Books and Records

Regulatory Obligations and Related Considerations

Regulatory Obligations:

Exchange Act Rules 17a-3 and 17a-4, as well as FINRA Rule 3110(b)(4) (Review of Correspondence and Internal Communications) and the FINRA 4510 Rule Series (Books and Records Requirements) (collectively, Books and Records Rules) require a firm to, among other things, create and preserve, in an easily accessible place, originals of all communications received and sent relating to its “business as such.” [6]

Additionally, firms must file a Financial Notification when selecting or changing an archival service provider, and are reminded to document the review of correspondence and confirm that individuals are not conducting supervisory reviews of their own correspondence.

Related Considerations:

  • What kind of vendors, such as cloud service providers (Cloud Vendors), does your firm use to comply with Books and Records Rules requirements, including storing required records on electronic storage media (ESM)? How does it confirm compliance with the Books and Records Rules, ESM Standards and ESM Notification Requirements?
  • Has your firm reviewed its Books and Records Rules policies and procedures to confirm they address all vendors, including Cloud Vendors?
  • If your firm emails its clients and customers links to Virtual Data Rooms (VDRs)—online data repositories that secure and distribute confidential information—does the firm retain and store documents embedded in those links once the VDRs are closed?

Exam Findings and Effective Practices

Exam Findings:

  • Misinterpreted Obligations – Not performing due diligence to verify a vendor’s ability to comply with Books and Records Rules requirements if the firm uses that vendor; or not confirming that service contracts and agreements comply with ESM Notification Requirements because firms did not understand that all required records must comply with the Books and Records Rules, including records stored using Cloud Vendors’ storage services.
  • No ESM Notification – Not complying with the ESM Notification Requirements, including obtaining the third-party attestation letters required by Exchange Act Rule 17a-4(f)(3)(vii).

Effective Practices:

  • Contract Review – Reviewing vendors’ contracts and agreements to assess whether firms will be able to comply with the Books and Records Rules, ESM Standards and ESM Notification Requirements.
  • Testing and Verification – Testing all vendors’—including Cloud Vendors’—capabilities to fulfill regulatory obligations by, for example, simulating a regulator’s examinations by requesting records and engaging regulatory or compliance consultants to confirm compliance with the Books and Records Rules, ESM Standards and ESM Notification Requirements (and in some cases engaging the consultant to provide the third-party attestation).
  • Attestation Verification – Confirming with vendors, including Cloud Vendors, whether the vendors will provide the third-party attestation.

Direct Mutual Fund Business Risk

FINRA observed that some firms did not adequately supervise their direct mutual fund business (i.e., selling mutual fund shares via “check and app” that are held directly by the mutual fund companies) because, for example, they were:

  • maintaining blotters that did not include sufficient information to adequately supervise direct mutual fund transactions (e.g., not all transactions are captured or key information is missing, such as customer name, fund symbol and share class);
  • miscoding new mutual fund transactions as reinvestments or recurring contributions, which prevented them from going through firms’ surveillance and supervision systems; and
  • relying on ad hoc supervisory reviews by an insufficient number of designated principals.

As a result of these arrangements, many firms were unaware of, or had inadequate information about, direct mutual fund transactions that their registered representatives recommended or processed, and were not able to supervise them adequately. In some cases, this inability to supervise direct mutual fund business effectively resulted in firms not being able to identify inappropriate sales charge discounts, unsuitable share class recommendations and short-term mutual fund switching.

As part of their obligations under FINRA Rules 2010 (Standards of Commercial Honor and Principles of Trade), 2110 (Recommendations), 3110 (Supervision) and Reg BI, firms must supervise all activity of their registered representatives related to direct mutual fund transactions. Additionally, Exchange Act Rules 17a-3 and 17a-4 require firms to maintain and keep current purchase and sale blotters that contain relevant information for all direct mutual fund transactions, including redemptions. When evaluating your firm’s supervision of its direct mutual fund business, consider these questions:

  • What portion of your firm’s mutual fund business is application-based directly with mutual fund companies (in terms of dollar volume and number of accounts)?
  • How do your firm’s policies and procedures address supervision of your firm’s direct mutual fund business? What processes (e.g., regularly reviewing exception reports) does your firm use to review direct mutual fund transactions for compliance with applicable FINRA rules and securities regulations? Are such policies and procedures reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules?
  • What information does your firm gather from mutual fund companies or clearing entities (e.g., National Securities Clearing Corporation, Depository Trust and Clearing Corporation) to support its ability to adequately supervise its direct mutual fund business?

For additional guidance, please refer to Regulatory Notice 21-07 (FINRA Provides Guidance on Common Sales Charge Discounts and Waivers for Investment Company Products).


[6] The SEC is proposing amendments to 17a-4 to allow for electronic records to be preserved in a manner that permits the recreation of an original record if it is altered, over-written, or erased. See the SEC’s Proposed Rule: Electronic Recordkeeping Requirements for Broker-Dealers, Security-Based Swap Dealers, and Major Security-Based Swap Participants.