Books and Records

Regulatory Obligations and Related Considerations

Regulatory Obligations

Exchange Act Rules 17a-3 and 17a-4 specify minimum requirements with respect to the records that broker-dealers must make, how long those records and other documents relating to a broker-dealer’s business must be kept and in what format they may be kept. Exchange Act Rule 17a-4(b)(4) and FINRA Rules 3110(b)(1) (General Requirements), 3110.09 (Retention of Correspondence and Internal Communications) and 2210(b)(4) (Recordkeeping) require member firms to establish, maintain and enforce written procedures to supervise the types of business in which they engage and the activities of their associated persons that are reasonably designed to, among other things, create and preserve, in an easily accessible place, originals of all communications received and sent relating to their “business as such” (e.g., emails, instant messages, text messages, chat messages, interactive blogs). In addition, FINRA Rule 3110(b) (Written Procedures) requires member firms to establish, maintain and enforce written procedures to supervise the types of business in which they engage and the activities of their associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules.

FINRA Rule 4511(a) (General Requirements) requires members to make and preserve books and records as required under the FINRA Rules, the Exchange Act and applicable Exchange Act Rules. The obligations set forth in Rules 17a-3 and 17a-4 and FINRA Rules 2210(b)(4) and 4511(a) (collectively, Books and Records Rules) apply to all member firms, including those that permit staff to use off-channel communications to conduct firm business.

Effective January 3, 2023, the SEC amended Rule 17a-4 to modify the requirements regarding the maintenance and preservation of electronic records, including the use of third-party recordkeeping services to hold records and the prompt production of records. In part, these amendments impact the required language of the third-party access undertakings applicable to firms that utilize an electronic recordkeeping system to maintain and preserve records required under Rules 17a-3 and 17a-4. As a result, those firms that preserve required records electronically, including those firms that elect to continue using their current third-party access arrangements, must file with FINRA updated third-party access undertakings that reflect the new language specified under Rule 17a-4(f)(3)(v).

Related Considerations

  • If your firm emails its clients and customers links to Virtual Data Rooms (VDRs)—online data repositories that secure and distribute confidential information—does your firm retain and store documents embedded in those links once the VDRs are closed?
  • If your firm is converting paper records to electronic records, does it maintain procedures and controls to verify the conversion process (e.g., comparing electronic and original records) to confirm that the electronic records are accurate, complete and readable?
  • If applicable, has your firm filed with FINRA an updated Third-Party Access Undertaking letter or an undertaking signed by a Designated Executive Officer?

Off-Channel Communications

  • FINRA uses a risk-based approach to review how firms capture, surveil and maintain business-related communications.
  • Because off-channel communications occur on non-firm platforms or devices, there is an increased risk that they are not maintained and preserved as part of the firm’s books and records.
  • This risk has become a particular area of focus for regulators—the SEC has issued fines in 20212022 and 2023 related to firms’ failures to maintain and preserve certain off-channel electronic communications.
  • FINRA will share any helpful observations or effective practices that may emerge from its risk-based reviews of member firms’ practices related to off-channel communications. Firms may also find it helpful to consider the guiding questions below when assessing whether their supervisory systems and compliance programs are reasonably designed to capture, supervise and maintain off-channel communications.
  • Does your firm’s electronic communication policy include:
    • procedures and controls to maintain, preserve and monitor all business-related correspondence by staff, including that which is conducted via off-channel communication methods;
    • processes and procedures to monitor for new electronic communication channels available to customers and associated persons; and
    • required training and guidance that your firm’s associated persons must complete before they are permitted access to firm-approved electronic communication channels?
  • How does your firm communicate to its associated persons, and monitor and surveil for compliance with, the prohibition against using unapproved off-channel communication methods for business communications? For example, does your firm surveil:
    • approved communication channels and customer complaints for indicia of communications occurring through off-channel text or encrypted messaging channels (e.g., email chains that copy a registered representative’s email address from an off-channel domain, references in emails to electronic communications that occurred outside firm-approved channels or customer complaints mentioning such communications); and
    • approved communication channels for signs of underutilization (that could present a red flag that an associated person is utilizing an unapproved channel for business communications)?
  • What corrective or disciplinary measures has your firm implemented to deter its associated persons from circumventing supervisory controls related to off-channel communications?

Findings and Effective Practices

Findings

  • Misinterpreted Obligations: Not performing due diligence to verify vendors’ ability to comply with Books and Records Rules requirements; or not confirming that service contracts and agreements comply with the recordkeeping requirement because firms did not understand that all required records must comply with the Books and Records Rules, including records vendors store.
  • Failure to Maintain Email Correspondence: Failing to capture, review and archive electronic correspondence of:
    • registered representatives (or outside or part-time chief compliance officers and Financial and Operations Principals (FINOPs)) conducting firm business via third-party vendor email addresses (because vendors failed to automatically archive this correspondence and staff failed to follow firms’ procedures to copy their firm email addresses on all business-related email correspondence); or
    • registered representatives’ permitted use of non-firm email addresses to conduct firm business, including domains for “doing business as” (DBA) entities.
  • Failure to Maintain Converted Records: Failing to maintain policies and procedures and related controls to protect the integrity of records from the time the records are created or received throughout the applicable retention period, and confirm physical books and records converted to electronic records were accurate, complete and readable.

Effective Practices

  • Contract Review: Reviewing vendors’ contracts and agreements to assess whether firms will be able to comply with the recordkeeping requirements.
  • Testing and Verification: Testing recordkeeping vendors’ capabilities to fulfill regulatory obligations by, for example, simulating a regulator’s examinations by requesting records and engaging regulatory or compliance consultants to confirm compliance with the recordkeeping requirements.

Additional Resources

Previous:
Outside Business Activities and Private Securities Transactions
Up:
Books and Records
Next:
Regulatory Events Reporting