Books and Records

Regulatory Obligations

Several SEC and FINRA rules address firms’ obligations with regards to maintaining and preserving required books and records—for example, SEA Rules 17a-3 and 17a-4 and FINRA Rules 2210(b)(4) (Recordkeeping), 3110(b)(1) (Written Procedures), 3110.09 (Retention of Correspondence and Internal Communications) and 4511 (General Requirements).

SEA Rules 17a-3 and 17a-4 specify minimum requirements with respect to the records that broker-dealers must make, how long those records must be kept and the formats in which they may be kept. FINRA Rule 4511(a) (General Requirements) also requires firms to make and preserve books and records as provided under the FINRA rules, the SEA and applicable SEA rules. 

Among other records, firms are required to maintain and preserve specified financial records and records of business-related communications. For example, SEA Rules 17a-3(a)(11) and 17a-4(b)(5) address the recordkeeping requirements related to monthly trial balances, computations of aggregate indebtedness and net capital computations. In addition, SEA Rule 17a-4(b)(4) and FINRA Rules 3110.09 (Retention of Correspondence and Internal Communications) and 2210(b)(4) (Recordkeeping) address the recordkeeping requirements pertaining to business-related communications, including those received and sent via email, instant message, text message, chat message and interactive blog.

FINRA Rule 3110(b)(1) (Written Procedures) also requires firms to establish, maintain and enforce written procedures to supervise the types of business in which they engage and the activities of their associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules. This requirement includes procedures relating to firms’ recordkeeping obligations.

SEA Rule 17a-4(f) also sets forth format requirements for broker-dealers that wish to maintain and preserve required books and records on an electronic recordkeeping system. Specifically, such records must be preserved consistent with the non-rewritable, non-erasable (i.e., WORM) requirement, or consistent with the audit-trail requirement, as described under SEA Rule 17a-4(f).

Findings

• Discrepancies in Financial and Operational Combined Uniform Single (FOCUS) Reports, Net Capital and Reserve Formula Reporting: Inaccurate books and records (e.g., general ledger, trial balance) resulting in discrepancies with firms’ net capital and the reserve formula computations. Firms have reported inaccurate FOCUS Reports due to inaccurate calculations of the firm’s net capital, aggregate indebtedness, revenue, liabilities and reserve formula computation (where applicable), resulting in violations of SEA Rules 17a-3, 17a-4 and 17a-5, and FINRA Rule 4511.
• Failure to Maintain Certain Electronic Communications: Not retaining, archiving and reviewing non-email electronic communications conducted through firm-approved channels.
• Failure to Maintain Electronic Correspondence of Part-Time CCOs or FINOPs: Not capturing, reviewing and archiving electronic correspondence of associated persons—including part-time Chief Compliance Officers (CCOs) and Financial and Operations Principals (FINOPs)—conducting firm business via third-party vendor email addresses.
• Failure to Maintain Converted Records: Not maintaining policies and procedures and related controls to protect the integrity of records for the duration of the applicable retention period, and to confirm physical books and records converted to electronic records were accurate, complete and readable.
• Inadequate Due Diligence of Third-Party Vendors: Not performing adequate due diligence to verify third-party vendors’ ability to comply with recordkeeping requirements; or not confirming that service contracts and agreements comply with applicable recordkeeping requirements, including records stored by third-party vendors.
• Inadequate Supervision:
  • Not reviewing electronic communications for indications of associated persons’ potential use of off-channel communications for business-related communications.¹
  • Not establishing procedures and controls to retain and review written, business-related electronic communications made through non-firm-approved email accounts and other communication tools.
  • Not retaining and reviewing business-related text messages.
  • Not properly supervising third-party vendors that support firms’ monitoring of their associated persons’ electronic communications, resulting in firms not capturing, retaining or supervising communications.
• Inadequate WSPs: Relying on policies and procedures that were overly general and did not adequately specify:
  • permitted and prohibited business communication platforms;
  • methods to determine if associated persons are engaging in business communications on unapproved platforms; and
  • corrective action for associated persons if they violate firm policy and engage in business communication using unapproved platforms.
• Contacting Firm Customers Through Off-Channel Platforms: Associated persons using personal email accounts or other off-channel platforms to communicate with customers regarding firm business without the firm’s knowledge.
• Inadequate Reviews: Reviewing electronic communications without selecting adequate samples or using targeted key word searches; and failing to review electronic communications in non-English languages in which the member conducts business.

Effective Practices

• Testing and Verification: Testing third-party recordkeeping vendors’ capabilities to fulfill regulatory obligations by, for example, simulating a regulator’s examinations by requesting records to confirm compliance with the recordkeeping requirements.
• Providing Appropriate Access to Books and Records: If the firm uses a part-time FINOP, contracted CCO or part-time employee or contractor for other roles, ensuring there is a process in place to provide appropriate access to the firm’s books and records to allow for the individuals to fulfill their regulatory obligations.
• Supervisory Procedures:
  • Monitoring for indications that associated persons are using off-channel communications (e.g., a decrease or absence of activity on certain previously used firm-approved communication channels or tools).
  • Frequently revising key words used to surveil for associated persons’ potential use of off-channel communications, and tailoring keyword searches to the business models.

Additional Resources

• FINRA
  • Books and Records Key Topics Page
  • Books and Records Requirements Checklist
  • Exchange Act Rule 17a-4 Amendments: Chart of Significant Changes
  • Regulatory Notice 18-31 (SEC Staff Issues Guidance on Third-Party Recordkeeping Services)
  • Frequently Asked Questions about the 2001 Amendments to Broker-Dealer Books and Records Rules Under the Securities Exchange Act of 1934
  • Regulatory Notifications – Failure to Make and Keep Current Books and Records (Updated April 27, 2024)

1 In the context of the Report, “Off-Channel Communications” are defined as business-related communications sent or received on a communication tool that has not been authorized for business use. Off-Channel Communications can include, but is not limited to, electronic messaging services such as instant messaging applications, text messages, personal email, direct messaging applications, chat services, and messaging features through third-party vendor applications or social media platforms that are not routinely captured, supervised or retained by an associated person’s member firm systems.