 12, 2022 to modify the requirements regarding the maintenance and preservation of electronic records, the use of third-party recordkeeping services to hold records, and the prompt production of records. The effective date and compliance date for the amendments are January 3, 2023, and May 3, 2023, respectively. FINRA has prepared a chart that summarizes the most significant changes.
Section 17(a)(1) of the Securities Exchange Act of 1934 ("Exchange Act") requires registered broker-dealers to make, keep, furnish and disseminate records and reports prescribed by the Securities and Exchange Commission ("SEC"). The SEC's books and records rules applicable to broker-dealers, Exchange Act Rules 17a-3 and 17a-4, specify minimum requirements with respect to the records that broker-dealers must make, how long those records and other documents relating to a broker-dealer’s business must be kept and in what format they may be kept. The SEC requires that broker-dealers create and maintain certain records so that, among other things, the SEC, self-regulatory organizations ("SROs") and state securities regulators may conduct effective examinations of broker-dealers.
FINRA has also adopted specific recordkeeping rules applicable to its members and their associated persons. In addition, FINRA is responsible for, among other things, enforcing compliance by its members and their associated persons with the SEC books and records rules applicable to broker-dealers, the Municipal Securities Rulemaking Board ("MSRB") recordkeeping rules, as well as the recordkeeping rules of FINRA.
There are numerous rules and requirements in this area as well as firm-specific guidance that dictate the capture and retention of electronic communications, such as email and instant messages, as well as hard copy records. Registered representatives, supervisors and compliance officers need to understand these rules and adhere to them and their firm's relevant policies and procedures when conducting their business. Maintaining complete and accurate books and records is required in order to operate in the securities industry.
I. WHAT ARE BOOKS AND RECORDS?
In general, books and records are those books, accounts, records, memoranda, correspondence and other documentation or information that broker-dealer firms have to make and preserve in accordance with the federal securities laws, MSRB rules, FINRA rules and all other applicable laws, rules and regulations (collectively, the “recordkeeping rules”). The recordkeeping rules require firms to retain, among other records, communications relating to their "business as such," trade blotters, asset and liability ledgers, income and expense ledgers, capital account ledgers, customer account ledgers, securities records, order tickets and trade confirmations. The recordkeeping rules are intended, in part, to provide regulators with the ability to access and review such records. This overview focuses only on certain SEC and FINRA books and records requirements.
A. General Requirements
FINRA Rule 4511 (General Requirements) requires firms to: (1) make and preserve books and records as required under the rules of FINRA, the Exchange Act and the applicable Exchange Act rules; and (2) preserve the books and records required to be made pursuant to the FINRA rules in a format and media that complies with Exchange Act Rule 17a-4. In addition, FINRA Rule 4511 requires firms to preserve for a period of at least six years those FINRA books and records for which there is no specified retention period under the FINRA rules or applicable Exchange Act rules. This six-year retention period is a default retention period for those FINRA rules that require firms to preserve certain books and records, but do not specify a retention period, and where there is no retention period specified under the Exchange Act rules. In the absence of contrary guidance in a rule, if the books and records pertain to an account, the retention period is for six years after the date the account is closed; otherwise, the retention period is for six years after such books and records are made.
1. Integrity of Books and Records
Firms are required to store legible, true, accurate and complete copies of their books and records and to protect the integrity of the books and records from the time the books and records are created or received throughout the applicable retention period. Alteration, falsification and destruction of required books and records are serious violations of FINRA and SEC rules.
2. Recordkeeping Format or Medium
Firms may store their books and records in one of three formats or media:
- paper form;
- on micrographic media (microfilm, microfiche or any similar medium); or
- on an electronic recordkeeping system.
Micrographic media and electronic recordkeeping systems are subject to specific requirements, which are discussed under Exchange Act Rule 17a-4(f).
3. Retention Period
The retention period for firms’ books and records varies. All firms must adopt policies and procedures that address applicable recordkeeping obligations, including retention periods. Firms and their associated persons must follow the SEC and FINRA books and records requirements, and the individual firm’s policies, which may require longer retention periods.
4. SEC and FINRA Books and Records Requirements
Exchange Act Rules 17a-3 and 17a-4 contain some of the books and records that broker-dealers are required to create and retain.
In addition to the recordkeeping requirements of FINRA Rule 4511, the following are some of the other FINRA recordkeeping rules:
- FINRA Rule 2210(b)(4): Communications with the Public
- FINRA Rule 2241(d)(3): Research Analysts and Research Reports; Disclosure in Public Appearances
- FINRA Rule 2360(b)(23)(C)(iii): Options; Requirements; Tendering Procedures for Exercise of Options; Allocation of Exercise Assignment Notices
- FINRA Rule 5130(b): Restrictions on the Purchase and Sale of Initial Equity Public Offerings; Preconditions for Sale
B. Supervision
FINRA Rules 3110 (Supervision) and 3120 (Supervisory Control System) require firms to establish, maintain and enforce supervisory systems and written supervisory procedures reasonably designed to comply with their recordkeeping obligations. In addition, firms are required to periodically review and update their recordkeeping written supervisory procedures and to have appropriate written supervisory control procedures to test and verify that those recordkeeping supervisory procedures are reasonably designed to comply with applicable recordkeeping laws and regulations and FINRA rules and to update or amend them if necessary.
C. Consequences
Failure to meet FINRA, SEC and firm recordkeeping requirements may result in serious consequences for firms and their associated persons, including fines and other disciplinary actions.
II. ELECTRONIC RECORDKEEPING SYSTEM ("ERS")
A. Exchange Act Rule 17a-4(f) Compliant ERS
The records required to be maintained and preserved pursuant to Exchange Act Rules 17a-3 and 17a-4 may be immediately produced or reproduced by means of an ERS (a system that preserves records in a digital format in a manner that permits the records to be viewed and downloaded).
An ERS must meet the following technical requirements:
- Records Preservation Format
  The ERS must preserve a record for the duration of its applicable retention period:
  - In a manner that maintains a complete time-stamped audit trail that includes:
    - all modifications to and deletions of the record or any part thereof;
    - the date and time of actions that create, modify or delete the record;
    - if applicable, the identity of the individual creating, modifying or deleting the record; and
    - any other information needed to maintain an audit trail of the record in a way that maintains security, signatures and data to ensure the authenticity and reliability of the record and will permit re-creation of the original if it is modified or deleted; or
  - Exclusively in a non-rewriteable, non-erasable (i.e., WORM) format.
- Verification
  The ERS must verify automatically the completeness and accuracy of the processes for storing and retaining records electronically. This requirement is designed to ensure that when an original record is added to the ERS it is completely and accurately captured in the system;
- Serialization
  For those ERSs that use optical discs to meet the WORM requirement, the ERS must serialize the original and duplicate units of the storage media (i.e., the optical disc), and time-date for the required retention period the information placed on such storage media (i.e., the optical disc);
- Download and Transfer
  The ERS must have the capacity to: (1) readily download and transfer copies of a record and its audit trail (if applicable) in both a human readable format and in a reasonably usable electronic format; and (2) readily download and transfer the information needed to locate the electronic record. A reasonably usable electronic format is a format that is common and compatible with commonly used systems for accessing and reading electronic records. This will allow regulators to search and sort information on the records using a computer; and
- Backup System or Redundancy Capabilities
  Firms that use an ERS to preserve required records have the following options:
  - Have a backup ERS that meets the requirements of Rule 17a-4(f) and that retains the records in a manner that will serve as a redundant set of records if the original ERS is temporarily or permanently inaccessible; or
  - Have other redundancy capabilities that are designed to ensure access to the records (with a level of redundancy that is at least equal to the level that is achieved through using a backup ERS).
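The audit-trail alternative under Records Preservation Format, sketched as an added example (not FINRA's or the SEC's text or code): an append-only per-record event log that captures each create, modify and delete with its time and actor, and can still return the original after later changes. The class, record and actor names are hypothetical, and the hash chain linking entries is an assumption added here so that edits to the trail itself are detectable; the requirements above do not prescribe it.

```python
import hashlib
import json
from datetime import datetime, timezone


def _digest(entry):
    """SHA-256 over every field of an entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrailStore:
    """Hypothetical append-only store: records are never overwritten in place."""

    def __init__(self):
        self._trails = {}  # record_id -> list of audit entries, oldest first

    def _append(self, record_id, action, actor, content):
        trail = self._trails.setdefault(record_id, [])
        entry = {
            "seq": len(trail),
            "action": action,                # create / modify / delete
            "actor": actor,                  # identity of the individual acting
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "content": content,              # None for a delete
            # Assumption (not in the rule summary): chain to the previous entry.
            "prev_hash": trail[-1]["entry_hash"] if trail else "0" * 64,
        }
        entry["entry_hash"] = _digest(entry)
        trail.append(entry)
        return entry

    def _require_live(self, record_id):
        trail = self._trails.get(record_id)
        if not trail or trail[-1]["action"] == "delete":
            raise KeyError(f"no live record {record_id!r}")

    def create(self, record_id, actor, content):
        if record_id in self._trails:
            raise ValueError("record already exists; use modify()")
        return self._append(record_id, "create", actor, content)

    def modify(self, record_id, actor, content):
        self._require_live(record_id)
        return self._append(record_id, "modify", actor, content)

    def delete(self, record_id, actor):
        # A delete is logged as an event; earlier versions stay in the trail.
        self._require_live(record_id)
        return self._append(record_id, "delete", actor, None)

    def current(self, record_id):
        return self._trails[record_id][-1]["content"]

    def original(self, record_id):
        """Re-create the record as first stored, whatever happened later."""
        return self._trails[record_id][0]["content"]

    def trail(self, record_id):
        return [dict(e) for e in self._trails[record_id]]

    def verify(self, record_id):
        """Recompute the chain; False if any entry was altered or reordered."""
        prev = "0" * 64
        for seq, e in enumerate(self._trails[record_id]):
            if e["seq"] != seq or e["prev_hash"] != prev or e["entry_hash"] != _digest(e):
                return False
            prev = e["entry_hash"]
        return True


def demo():
    # Constructed sample record and actors, for illustration only.
    store = AuditTrailStore()
    store.create("order-0001", "rep.alice", "BUY 100 XYZ @ 10.00")
    store.modify("order-0001", "sup.bob", "BUY 150 XYZ @ 10.00")
    store.delete("order-0001", "sup.bob")
    intact = store.verify("order-0001")
    # Simulate an out-of-band edit that bypasses the store's API.
    store._trails["order-0001"][1]["content"] = "BUY 100 XYZ @ 10.00"
    return (store.original("order-0001"), store.current("order-0001"),
            intact, store.verify("order-0001"))
```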
Broker-dealers that use an ERS must also meet the following requirements:
1. Production Facilities
The broker-dealer must have at all times available facilities for immediately producing the records preserved by means of the ERS and for producing copies of those records.
2. Production Ability
The broker-dealer must be ready at all times to provide, and immediately provide, any record stored by means of the ERS upon request.
3. Audit System
For broker-dealers using an ERS that maintains and preserves required records exclusively in WORM format, the broker-dealer must have an audit system providing for accountability regarding inputting of records into the ERS and of any changes made to every original and duplicate record maintained and preserved on such ERS. In addition, SEC and SRO staffs must be able to examine the results of such audit system, and the broker-dealer must retain the audit results for the same amount of time required for the audited records.
4. Accessing and Locating Records
The broker-dealer must organize, maintain, keep current and provide promptly upon request by the SEC or SRO staffs all information necessary to access and locate records preserved by means of the ERS.
5. Designated Executive Officer and Designated Third-Party Access Undertakings
If the broker-dealer stores some or all of its required records on an ERS, the broker-dealer must also have at all times filed with the broker-dealer’s designated examining authority (“DEA”) an undertaking(s) with respect to such records signed by either a designated executive officer (DEO) or designated third party (D3P) (in the express form specified in Exchange Act Rule 17a-4(f)(3)(v)(A)).
A DEO must be a member of the broker-dealer’s senior management who has access to and the ability to provide records maintained on the ERS either directly or through a designated specialist (DS) who reports directly or indirectly to the DEO. The DEO may also appoint in writing up to three designated specialists. A DS must be an employee of the broker-dealer who has access to, and the ability to provide records maintained and preserved on, the ERS. The DEO may also appoint in writing up to two designated officers (DOs) who will take the steps necessary to fulfill the DEO’s obligations as specified in the undertakings in the event the DEO is unable to fulfill those obligations. A DO must be an employee of the broker-dealer who reports directly or indirectly to the DEO and who has access and the ability to provide records maintained and preserved on the ERS either directly or through a DS who reports directly or indirectly to the DO.
In any event, the appointment of, or reliance on, a DO(s) or DS(s) does not relieve the DEO of the obligations set forth in the undertaking(s).
A broker-dealer also has the option of submitting to its DEA an undertaking(s) signed by a D3P. A D3P is a person that is not affiliated with the broker-dealer who has access to and the ability to provide records maintained and preserved on the ERS.
The SEC has designated a broker-dealer’s examining authority (e.g., FINRA) as a Commission designee for the purposes of Rule 17a-4(f).
Broker-dealers may engage the services of third parties in order to prepare or maintain the broker-dealer’s required books and records. If a broker-dealer’s required records are prepared or maintained by a third-party service provider, such third-party service provider must file with the SEC either a “Traditional Undertaking” or an “Alternative Undertaking” pursuant to SEA Rule 17a-4(i).
- Traditional Undertaking
Where a broker-dealer’s required records are prepared or maintained by a third-party service provider (in either paper or electronic form), that third-party service provider must file with the SEC a written undertaking signed by a duly authorized person in the express form specified in Exchange Act Rule 17a-4(i)(1)(i) (“Traditional Undertaking”). The Traditional Undertaking must provide that the records in question are the property of the broker-dealer, and such records will be surrendered promptly on request of the respective broker-dealer. The third party must also undertake to permit examination of the records by representatives or designees of the SEC, and to promptly furnish to the Commission or its designee true, complete and current hard copies of any or all or any part of such books and records.
- Alternative Undertaking
A third-party service provider (including an affiliate of a broker-dealer) may, instead of a Traditional Undertaking, file with the SEC a written undertaking signed by a duly authorized person in the express form specified in Exchange Act Rule 17a-4(i)(1)(ii) (“Alternative Undertaking”). A third party may submit an Alternative Undertaking if the third party maintains and preserves a broker-dealer’s required records by means of an ERS that utilizes servers or other storage devices that are owned or operated by the third party and the broker-dealer has “independent access” to the records, as defined in Exchange Act Rule 17a-4(i)(1)(ii)(B). The ability to provide the Alternative Undertaking does not apply when the third party maintains records in a paper format or on micrographic media.
In the Alternative Undertaking, the third-party service provider must acknowledge that the records are the property of the broker-dealer, and that the broker-dealer has represented to the recordkeeping service that the broker-dealer: (1) is subject to the SEC rules governing the maintenance and preservation of certain records; (2) has independent access to the records maintained by the third party; and (3) consents to the third party fulfilling the obligations set forth in the Alternative Undertaking.
In addition, the third-party service provider must undertake to facilitate within its ability, and not impede or prevent: (1) the examination, access, download or transfer of records by a representative or designee of the SEC as permitted under the law; or (2) a trustee appointed under the Securities Investor Protection Act of 1970 to liquidate the broker-dealer in accessing, downloading or transferring the records as permitted under the law.
Rule 17a-4(i) provides that an agreement with an outside entity does not relieve the broker-dealer from the responsibility to prepare and maintain required records.
A broker-dealer that uses another person, firm or organization to maintain its records also must provide the appropriate disclosures regarding such an arrangement on its Form BD (Uniform Application for Broker-Dealer Registration).
III. OUTSOURCING
As noted above, a broker-dealer may use a third-party recordkeeping service to prepare or maintain the broker-dealer's required records. However, firms have a continuing responsibility to oversee, supervise and monitor the recordkeeping service’s performance of covered activities, and they must have in place specific policies and procedures to monitor the third-party recordkeeping service's compliance with the terms of any agreements and assess the recordkeeping service's continued fitness and ability to perform the activities being outsourced. Firms should also ensure that their policies and procedures provide for the due diligence analysis of the recordkeeping service provider to determine whether the recordkeeping service is capable of performing these functions, particularly in light of the risks of cyberattacks. Further, outsourcing a recordkeeping function to a third party does not relieve the broker-dealer of its ultimate responsibility for compliance with applicable FINRA and SEC rules. For a detailed discussion of additional outsourcing issues and effective cybersecurity practices, see Regulatory Notice 21-29 (August 2021) (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors), Report on Selected Cybersecurity Practices – 2018 and Report on Cybersecurity Practices (February 2015).
IV. ELECTRONIC COMMUNICATIONS
Books and Records Rules Pertaining to Electronic Communications
Exchange Act Rule 17a-4(b)(4) requires that a broker-dealer retain originals of all communications received and copies of all communications sent by the broker-dealer relating to its "business as such" for at least three years, the first two years in an easily accessible place. See also FINRA Rule 3110.09 (Retention of Correspondence and Internal Communications). This requirement applies to all electronic communications relating to the firm’s business, including all communications that are subject to rules of the self-regulatory organization of which the broker-dealer is a member regarding communications with the public. This would include emails, instant messages and business-related social media posts. See Notice to Members 03-33 (July 2003) (Clarification for Members Regarding Supervisory Obligations and Recordkeeping Requirements for Instant Messaging) and Regulatory Notice 17-18 (Guidance on Social Networking Websites and Business Communications).
Significantly, this requirement covers both external and internal electronic communications relating to the firm's business. An email between registered representatives in the same firm is one example of an internal electronic communication. Furthermore, the requirement equally applies whether the electronic communication was received or sent through a member’s or a third-party's platform or system. Firms may not permit the use of any type of electronic communication if they are unable to satisfy the applicable recordkeeping requirements with respect to that particular type of electronic communication.
In general, FINRA and SEC rules do not prohibit the use of non-firm email systems or accounts to conduct firm business provided that the firm captures and retains the emails as it would with emails emanating from its own email system or account.
Firms also have an obligation to supervise electronic communications relating to their business and ensure the privacy of such communications. See:
Guidance
- Notice to Members 05-49 (Safeguarding Confidential Customer Information) (July 2005)
- Regulatory Notice 10-06 (Guidance on Blogs and Social Networking Web Sites) (January 2010)
- Regulatory Notice 11-39 (Guidance on Social Networking Websites and Business Communications) (August 2011)
- Regulatory Notice 17-18 (Guidance on Social Networking Websites and Business Communications) (April 2017)
- Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection With Potential Account Takeovers and New Account Fraud)
- Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors) (August 2021)
Reports and Other Materials
- Report on Cybersecurity Practices (February 2015)
- Report on Selected Cybersecurity Practices – 2018
- Small Firm Cybersecurity Checklist
CONTACT OGC
FINRA's Office of General Counsel (OGC) staff provides broker-dealers, attorneys, registered representatives, investors and other interested parties with interpretative guidance relating to FINRA’s rules. Please see Interpreting the Rules for more information.
OGC staff contacts:
Afshin Atabaki, Nicholas Vitalo and Carrie Jordan
FINRA, OGC
1700 K Street, NW
Washington, DC 20006
(202) 728-8000