Guidelines for FINRA SEC 17a-4 Compliance for Broker-Dealers
According to Securities and Exchange Commission (SEC) Rule 17a-4, broker-dealers in the financial services industry are required to retain and index electronic correspondence, including email, with immediate accessibility for a period of two years and with non-immediate access for at least six years. As a result, broker-dealers need to be able to securely store hundreds of thousands of emails every day and access them at a moment’s notice. Failure to comply with SEC 17a-4 can result in severe penalties, ranging from fines to even the possibility of jail time.
Due to the gravity of an SEC 17a-4 violation, as well as other regulations defined by the Financial Industry Regulatory Authority, broker-dealers are turning to digital archiving solutions for instant and secure access to records.
What is SEC Rule 17a-4?
Instituted in the interest of protecting investors from fraudulent or misleading claims, the original Securities Exchange Act of 1934 authorized the SEC to issue record-keeping rules for broker-dealers, including the retention and furnishing of copies of records “necessary or appropriate in the public interest, for the protection of investors or otherwise in furtherance of the purposes of the Exchange Act.”
Typically listed together, Rules 17a-3 and 17a-4 require broker-dealers to preserve each transaction record and general business records “in an easily accessible manner.” Rule 17a-4 was later amended to include electronic record keeping, meaning broker-dealers could now use digital storage to retain records, provided it did not overwrite or erase records for the required retention period (more on that later).
When Did SEC 17a-4 Go Into Effect?
SEC Rule 17a-4 was originally instated in 1993; it was later amended to include electronic record keeping in 1997.
Who is Affected by SEC 17a-4?
SEC Rule 17a-4 applies to broker-dealers and other relevant parties who trade securities or act as brokers for traders, including banks, securities firms, stock brokerage firms and any other entity that falls under the jurisdiction of the Financial Industry Regulatory Authority (FINRA).
What Are the Basic Requirements of Rule 17a-4?
In a nutshell, SEC Rule 17a-4 requires broker-dealers to store all business records for a period of no less than six years on non-rewriteable and non-erasable media. Firms that store information electronically are also required to maintain a relationship with the third-party provider responsible for storing their records.
What Happened to the NASD?
The National Association of Securities Dealers, or NASD, was founded in 1939 to oversee the operations and activities of the NASDAQ stock market. In 2007, the NASD merged with the New York Stock Exchange to create FINRA.
What Does FINRA Do?
FINRA is an independent regulatory organization that ensures fair financial markets in the U.S. by:
- Deterring misconduct by enforcing rules
- Disciplining those who break those rules
- Detecting and preventing wrongdoing in the U.S. markets
- Educating and informing investors
- Resolving securities disputes
According to Investopedia, “The SEC is responsible for ensuring fairness for the individual investor and FINRA is responsible for overseeing virtually all U.S. stockbrokers and brokerage firms. In the grand scheme of things, FINRA is overseen by the SEC.” The SEC originally used NASD Rules 3010 and 3110 to enforce 17a-4, but those have been superseded by FINRA Rules 3110 and 3170.
What is WORM Compliance?
WORM is short for “write once, read many” and refers to a specific data storage format that writes information to a single disk a single time and prevents the erasure or alteration of any data on that disk thereafter. Back in the day, when broker-dealers and firms stored information on physical hardware, such as CD-ROMs and floppy disks, the WORM format made it easy to maintain SEC Rule 17a-4 compliance.
However, now that cloud storage has become the most popular way to store financial records, firms are running into issues with WORM compliance. From Wells Fargo Securities to Hancock Investment Services, a number of securities firms and brokerages have found themselves on the wrong side of WORM compliance and have suffered the consequences — that’s why, when looking for a digital storage system, it’s vital that broker-dealers look for a solution that maintains unalterable, non-rewriteable and non-erasable records.
How Long Do I Have to Preserve Communications for 17a-4 Compliance?
According to the SEC, “Every member, broker and dealer subject to § 240.17a-4 shall preserve [all records] for a period of not less than six years, the first two years in an easily accessible place.” In addition to SEC Rule 17a-4, all broker-dealers subject to SEC Rule 17a-3 must preserve the following materials for a minimum of three years, and for the first two of those years the materials must be easily accessible:
- Check books, bank statements, cancelled checks and cash reconciliations
- All bills receivable or payable (or copies thereof), paid or unpaid, relating to the business of a member, broker or dealer
- Originals of all communications received and copies of all communications sent by the member, broker or dealer relating to business
- All trial balances, computations of aggregate indebtedness and net capital, financial statements, branch office reconciliations, and internal audit working papers
- All guarantees of accounts and all powers of attorney and other evidence of the granting of any discretionary authority
- Copies of resolutions empowering an agent to act on behalf of a corporation
- All written agreements (or copies thereof) entered into by a member, broker or dealer relating to business
- Records in support of amounts
- And so on
What Are the Penalties if I Fail to Comply With Rule 17a-4?
The SEC has fined some of the largest investment banks in the world, including Goldman Sachs & Co., Citigroup Inc., Morgan Stanley & Co. and Bank of America for policies and procedures that violate 17a-4 compliance.
In 2017 alone, FINRA fined 12 of its largest member firms a combined $14.4 million for violation of SEC Rule 17a-4, specifically, failure to keep “hundreds of millions of electronic documents in a WORM [format],” as well as Rule 3110. These firms included Wells Fargo & Co., SunTrust Robinson Humphrey and PNC Capital Markets.
As you can see, the criteria for 17a-4 compliance are strict, and the penalties for violation severe.
How Can I Stay Compliant With SEC Rule 17a-4?
As outlined above, in order for broker-dealers to comply with SEC regulations under Rule 17a-4, they must retain electronic communications with customers, as well as all other communications germane to their business, for at least six years on non-rewriteable and non-erasable storage. Rule 17a-4 does allow for broker-dealers to implement digital storage systems that inhibit alterations, erasure and loss of electronic files for the required archiving period.
These communications must be easily accessible, indexed and, per WORM compliance, stored on non-erasable, non-rewriteable media. This long-standing requirement has gained more attention as of late due to increased enforcement from federal regulators.
What is D3P Compliance?
The SEC also enforces a Designated Third Party (D3P) Rule, which, according to Iron Mountain:
“…requires [broker-dealers] who store information electronically to maintain a relationship with an independent third party who can access their records in the event of an audit or request [the broker-dealer] is unable or unwilling to furnish this information.”
Since the onset of D3P compliance regulation, broker-dealers have become proactive in complying with this rule. FINRA requires broker-dealers to present a D3P “Letter of Undertaking” and all documentation and service agreements that prove D3P compliance. These tightened regulations make it important for broker-dealers to choose a D3P for electronic record storage.
Rule 17a-4 also requires that a duplicate copy of each record be kept on write-once media. The broker-dealer must store these duplicate files in a separate location from the original.
FINRA SEC Rule 17a-4 Compliance in Summary
The following is a summary of how to implement and enforce 17a-4 compliance:
- Have written and enforceable retention policies
- Store data on non-erasable, non-rewriteable media
- Maintain a searchable index of all stored data
- Have readily retrievable and viewable data
- Maintain storage of data offsite
Intradyn designs archiving solutions specifically for the financial services industry that do all of the above and more in the interest of maintaining FINRA and SEC 17a-4 compliance, as well as compliance with other regulations enforced by major agencies. Contact us today to learn more about how our solutions can give you complete peace of mind when it comes to ongoing regulatory compliance.