Books and Records

The SEC amended Rule 17a-4 on October 12, 2022 to modify the requirements regarding the maintenance and preservation of electronic records, the use of third-party recordkeeping services to hold records, and the prompt production of records. The effective date and compliance date for the amendments are January 3, 2023, and May 3, 2023, respectively. FINRA has prepared a chart that summarizes the most significant changes.

Section 17(a)(1) of the Securities Exchange Act of 1934 ("Exchange Act" or "SEA") requires registered broker-dealers to make, keep, furnish and disseminate records and reports prescribed by the Securities and Exchange Commission ("SEC"). The SEC books and records rules applicable to broker-dealers, SEA Rules 17a-3 and 17a-4, specify minimum requirements with respect to the records that broker-dealers must make, how long those records and other documents relating to a broker-dealer’s business must be kept and in what format they may be kept. The SEC requires that broker-dealers create and maintain certain records so that, among other things, the SEC, self-regulatory organizations ("SROs") and state securities regulators may conduct effective examinations of broker-dealers.

FINRA also has specific recordkeeping rules. In addition, FINRA is responsible for, among other things, enforcing compliance by its members and their associated persons with the SEC books and records rules applicable to broker-dealers, the Municipal Securities Rulemaking Board ("MSRB") recordkeeping rules, as well as the recordkeeping rules of FINRA.

Maintaining complete and accurate books and records is required in order to operate in the securities industry. There are numerous rules and requirements in this area as well as firm-specific guidance that dictate the capture and retention of electronic communications, such as email and instant messages, as well as hard copy records. Registered representatives, supervisors and compliance officers need to understand these regulations and adhere to them and their firm's guidance when conducting their business.

ON THIS PAGE

• What Are Books and Records?
• Electronic Storage Media ("ESM")
• Outsourcing
• Electronic Communications
• Contact OGC
   

I. WHAT ARE BOOKS AND RECORDS?

In general, books and records are the books, accounts, records, memoranda, correspondence and other documentation or information that firms have to make and preserve in accordance with the federal securities laws, MSRB rules, FINRA rules and all other applicable laws, rules and regulations. The recordkeeping rules require firms to retain, among other records, communications relating to their "business as such," and include trade blotters, asset and liability ledgers, income and expense ledgers, capital account ledgers, customer account ledgers, securities records, order tickets and trade confirmations. These recordkeeping requirements are intended, in part, to provide regulators with the ability to access and review such records. As noted, this overview only focuses on some of the applicable SEC and FINRA books and records requirements.

A. General Requirements

FINRA Rule 4511 (General Requirements) requires firms to: (1) make and preserve books and records as required under the rules of FINRA, the SEA and the applicable SEA rules; and (2) preserve the books and records required to be made pursuant to the FINRA rules in a format and media that complies with SEA Rule 17a-4. In addition, FINRA Rule 4511 requires firms to preserve for a period of at least six years those FINRA books and records for which there is no specified retention period under the FINRA rules or applicable SEA rules. This six-year retention period is a default retention period for those FINRA rules that require firms to preserve certain books and records, but do not specify a retention period, and where there is no retention period specified under the SEA rules. In the absence of contrary guidance in a rule, if the books and records pertain to an account, the retention period is for six years after the date the account is closed; otherwise, the retention period is for six years after such books and records are made.

1. Integrity of Books and Records

Firms are required to store legible, true, accurate and complete copies of their books and records and to protect the integrity of the books and records from the time the books and records are created or received throughout the applicable retention period. Alteration, falsification and destruction of required books and records are serious violations of FINRA and SEC rules.

2. Recordkeeping Format or Medium

Firms may store their books and records in one of three formats or media:

• paper form;
• on micrographic media (microfilm, microfiche or any similar medium); or
• on electronic storage media.

Micrographic media and electronic storage media are subject to specific requirements, which are discussed under SEA Rule 17a-4(f).

3. Retention Period

The retention period for firms’ books and records varies. All firms must have policies and procedures that address recordkeeping obligations, including retention periods. You must follow the SEC and FINRA books and records requirements, and your individual firm’s policies, which may require longer retention periods.

4. SEC and FINRA Books and Records Requirements

SEA Rules 17a-3 and 17a-4 contain some of the books and records that broker-dealers are required to create and retain.

In addition to the recordkeeping requirements of FINRA Rule 4511, the following are some of the other FINRA recordkeeping rules:

• FINRA Rule 2210(b)(4): Communications with the Public
• FINRA Rule 2241(d)(3): Research Analysts and Research Reports; Disclosure in Public Appearances
• FINRA Rule 2360(b)(23)(C)(iii): Options; Requirements; Tendering Procedures for Exercise of Options; Allocation of Exercise Assignment Notices
• FINRA Rule 5130(b): Restrictions on the Purchase and Sale of Initial Equity Public Offerings; Preconditions for Sale

B. Supervision

FINRA Rules 3110 (Supervision) and 3120 (Supervisory Control System) require firms to establish, maintain and enforce supervisory systems and written supervisory procedures reasonably designed to comply with their recordkeeping obligations. In addition, firms are required to periodically review and update their recordkeeping written supervisory procedures and to have appropriate written supervisory control procedures to test and verify that those recordkeeping supervisory procedures are reasonably designed to comply with applicable recordkeeping laws and regulations and FINRA rules and to update or amend them if necessary.

C. Consequences

Failure to meet FINRA, SEC and firm recordkeeping requirements may result in serious consequences for firms and their associated persons, including fines and other disciplinary actions.

II. ELECTRONIC STORAGE MEDIA ("ESM")

A. SEA Rule 17a-4(f) Compliant ESM

The records required to be maintained and preserved pursuant to SEA Rules 17a-3 and 17a-4 may be immediately produced or reproduced on micrographic media (microfilm or microfiche, or any similar medium) or ESM (any digital storage medium or system) that meet the conditions set forth in SEA Rule 17a-4(f) and may be maintained and preserved for the required time on such media.

ESM must meet the following conditions:

1. Firm Notification

The broker-dealer must notify its Designated Examining Authority ("DEA") that it will use ESM before using ESM for the first time. If the broker-dealer plans to use ESM that is not optical disk technology, SEA Rule 17a-4(f) requires the broker-dealer to notify its DEA at least 90 days before its first use of such storage media. An optical disk is a direct-access disk written and read by light, such as a CD-ROM.

2. ESM Representation

The broker-dealer must provide to its DEA a representation that the selected ESM meets the following conditions:

• preserves the records exclusively in a non-rewriteable, non-erasable format;
• verifies automatically the quality and accuracy of the storage media recording process;
• serializes the original and, if applicable, duplicate units of the storage media and also time-dates for the required retention period the information stored on it; and
• has the capacity to readily download stored records and indexes to any medium acceptable under SEA Rule 17a-4(f) as required by the SEC or SROs of which the broker-dealer is a member.

This representation may come from the broker-dealer or from a storage medium vendor or other third party with the appropriate level of expertise.

3. Audit System

The broker-dealer must have an audit system that identifies when original and duplicate records are input on to the storage medium and when any changes to existing records are made. In addition, SEC and SRO staffs must be able to examine the results of such audit system, and the broker-dealer must retain the audit results for the same amount of time required for the audited records.

4. Access to Records and Indexes

The broker-dealer is required to retain, keep current and surrender upon request by the SEC or SRO staffs all the information needed to access and download stored records and indexes. This includes the information required to access a storage system and any further information or credentials required to access the records stored on it. Alternatively, the broker-dealer may place in escrow and keep current a copy of the physical and logical file format of the storage medium, the field format of all different information types written on the storage medium and the source code, together with the appropriate documentation and information necessary to access records and indexes.

5. Third-Party Access Representation

If the broker-dealer stores some or all of its required records exclusively on ESM, the broker-dealer also must have a third-party file an undertaking (exactly as specified in SEA Rule 17a-4(f)(3)(vii)) with the broker-dealer’s DEA to the effect that the third party can provide access to records stored on the broker-dealer’s ESM.

In addition, both ESM and micrographic media must meet conditions 6 through 9 below.

6. Retrieval Facilities

The broker-dealer must have available facilities that allow SEC and SRO staffs to locate or readily access the appropriate records, read them and produce or download them.

7. Facsimile Enlargements

The broker-dealer must be able to immediately provide any facsimile enlargement of the record that the SEC, SRO or state securities regulator may request. For instance, if a record is stored in a scaled-down size, the broker-dealer must be able to provide an exact enlargement of the record upon request.

8. Duplicate Copy

The broker-dealer must store a duplicate copy of the record separately from the original. The duplicate copy may be stored on any of the three formats or media acceptable under SEA Rule 17a-4 (i.e., paper form, micrographic media or ESM). The duplicate copy must be stored for the same amount of time as the original record.

9. Indexes

The broker-dealer must accurately organize and index all information maintained on both the original and any duplicate storage media. The broker-dealer must be able to have such indexes available for examination by the SEC and SRO staffs. The broker-dealer also must store a duplicate copy of the index separately from each original index. The original and duplicate indexes must be stored for the same amount of time as the underlying indexed record.

III. OUTSOURCING

A broker-dealer may use a recordkeeping service to maintain the broker-dealer's required records. However, firms have a continuing responsibility to oversee, supervise and monitor the recordkeeping service’s performance of covered activities, and they must have in place specific policies and procedures to monitor the recordkeeping service's compliance with the terms of any agreements and assess the service's continued fitness and ability to perform the activities being outsourced. Firms should also ensure that their policies and procedures provide for the due diligence analysis of the recordkeeping service provider to determine whether the recordkeeping service is capable of performing these functions, particularly in light of the risks of cyberattacks. Further, outsourcing a recordkeeping function to a third party does not relieve the broker-dealer of its ultimate responsibility for compliance with applicable FINRA and SEC rules. For a detailed discussion of additional outsourcing issues and cybersecurity practices, see Regulatory Notice 21-29 (August 2021) (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors), Report on Selected Cybersecurity Practices – 2018 and Report on Cybersecurity Practices (February 2015).

In addition, if a broker-dealer's required records are maintained by a recordkeeping service, the recordkeeping service must file with the SEC a written undertaking pursuant to SEA Rule 17a-4(i) and the broker-dealer must provide the appropriate disclosures regarding such an arrangement on its Form BD (Uniform Application for Broker-Dealer Registration).

IV. ELECTRONIC COMMUNICATIONS

Books and Records Rules Pertaining to Electronic Communications

SEA Rule 17a-4(b)(4) requires that a broker-dealer retain originals of all communications received and copies of all communications sent by the broker-dealer relating to its "business as such" for at least three years, the first two years in an easily accessible place. See also FINRA Rule 3110.09 (Retention of Correspondence and Internal Communications). This requirement applies to all electronic communications relating to the firm’s business, including emails and instant messages. See Notice to Members 03-33 (July 2003) (Clarification for Members Regarding Supervisory Obligations and Recordkeeping Requirements for Instant Messaging).

Significantly, this requirement covers both external and internal electronic communications relating to the firm's business. An email between registered representatives in the same firm is one example of an internal electronic communication. Furthermore, the requirement equally applies whether the electronic communication was received or sent through a member’s or a third-party's platform or system. Firms may not permit the use of any type of electronic communication if they are unable to satisfy the applicable recordkeeping requirements with respect to that particular type of electronic communication.

In general, FINRA and SEC rules do not prohibit the use of non-firm email systems or accounts to conduct firm business provided that the firm captures and retains the emails as it would with emails emanating from its own email system or account.

Firms also have an obligation to supervise electronic communications relating to their business and ensure the privacy of such communications. See:

Guidance

• Notice to Members 05-49 (Safeguarding Confidential Customer Information) (July 2005)
• Regulatory Notice 10-06 (Guidance on Blogs and Social Networking Web Sites) (January 2010)
• Regulatory Notice 11-39 (Guidance on Social Networking Websites and Business Communications) (August 2011)
• Regulatory Notice 17-18 (Guidance on Social Networking Websites and Business Communications) (April 2017)
• Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection With Potential Account Takeovers and New Account Fraud)
• Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors) (August 2021)

Reports and Other Materials

• Report on Cybersecurity Practices (February 2015)
• Report on Selected Cybersecurity Practices – 2018
• Small Firm Cybersecurity Checklist

CONTACT OGC

FINRA's Office of General Counsel (OGC) staff provides broker-dealers, attorneys, registered representatives, investors and other interested parties with interpretative guidance relating to FINRA’s rules. Please see Interpreting the Rules for more information.

OGC staff contacts:

Afshin Atabaki and Nicholas Vitalo
FINRA, OGC
1735 K Street, NW
Washington, DC 20006
(202) 728-8000