WhatsApp, WeChat, Facebook, Slack or Teams. The ways in which we can communicate these days are growing in number and changing at lightning speed. In fact, it can be hard to keep track of it all. And that is where trouble can start, if not managed properly. SEA Rule 17a-4 as called by FINRA – or SEC Rule 17a-4 as called by SEC – sets recordkeeping requirements for broker-dealers, including which documents need to be preserved, how to store them, and for how long those records must be kept.
In 2001, the rule was amended to:
- Require that a broker-dealer maintain a record of advertisements and other “communications with the public;
- Clarify definitions; and
- Set additional recordkeeping and retention standards.
Record Retention Standards
In view of these requirements, it can be challenging to figure out what exactly needs to be saved and how to save it all. It is a comprehensive list that includes, but is not limited to the following:
| Record Type | Retention Period |
|---|---|
| Communications with public | 3 years, first 2 in an easily accessible location |
| Organizational documents | Life of enterprise and any successor |
| Special reports(examinations, or other reports requested by regulators) | 3 years after the report date |
| Compliance, supervisory, & procedure manuals | 3 years after use termination |
| Exception reports | 18 months after the generation of report |
Communications Best Practices
Compliance challenges can arise when reviewing “communications with public” considering all the various forms of communications and ways in which to record them.
If a company uses a method for communicating with customers, the firm must find a way to retain the records of business-related communications and supervise and audit those records to ensure compliance of applicable laws and regulations.
Due to the complicated nature of preserving various app-based messaging platforms, many firms have found that that it is easiest to prohibit these types of communications altogether. While this may be one way to manage compliance, it only works if management enforces these policies and takes appropriate action when exceptions or red flags have been indicated.
In any case, firms should establish controls around the use of all forms of digital communication to ensure compliance, including comprehensive policies, procedures, and training programs.
Policies and procedures should clearly detail permissible and blocked digital channels based on the firm’s ability to supervise activity and apply the appropriate recordkeeping regulatory requirements.
Furthermore, for every new digital channel, there should be a process that oversees and manages the security and compliance along various business lines such as information technology, marketing, third-party vendors and senior management.
How to Preserve it All
Unless you want to deal with microfilm or microfiche, you’ll want to store all of your documents via Electronic Storage Media (ESM). SEA 17-a4 (f) defines ESM as any digital storage medium or system that meets the following 5 conditions.
1. Firm Notification
Firms must notify regulators that they intend to use ESM. If something other than an “optical disk” (i.e. CD-ROM), this must be done at least 90 days in advance.
2. ESM Representation
Firms must attest to regulators (themselves or via a third-party vendor) the following regarding their Electronic Storage Media:
- Records are preserved in a WORM (write once, read many) format – meaning non-writeable and non-erasable;
- A verification that recording process is of good quality and accuracy;
- It serializes the original and any duplicates with time-dates for the required retention periods;
- Records can be readily downloaded as requested/required by regulators.
3. Audit Systems
Firms must have an audit system that can verify when records are stored and when – if any – changes are made to records. Audit results must be stored and preserved according to regulations. Regulators must be able to review the audit system during examinations.
4. Access to Records and Indexes
Firms must always be able to access records and download them to any medium, especially for regulators upon request. Records must be in readable formats.
5. Third-Party Access Representation
If some or all of the records are only stored via ESM, firms must have a third-party file with regulators to verify the ability to provide access to records as requested.
SEA Rule 17a-4 Compliance in Summary
There’s a lot to consider when reviewing your firm’s compliance to record retention and preservation guidelines. However, once an adequate system has been established, compliance will fall in line if using the guidelines listed above.
So, even though you can’t predict the next big thing when it comes to digital communication or apps, you’ll be armed and ready to move right along with the changing times.
