January 25, 2011 – Broker-dealers caught unaware have paid millions in fines for failure to comply with the Securities and Exchange Commission’s requirements to preserve books and records.
For instance, a large brokerage firm in 2006 agreed to pay a $15 million settlement for allegedly failing to produce e-mails and electronic records in a timely manner during the course of two separate SEC investigations. In 2009, the brokerage arm of a large commercial bank agreed to pay several million dollars in fines for, among other things, failure to retain electronic records pertaining to its business, following hearings before the New York Stock Exchange and the Financial Industry Regulatory Authority.
Now comes computing in the cloud, which should save firms big bucks by placing their applications and data on servers and systems maintained by other parties. Already, many broker-dealers take advantage of third party service providers in the “cloud” to archive email, text messages, and other electronic documents, including financial transaction data, trade confirmations, and net capital records.
Fortunately, outsourcing of record-keeping is an area for which the SEC provides reasonably clear guidance, principally through Rule 17a-4(f), under the Securities Exchange Act of 1934.
Prior to relying on a third party for electronic record-keeping, a broker-dealer is required to notify the SEC and a designated examining authority (“DEA”) such as FINRA of its intention to do so. Under Rule 15b3-1, the broker-dealer must amend its Form BD to identify to the SEC and self-regulatory organizations of which it is a member, like FINRA, “any arrangements” with third parties who maintain the broker-dealer’s books or records. FINRA has adopted both NASD Rule 3110 and NYSE Rule 440, which reiterate the need to preserve books and records in compliance with Rule 17a-4.
Next, the broker-dealer must make a representation, or obtain one from a storage vendor or other third party “with appropriate expertise,” that the broker-dealer’s selected storage media meets the conditions set forth in Rule 17a-4(f).
The broker-dealer or third party expert must attest that the electronic storage media will:
(1) preserve the records exclusively in a non-rewriteable, non-erasable format (subsequent interpretive guidance from the SEC states that the media itself need not be physically non-rewriteable and non-erasable, and that “non-rewriteable, non-erasable” can be achieved using “integrated hardware and software control codes”);
(2) verify automatically the quality and accuracy of the storage media recording process;
(3) serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and
(4) have the capacity to readily download indexes and records preserved on the electronic storage media to “any medium acceptable” under Rule 17a-4(f) as required by the SEC or the self-regulatory organizations of which the broker-dealer is a member.
In addition, every broker-dealer exclusively using electronic storage media for any of its record preservation must make arrangements with at least one third party who has access, and the ability, to download information from the broker-dealer’s electronic storage media to “any medium acceptable” under Rule 17a-4. The third party downloading service provider, which may or may not be the same service-provider that is storing the electronic records, must file with the SEC and the broker-dealer’s DEA two undertakings with respect to the electronically maintained records.
The service provider must undertake to:
(1) “furnish promptly” to the SEC or its designee “upon reasonable request,” such information as “is deemed necessary” by the SEC or its designee by downloading the information from the broker-dealer's electronic storage media to the “acceptable” medium; and
(2) “take reasonable steps” to provide access to information contained on the broker-dealer’s electronic storage media, including arrangements for downloading any record required to be maintained and preserved by the broker-dealer “in a format acceptable” to the SEC or its designee. If the broker-dealer fails to download the records “into a readable format,” then, after “reasonable notice” to the broker-dealer and upon request of the SEC, the third party service provider must provide the records to the SEC or its designee.
The SEC also requires the broker-dealer to put in place an audit system that provides “accountability regarding inputting of records required to be maintained and preserved” on electronic storage media and “inputting of any changes made to every original and duplicate record maintained and preserved.” At all times, the broker-dealer must be able to have the results of such audit system available for examination by the SEC and the self-regulatory organizations of which the broker or dealer is a member. The audit results must be preserved for the same amount of time as the underlying records being audited.
Despite the relative clarity of Rule 17a-4, some ambiguity remains. For example, Rule 17a-4 does not expressly describe the “acceptable” download medium, but presumably the medium must preserve the accuracy, indexing, and serialization of the records otherwise required for storage of the records under Rule 17a-4. The second undertaking requirement states that the downloaded information must be in a “readable format,” but it is not clear whether this adds an additional requirement to change the format of the records beyond the indexing and serialization of the stored data. It is also not clear whether the download medium must also be non-erasable and non-rewriteable.
Recently, some examiners at FINRA have questioned whether the audit requirements under 17a-4 might be interpreted to require the preservation of all intermediary drafts of all records or even all metadata relating to the records. Such an interpretation calls into question when a draft becomes a “record” under the rules. Though the rules do not explicitly require such a burdensome undertaking, what might have been unthinkable ten years ago is now possible with the cloud’s ever-increasing storage capacity, and may soon be required.
Rule 17a-4 also includes default preferences for anachronisms like microfilm, microfiche, and “optical disk technology (including CD-ROM)” which have, for the most part, been replaced in practice by optical tape technology. Specifically, Rule 17a-4(f)(2)(i) requires a broker-dealer employing any electronic storage media other than optical disk technology (including CD-ROM) to notify its DEA at least ninety (90) days prior to employing such storage media.
Future revisions to the rules should address such relics. Going forward, the challenge for regulators will be to strike the balance of providing clear guidance, while leaving enough flexibility in the rules to keep up with advances in technology.
This story originally appeared on Securities Technology Monitor.