Books and Records

The SEC amended Rule 17a-4 on October 12, 2022 to modify the requirements regarding the maintenance and preservation of electronic records, the use of third-party recordkeeping services to hold records, and the prompt production of records. The effective date and compliance date for the amendments are January 3, 2023, and May 3, 2023, respectively. FINRA has prepared a chart that summarizes the most significant changes.

Section 17(a)(1) of the Securities Exchange Act of 1934 ("Exchange Act") requires registered broker-dealers to make, keep, furnish and disseminate records and reports prescribed by the Securities and Exchange Commission ("SEC"). The SEC's books and records rules applicable to broker-dealers, Exchange Act Rules 17a-3 and 17a-4, specify minimum requirements with respect to the records that broker-dealers must make, how long those records and other documents relating to a broker-dealer’s business must be kept and in what format they may be kept. The SEC requires that broker-dealers create and maintain certain records so that, among other things, the SEC, self-regulatory organizations ("SROs") and state securities regulators may conduct effective examinations of broker-dealers.

FINRA has also adopted specific recordkeeping rules applicable to its members and their associated persons. In addition, FINRA is responsible for, among other things, enforcing compliance by its members and their associated persons with the SEC books and records rules applicable to broker-dealers, the Municipal Securities Rulemaking Board ("MSRB") recordkeeping rules, as well as the recordkeeping rules of FINRA.

There are numerous rules and requirements in this area as well as firm-specific guidance that dictate the capture and retention of electronic communications, such as email and instant messages, as well as hard copy records. Registered representatives, supervisors and compliance officers need to understand these rules and adhere to them and their firm's relevant policies and procedures, when conducting their business. Maintaining complete and accurate books and records is required in order to operate in the securities industry.

ON THIS PAGE

• What Are Books and Records?
• Electronic Recordkeeping System ("ERS")
• Outsourcing
• Electronic Communications
• Contact OGC
   

I. WHAT ARE BOOKS AND RECORDS?

In general, books and records are those books, accounts, records, memoranda, correspondence and other documentation or information that broker-dealer firms have to make and preserve in accordance with the federal securities laws, MSRB rules, FINRA rules and all other applicable laws, rules and regulations (collectively, the “recordkeeping rules”). The recordkeeping rules require firms to retain, among other records, communications relating to their "business as such," trade blotters, asset and liability ledgers, income and expense ledgers, capital account ledgers, customer account ledgers, securities records, order tickets and trade confirmations. The recordkeeping rules are intended, in part, to provide regulators with the ability to access and review such records. This overview focuses only on certain SEC and FINRA books and records requirements.

A. General Requirements

FINRA Rule 4511 (General Requirements) requires firms to: (1) make and preserve books and records as required under the rules of FINRA, the Exchange Act and the applicable Exchange Act rules; and (2) preserve the books and records required to be made pursuant to the FINRA rules in a format and media that complies with Exchange Act Rule 17a-4. In addition, FINRA Rule 4511 requires firms to preserve for a period of at least six years those FINRA books and records for which there is no specified retention period under the FINRA rules or applicable Exchange Act rules. This six-year retention period is a default retention period for those FINRA rules that require firms to preserve certain books and records, but do not specify a retention period, and where there is no retention period specified under the Exchange Act rules. In the absence of contrary guidance in a rule, if the books and records pertain to an account, the retention period is for six years after the date the account is closed; otherwise, the retention period is for six years after such books and records are made.

1. Integrity of Books and Records

Firms are required to store legible, true, accurate and complete copies of their books and records and to protect the integrity of the books and records from the time the books and records are created or received throughout the applicable retention period. Alteration, falsification and destruction of required books and records are serious violations of FINRA and SEC rules.

2. Recordkeeping Format or Medium

Firms may store their books and records in one of three formats or media:

• paper form;
• on micrographic media (microfilm, microfiche or any similar medium); or
• on an electronic recordkeeping system.

Micrographic media and electronic recordkeeping systems are subject to specific requirements, which are discussed under Exchange Act Rule 17a-4(f).

3. Retention Period

The retention period for firms’ books and records varies. All firms must adopt policies and procedures that address applicable recordkeeping obligations, including retention periods. Firms and their associated persons must follow the SEC and FINRA books and records requirements, and the individual firm’s policies, which may require longer retention periods.

4. SEC and FINRA Books and Records Requirements

Exchange Act Rules 17a-3 and 17a-4 contain some of the books and records that broker-dealers are required to create and retain.

In addition to the recordkeeping requirements of FINRA Rule 4511, the following are some of the other FINRA recordkeeping rules:

• FINRA Rule 2210(b)(4): Communications with the Public
• FINRA Rule 2241(d)(3): Research Analysts and Research Reports; Disclosure in Public Appearances
• FINRA Rule 2360(b)(23)(C)(iii): Options; Requirements; Tendering Procedures for Exercise of Options; Allocation of Exercise Assignment Notices
• FINRA Rule 5130(b): Restrictions on the Purchase and Sale of Initial Equity Public Offerings; Preconditions for Sale

B. Supervision

FINRA Rules 3110 (Supervision) and 3120 (Supervisory Control System) require firms to establish, maintain and enforce supervisory systems and written supervisory procedures reasonably designed to comply with their recordkeeping obligations. In addition, firms are required to periodically review and update their recordkeeping written supervisory procedures and to have appropriate written supervisory control procedures to test and verify that those recordkeeping supervisory procedures are reasonably designed to comply with applicable recordkeeping laws and regulations and FINRA rules and to update or amend them if necessary.

C. Consequences

Failure to meet FINRA, SEC and firm recordkeeping requirements may result in serious consequences for firms and their associated persons, including fines and other disciplinary actions.

II. ELECTRONIC RECORDKEEPING SYSTEM ("ERS")

A. Exchange Act Rule 17a-4(f) Compliant ERS

The records required to be maintained and preserved pursuant to Exchange Act Rules 17a-3 and 17a-4 may be immediately produced or reproduced by means of an ERS (a system that preserves records in a digital format in a manner that permits the records to be viewed and downloaded).

An ERS must meet the following technical requirements:

1. Records Preservation Format

The ERS must preserve a record for the duration of its applicable retention period:

1. In a manner that maintains a complete time-stamped audit trail that includes:
   1. all modifications to and deletions of the record or any part thereof;
   2. the date and time of actions that create, modify or delete the record;
   3. if applicable, the identity of the individual creating, modifying or deleting the record; and
   4. any other information needed to maintain an audit trail of the record in a way that maintains security, signatures and data to ensure the authenticity and reliability of the record and will permit re-creation of the original if it is modified or deleted; or
2. Exclusively in a non-rewriteable, non-erasable (i.e., WORM) format.

2. Verification

The ERS must verify automatically the completeness and accuracy of the processes for storing and retaining records electronically. This requirement is designed to ensure that when an original record is added to the ERS it is completely and accurately captured in the system;

3. Serialization

For those ERSs that use optical discs to meet the WORM requirement, the ERS must serialize the original and duplicate units of the storage media (i.e., the optical disc), and time-date for the required retention period the information placed on such storage media (i.e., the optical disc);

4. Download and Transfer

The ERS must have the capacity to: (1) readily download and transfer copies of a record and its audit trail (if applicable) in both a human readable format and in a reasonably usable electronic format; and (2) readily download and transfer the information needed to locate the electronic record.  A reasonably usable electronic format is a format that is common and compatible with commonly used systems for accessing and reading electronic records. This will allow regulators to search and sort information on the records using a computer; and

5. Backup System or Redundancy Capabilities

Firms that use an ERS to preserve required records have the following options:

1. Have a backup ERS that meets the requirements of Rule 17a-4(f) and that retains the records in a manner that will serve as a redundant set of records if the original ERS is temporarily or permanently inaccessible; or
2. Have other redundancy capabilities that are designed to ensure access to the records (with a level of redundancy that is at least equal to the level that is achieved through using a backup ERS).

Broker-dealers that use an ERS must also meet the following requirements: 

1. Production Facilities

The broker-dealer must have at all times available facilities for immediately producing the records preserved by means of the ERS and for producing copies of those records.

2. Production Ability

The broker-dealer must be ready at all times to provide, and immediately provide, any record stored by means of the ERS upon request.

3. Audit System

For broker-dealers using an ERS that maintains and preserves required records exclusively in WORM format, the broker-dealer must have an audit system providing for accountability regarding inputting of records into the ERS and of any changes made to every original and duplicate record maintained and preserved on such ERS. In addition, SEC and SRO staffs must be able to examine the results of such audit system, and the broker-dealer must retain the audit results for the same amount of time required for the audited records.

4. Accessing and Locating Records

The broker-dealer must organize, maintain, keep current and provide promptly upon request by the SEC or SRO staffs all information necessary to access and locate records preserved by means of the ERS.

5. Designated Executive Officer and Designated Third-Party Access Undertakings

If the broker-dealer stores some or all of its required records on an ERS, the broker-dealer must also have at all times filed with the broker-dealer’s designated examining authority (“DEA”) an undertaking(s) with respect to such records signed by either a designated executive officer (DEO) or designated third party (D3P) (in the express form specified in Exchange Act Rule 17a-4(f)(3)(v)(A)) .

A DEO must be a member of the broker-dealer’s senior management who has access to and the ability to provide records maintained on the ERS either directly or through a designated specialist (DS) who reports directly or indirectly to the DEO. The DEO may also appoint in writing upon to three designated specialists. A DS must be an employee of the broker-dealer who has access to, and the ability to provide records maintained and preserved on, the ERS. The DEO may also appoint in writing up to two designated officers (DOs) who will take the steps necessary to fulfill the DEO’s obligations as specified in the undertakings in the event the DEO is unable to fulfill those obligations. A DO must be an employee of the broker-dealer who reports directly or indirectly to the DEO and who has access and the ability to provide records maintained and preserved on the ERS either directly or through a DS who reports directly or indirectly to the DO.

In any event, the appointment of, or reliance on, a DO(s) or DS(s) does not relieve the DEO of the obligations set forth in the undertaking(s).

A broker-dealer also has the option of submitting to its DEA an undertaking(s) signed by a D3P. A D3P is a person that is not affiliated with the broker-dealer who has access to and the ability to provide records maintained and preserved on the ERS.

The SEC has designated a broker-dealer’s examining authority (e.g., FINRA) as a Commission designee for the purposes of Rule 17a-4(f).

Broker-dealers may engage the services of third parties in order to prepare or maintain the broker-dealer’s required books and records. If a broker-dealer’s required records are prepared or maintained by a third-party service provider, such third-party service provider must file with the SEC either a “Traditional Undertaking” or an “Alternative Undertaking” pursuant to SEA Rule 17a-4(i).

1. Traditional Undertaking

Where a broker-dealer’s required records are prepared or maintained by a third-party service provider (in either paper or electronic form), that third-party service provider must file with the SEC a written undertaking signed by a duly authorized person in the express form specified in Exchange Act Rule 17a-4(i)(1)(i) (“Traditional Undertaking”). The Traditional Undertaking must provide that the records in question are the property of, the broker-dealer, and such records will be surrendered promptly on request of the respective broker-dealer. The third party must also undertake to permit examination of the records by representatives or designees of the SEC, and to promptly furnish to the Commission or its designee true, complete and current had copies of any or all or any part of such books and records.

2. Alternative Undertaking

A third-party service provider (including an affiliate of a broker-dealer) may, instead of a Traditional Undertaking, file with the SEC a written undertaking signed by a duly authorized person in the express form specified in Exchange Act Rule 17a-4(i)(1)(ii) (“Alternative Undertaking”). A third party may submit an Alternative Undertaking if the third party maintains and preserves a broker-dealer’s required records by means of an ERS that utilizes servers or other storage devices that are owned or operated by the third party and the broker-dealer has “independent access” to the records, as defined in Exchange Act Rule 17a-4(i)(1)(ii)(B). The ability to provide the Alternative Undertaking does not apply when the third party maintains records in a paper format or on micrographic media.

In the Alternative Undertaking, the third-party service provider must acknowledge that the records are the property of the broker-dealer, and that the broker-dealer has represented to the recordkeeping service that the broker-dealer: (1) is subject to the SEC rules governing the maintenance and preservation of certain records; (2) has independent access to the records maintained by the third party; and (3) consents to the third party fulfilling the obligations set forth in the Alternative Undertaking.

In addition, the third-party service provider must undertake to facilitate within its ability, and not impede or prevent: (1) the examination, access, download or transfer of records by a representative or designee of the SEC as permitted under the law; or (2) a trustee appointed under the Securities Investor Protection Act of 1970 to liquidate the broker-dealer in accessing, downloading or transferring the records as permitted under the law.

Rule 17a-4(i) provides that an agreement with an outside entity does not relieve the broker-dealer from the responsibility to prepare and maintain required records.

A broker-dealer that uses another person, firm or organization to maintain its records also must provide the appropriate disclosures regarding such an arrangement on its Form BD (Uniform Application for Broker-Dealer Registration).

III. OUTSOURCING

As noted above, a broker-dealer may use a third-party recordkeeping service to prepare or maintain the broker-dealer's required records. However, firms have a continuing responsibility to oversee, supervise and monitor the recordkeeping service’s performance of covered activities, and they must have in place specific policies and procedures to monitor the third-party recordkeeping service's compliance with the terms of any agreements and assess the recordkeeping service's continued fitness and ability to perform the activities being outsourced. Firms should also ensure that their policies and procedures provide for the due diligence analysis of the recordkeeping service provider to determine whether the recordkeeping service is capable of performing these functions, particularly in light of the risks of cyberattacks. Further, outsourcing a recordkeeping function to a third party does not relieve the broker-dealer of its ultimate responsibility for compliance with applicable FINRA and SEC rules. For a detailed discussion of additional outsourcing issues and effective cybersecurity practices, see Regulatory Notice 21-29 (August 2021) (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors), Report on Selected Cybersecurity Practices – 2018 and Report on Cybersecurity Practices (February 2015).

IV. ELECTRONIC COMMUNICATIONS

Books and Records Rules Pertaining to Electronic Communications

Exchange Act Rule 17a-4(b)(4) requires that a broker-dealer retain originals of all communications received and copies of all communications sent by the broker-dealer relating to its "business as such" for at least three years, the first two years in an easily accessible place. See also FINRA Rule 3110.09 (Retention of Correspondence and Internal Communications). This requirement applies to all electronic communications relating to the firm’s business, including all such communications that are subject to rules of the self-regulatory organization of which the broker-dealer is a member regarding communications with the public. This would include emails, instant messages and business-related social media posts. See Notice to Members 03-33 (July 2003) (Clarification for Members Regarding Supervisory Obligations and Recordkeeping Requirements for Instant Messaging) and Regulatory Notice 17-18 (Guidance on Social Networking Websites and Business Communications).

Significantly, this requirement covers both external and internal electronic communications relating to the firm's business. An email between registered representatives in the same firm is one example of an internal electronic communication. Furthermore, the requirement equally applies whether the electronic communication was received or sent through a member’s or a third-party's platform or system. Firms may not permit the use of any type of electronic communication if they are unable to satisfy the applicable recordkeeping requirements with respect to that particular type of electronic communication.

In general, FINRA and SEC rules do not prohibit the use of non-firm email systems or accounts to conduct firm business provided that the firm captures and retains the emails as it would with emails emanating from its own email system or account.

Firms also have an obligation to supervise electronic communications relating to their business and ensure the privacy of such communications. See:

Guidance

• Notice to Members 05-49 (Safeguarding Confidential Customer Information) (July 2005)
• Regulatory Notice 10-06 (Guidance on Blogs and Social Networking Web Sites) (January 2010)
• Regulatory Notice 11-39 (Guidance on Social Networking Websites and Business Communications) (August 2011)
• Regulatory Notice 17-18 (Guidance on Social Networking Websites and Business Communications) (April 2017)
• Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection With Potential Account Takeovers and New Account Fraud)
• Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors) (August 2021)

Reports and Other Materials

• Report on Cybersecurity Practices (February 2015)
• Report on Selected Cybersecurity Practices – 2018
• Small Firm Cybersecurity Checklist

CONTACT OGC

FINRA's Office of General Counsel (OGC) staff provides broker-dealers, attorneys, registered representatives, investors and other interested parties with interpretative guidance relating to FINRA’s rules. Please see Interpreting the Rules for more information.

OGC staff contacts:

Afshin Atabaki, Nicholas Vitalo and Carrie Jordan
FINRA, OGC
1735 K Street, NW
Washington, DC 20006
(202) 728-8000