FINRA’s document retention requirements are a critical aspect of the compliance obligations for FINRA-member organizations. As with any violations, failure to comply with appropriate records retention rules can result in costly investigations and fines.
The relevant rules include:
On October 12, 2022, the Securities and Exchange Commission (SEC) amended SEA Rule 17a-4 to modify the requirements regarding the maintenance and preservation of electronic records, the use of third-party recordkeeping services to hold records, and the prompt production of records.
The effective date and compliance date for the amended rule are January 3, 2023, and May 3, 2023, respectively. Following the amendments, FINRA has prepared a comprehensive summary of the most significant changes.
Several Letters of Acceptance, Waiver, and Consent (AWC) submitted to FINRA by large global brokerages highlight the issues that any broker-dealer must consider. We’re highlighting four main takeaway points as an important update for Chief Compliance Officers of digital broker-dealers:
- Retain records in a compliant manner for electronic communications of all senior management.
- Compliance and administrative alerts must be retained in a non-erasable, non-rewritable format or in a system that maintains an audit trail.
- FINRA Document Retention Requirements also include customer account notices and consolidated reports.
- Records must be maintained in ways that prevent loss, alteration, or deletion.
Let’s examine each of these in more detail below.
1. Retain records in a compliant manner for electronic communications of all senior management.
Senior management may not have a direct role in securities activities. Even an indirect role in decision-making that affects securities activities (including client transactions, hedging strategies, and deal approval) can fall under the rule to monitor and retain electronic communications.
Practical Example: One broker-dealer received both censure and a $40,000 fine because it excluded some senior management from electronic communication. It did so intentionally, believing that FINRA rules did not apply. This exclusion turned out to be a costly error.
CCO Takeaway: Make sure to err on the side of caution in monitoring and retaining communications, especially for senior management. Regardless of their role, their communications may ultimately influence securities activities.
CCOs are required to review and strengthen policies. The largely automated nature of communications monitoring tools (including flagged terms, information classification, and sampling methodologies) makes compliance easier to maintain, provided that people have not been erroneously excluded from the policy.
2. Compliance and administrative alerts must be retained in a non-erasable, non-rewritable format or in a system that maintains an audit trail.
This requirement stems from the Securities Exchange Act of 1934. While the original concept applied to paper records, today’s world has changed, and alerts are now digital and disseminated at high volume. The digital world has the same rules, however. Therefore, brokers that use an electronic recordkeeping system to preserve required records have the following options:
- The records may be preserved in a non-rewritable, non-erasable format (also known as a write once, read many (“WORM”) format) (WORM Requirement); or, alternatively
- The records may be preserved on an electronic recordkeeping system that maintains a complete time-stamped audit trail that includes:
- All modifications to and deletions of the record or any part of it;
- The date and time of actions that create, modify or delete the record;
- If applicable, the identity of the individual creating, modifying or deleting the record; and
- Any other information needed to maintain an audit trail of each distinct record.
We note, however, that this rule does not prohibit firms from choosing to adopt the AuditTrail Requirement for certain electronic records and continue to rely on the WORM Requirement for their other electronic records.
Practical Example: Another broker-dealer had to address its failure to maintain over 18.3 million electronic internal compliance alerts over a five-year period. This failure resulted in a censure and a fine of $750,000.
FINRA also considers a firm’s prior history of failures to establish and maintain compliance. It examines factors such as written procedures and a supervisory system “reasonably designed” to achieve compliance with record retention obligations.
CCO Takeaway: Closely scrutinize all procedures and systems related to electronic communications and alerts to ensure they meet FINRA’s definition of “reasonably designed” controls.
3. FINRA Document Retention Requirements also include customer account notices and consolidated reports.
Broker-dealers must retain essentially all records related to account activity and supervise the distribution of such materials. Rules apply to internal and client communications.
Practical Example: For one larger broker-dealer, non-compliance came at a very significant cost—a fine of $900,000 in the case of account notices and a fine of $10,000,000 with restitution of over $1.6 million in the case of reports.
CCO Takeaway: A compliance policy must be designed to demonstrate a serious intent to comply. It must also be in a written form, communicated to relevant staff, and supervised for potential violations.
This approach mitigates the risks and costs of long, multi-year periods of violation (which in turn can suggest an endemic culture of non-compliance to regulators).
4. Records must be maintained in ways that prevent loss, alteration, or deletion.
Digital records are easily modified or lost. Just think of how many times in your life you have accidentally deleted or lost work. It happens to all of us, but FINRA is unlikely to show much sympathy. In today’s world, risks like ransomware attacks add additional concerns.
- An AWC relating to this issue, including censure and a $1,000,000 fine, highlights the impact of failing to comply with regulations. Specifically, a broker-dealer must maintain certain records relating to its business, including trade blotters, asset and liability ledgers, order tickets, and trade confirmations.
- In a similar situation, a separate broker-dealer submitted an AWC and paid a $2,500,000 fine for records maintenance failures for nearly 20 years.
CCO Takeaway: When records are digital, additional rules apply. Firms should meet, among others, the following requirements:
- Be ready at all times to provide at all times have available facilities for immediately producing the digitally preserved records and for producing copies of those records that the SEC, self-regulatory organizations, or any State securities regulator with jurisdiction over the firm may request; and
- Be ready at all times to provide any digitally stored records that the SEC, the self-regulatory organizations, or any State securities regulator may request.
Many digital broker-dealers will simply not have been in business long enough to rack up a high number of years of violations, but the point is clear: electronic records retention is a common area of regulatory scrutiny.
Bookmark and keep handy our practical
FINRA Record Retention Requirements Checklist
In addition to retaining records, adequacy or reasonableness of efforts and controls also plays a significant role. Planning and continuous review are critical.
Questions about how your organization can stay on top of FINRA document retention requirements? Contact InnReg for help at firstname.lastname@example.org.
Relevant FINRA Document Retention Rules, if you want to learn more:
- FINRA Rule 451: States that any capital acquisition broker must maintain records of customers name and residence, legal age status, and named individuals authorized to transact business on behalf of the customer, for each customer.
- SEA Rule 17a-3 and SEA Rule 17a-4 specify minimum requirements with respect to the records that broker-dealers must make, how long those records and other documents relating to a broker-dealer’s business must be kept and in what format they may be kept.
The Author: InnReg is a team of over 20 Regulatory Compliance and Innovation Consulting experts helping fintechs succeed in highly regulated markets since 2013. InnReg - Compliance and Operations for Technology-Based BDs is listed in the FINRA Compliance Vendor Directory.