Books and Records
Regulatory Obligations and Related Considerations
Exchange Act Rules 17a-3 and 17a-4, as well as FINRA Rule 3110(b)(4) (Review of Correspondence and Internal Communications) and FINRA Rule Series 4510 (Books and Records Requirements) (collectively, Books and Records Rules) require a firm to, among other things, create and preserve, in an easily accessible place, originals of all communications received and sent relating to its “business as such.”
Such records must be immediately produced or reproduced and may be maintained and preserved for the required time on electronic storage media (ESM) subject to the conditions set forth in Exchange Act Rule 17a-4(f)(2) (ESM Standards), including “non-rewriteable and non-erasable format.” Firms must also provide notification to FINRA as required by Exchange Act Rule 17a-4(f)(2)(i), including a representation that the selected storage media meets the conditions of Exchange Act Rule 17a-4(f)(2) and a third-party attestation as set forth in Exchange Act Rule 17a-4(f)(3)(vii) (collectively, ESM Notification Requirements).
- What kinds of vendors, such as cloud service providers (Cloud Vendors), does your firm use to comply with the Books and Records Rules, including storing required records on ESM? How does it confirm compliance with the Books and Records Rules, ESM Standards and ESM Notification Requirements?
- Has your firm reviewed its Books and Records Rule policies and procedures to confirm they address all vendors, including Cloud Vendors?
Exam Findings and Effective Practices
- Misinterpreted Obligations – Not performing due diligence to verify that the vendors they use are able to comply with the Books and Records Rules; or not confirming that service contracts and agreements comply with the ESM Notification Requirements, because firms did not understand that all required records, including records stored using Cloud Vendors’ storage services, must comply with the Books and Records Rules.
- No ESM Notification – Not complying with the ESM Notification Requirements, including obtaining the third-party attestation letters required by Exchange Act Rule 17a-4(f)(3)(vii).
- Contract Review – Reviewing vendors’ contracts and agreements to assess whether firms will be able to comply with the Books and Records Rules, ESM Standards and ESM Notification Requirements.
- Testing and Verification – Testing all vendors’—including Cloud Vendors’—capabilities to fulfill regulatory obligations by, for example, simulating a regulator’s examination by requesting records, and engaging regulatory or compliance consultants to confirm compliance with the Books and Records Rules, ESM Standards and ESM Notification Requirements (and, in some cases, engaging the consultant to provide the third-party attestation).
- Attestation Verification – Confirming with vendors, including Cloud Vendors, whether the firms or the vendors will provide the third-party attestation.