Company Blog Support

Email Archiving Blog

Compliance, eDiscovery and Email Management

Guidelines for FINRA, SEC 17a-4 (email compliance): Designated Third Party (D3P) Compliance Provider

Electronically saved information (ESI) guidelines are not only difficult to understand but the amount of electronic email documents being produced by organizations is staggering.

Since the SEC17a-4 regulations regarding archiving all electronic data, email and correspondence for e-Discovery, the securities broker-dealers financial industry faces enormous compliance issues. Locating emails that are saved by hundreds of employees and stored in various departments uses the company’s valuable resources and time.

Due to the Financial Institution Regulatory Authority (FINRA) and SEC 17a-4 (email compliance) by the Securities and Exchange Commissioner, broker-dealers are archiving electronically stored emails to comply with SEC guidelines, implementing third party D3P archiving solutions for instant and secure access to records.

Watch our 15-minute demo to see how we’re helping businesses meet compliance standards.


In order for broker-dealers to comply with the Securities and Exchange Commission regulations under Rule 17a-4, they must retain electronic communications with customers and those that are germane to their business for at least three years on non-rewriteable and non-erasable storage (WORM). The rule also states that broker-dealers can store files using a digital storage system that inhibits alterations, erasure and loss of electronic files for the required archiving period.

These communications must be easily accessible, indexed, and stored on non-erasable, non-rewriteable media. While this is a long-standing requirement, only recently has it been enforced with any regularity by federal regulators. What was once a choice for some broker-dealers is now a necessity. The tightened regulations make it important to identify and choose a designated third party provider.

Rule 17a-4 also requires that a duplicate copy of each record must be kept on write-once media. The broker-dealer must store these duplicate files in a separate location from the original.

Brokers-dealers must comply with SEC Rule 17a-3, along with 17a-4. These combined SEC rules require documented retention policies, the storage media must be properly indexed, all records must be instantly accessible, store electronic files offsite according to the D3P requirement (designated third party compliance provider).

SEC 240.17a-4 and NASD 3010/3110

The Securities Exchange Act was instituted in 1934 to protect investors from fraudulent or misleading claims. The Act requires that records be kept for the purposes of review and auditing of securities transactions. In 1997, the SEC amended the primary rule 17a-4 to let broker-dealers store records (including email and instant messages) electronically. NASD 3010/3110 enforces SEC 17a-4.

Who is affected by SEC 240.17a-4 and NASD 3010/3110?

These regulations primarily apply to broker-dealers and others who trade securities or act as brokers for traders, including banks, securities firms, stock brokerage firms, and any other entity under the jurisdiction of the National Association of Securities Dealers (NASD).

What are the requirements of SEC 240.17a-4 and NASD 3010/3110?

For brokerage firms and others subject to these regulations, SEC 240.17a-3 (the requirement to make records) and SEC 240.17a-4 (the requirement to keep records) are the most relevant. Other rules that apply to retention, nonrewriteable storage, and ease of retrieval and viewing are found in 240.17a-4 and NASD 3010 and 3110.

When were SEC 240.17a-4 and NASD 3010/3110 effective?

All updated aspects of SEC 240.17a-4 and NASD 3010/3110 were effective as of May 12, 2003.

What are the penalties for non-compliance to  SEC 240.17a-4 and NASD 3010/3110?

The criteria for compliance are strict and the penalties for violation severe.

The SEC already has fined five of the largest investment banks in the world more than $8,000,000 for inadequate policies and procedures. Goldman, Sachs & Co., Citigroup Inc.’s Salomon Smith Barney, Morgan Stanley & Co., Deutsche Bank Securities Inc., and U.S. Bancorp Piper Jaffray Inc. all agreed to pay and to review and report on procedures for email retention.

In March 2004, Banc of America Securities agreed to pay a $10 million civil penalty to settle alleged violations of recordkeeping and access requirements under federal securities laws. (The SEC also censured the firm.) The SEC said that BofA Securities repeatedly failed to furnish documents requested by its staff, provided misinformation concerning the availability of records, and engaged in tactics that delayed the investigation. The SEC said the delays were in obtaining e-mail, compliance reviews, and compliance and supervision records.


Since the onset of the D3P compliance regulation, broker-dealers have become proactive in complying with this rule. FINRA asks broker-dealers for the D3P “Letter of Undertaking” and all documentation and service agreement that proves D3P compliance. Reports that show the D3Ps can instantly access electronic documents, records and books must be supplied to FINRA.

Broker-dealers cannot sit idly by anymore. They must comply with the D3P requirement or face enforcement action by FINRA examiners.

Are you looking for a D3P email compliance provider? Download our eBook on evaluating the best archiving solution.

HOW DO FIRMS COMPLY WITH SEC 240.17a-4 and NASD 3010/3110?

Here is a simplified list of requirements, which include policies firms must enact or technologies they must implement:

  • Have written and enforceable retention policies
  • Store data on non-erasable, non-rewriteable media
  • Maintain a searchable index of all stored data
  • Have readily retrievable and viewable data
  • Maintain storage of data offsite


Are you looking for an email archiving solutions for FINRA and SEC 17a-4 compliance? Contact us today to learn more about Intradyn’s solutions.

FINRA Compliance Checklist
Avoid Hefty Penalties With Our FINRA/SEC 17a-4 Compliance Checklist.
Download Now