Books and Records
Regulatory Obligations and Related Considerations
Exchange Act Rules 17a-3 and 17a-4, as well as FINRA Rule 3110(b)(4) (Review of Correspondence and Internal Communications) and FINRA Rule 4511 (General Requirements) (collectively, Books and Records Rules) require member firms to, among other things, create and preserve, in an easily accessible place, originals of all communications received and sent relating to their “business as such” (e.g., emails, instant messages, text messages, chat messages, interactive blogs). This obligation applies to all member firms, including those that permit staff to use non-firm or third-party digital communications channels to conduct firm business.
Recent Amendments to Exchange Act Rule 17a-4’s Electronic Recordkeeping Requirements
The SEC has recently adopted amendments to Exchange Act Rule 17a-4 that modernize electronic recordkeeping requirements for broker-dealers and make them adaptable to new technologies in electronic recordkeeping.
Notably, the SEC is adding an audit-trail alternative to the existing requirement that firms preserve electronic records exclusively in a non-rewriteable, non-erasable format—allowing firms to retain these records in a manner that permits the recreation of an original record if it is altered, over-written or erased.
Other amendments to Exchange Act Rule 17a-4 include:
- allowing firms to designate an executive officer, rather than an independent third party, to execute an undertaking that provides regulators with access to the firm’s electronic records;
- allowing an alternative undertaking for cloud service providers that is tailored to how they retain electronic records;
- eliminating the requirement that a broker-dealer notify its designated examining authority before employing an electronic recordkeeping system for the first time; and
- requiring that broker-dealers be able to produce electronic records in a reasonably usable electronic format that allows regulators to search and sort information on the records.
Firms should be aware that the amendments modify the language of the required undertakings under Exchange Act Rule 17a-4(f). As a result, all firms relying on Rule 17a-4(f) to preserve required records electronically must file new undertakings that include the new language with FINRA, including firms that elect to continue using their current third-party access arrangements.
For additional guidance, please see the “Exchange Act Rule 17a-4 Amendments: Chart of Significant Changes” link in this section’s Additional Resources.
Related Considerations
- Does your firm’s digital communication policy address all permitted and prohibited digital communication channels and features available to your customers and associated persons, including:
  - procedures and controls to retain all correspondence by staff conducting firm business via third-party digital communications channels;
  - processes and procedures to monitor for new communications methods available to customers and associated persons; and
  - training and guidance your firm’s associated persons have to complete before they are permitted access to firm-approved communication channels?
- Does your firm review for red flags that may indicate a registered representative is communicating through an unapproved communication channel, and does your firm follow up on such red flags (e.g., email chains that copy unapproved representative email addresses, references in emails to communications that occurred outside approved firm channels or customer complaints mentioning such communications)?
- If your firm emails its clients and customers links to Virtual Data Rooms (VDRs)—online data repositories that secure and distribute confidential information—does your firm retain and store documents embedded in those links once the VDRs are closed?
- If your firm is converting paper records to electronic records, does it maintain procedures and controls to verify the conversion process (i.e., comparing electronic and original records) to confirm that the electronic records are accurate, complete and readable?
Findings and Effective Practices
Findings
- Misinterpreted Obligations: Not performing due diligence to verify vendors’ ability to comply with Books and Records Rules requirements; or not confirming that service contracts and agreements comply with the recordkeeping requirement because firms did not understand that all required records must comply with the Books and Records Rules, including records vendors store.
- Failure to Maintain Email Correspondence: Failing to maintain email correspondence of registered representatives, or outside or part-time CCOs and Financial and Operations Principals (FinOps), conducting firm business via third-party vendor email addresses, because vendors failed to automatically archive this correspondence, and staff failed to follow firms’ procedures to copy their firm email addresses on all business-related email correspondence.
- Failure to Maintain Converted Records: Failing to maintain policies and procedures and related controls to protect the integrity of records from the time the records were created or received throughout the applicable retention period and confirm physical books and records converted to electronic records were accurate, complete and readable.
Effective Practices
- Contract Review: Reviewing vendors’ contracts and agreements to assess whether firms will be able to comply with the recordkeeping requirements.
- Testing and Verification: Testing recordkeeping vendors’ capabilities to fulfill regulatory obligations by, for example, simulating a regulator’s examinations by requesting records and engaging regulatory or compliance consultants to confirm compliance with the recordkeeping requirements.