The Financial Industry Regulatory Authority assessed a total of US $14.4 million in fines against 12 firms for “significant deficiencies” in their retention of required books and records on electronic storage media. In general, when broker-dealers use electronic storage media to retain books and records, the media must be in a “write once, read many” format (so-called “WORM format”). In addition, applicable Securities and Exchange Commission and FINRA rules require that each broker-dealer maintain an audit system “providing for accountability” regarding the input of books and records required to be preserved to electronic storage media. The rules also require each broker-dealer to retain a third-party vendor that has access to, and the ability to download data from, the firm’s storage media and that commits through an attestation to provide records to the SEC, FINRA or other regulator if the firm is unable to provide such records. (The SEC’s requirements regarding acceptable electronic storage media are at 17 CFR 240.17a-4(f).) FINRA claimed that the sanctioned firms typically did not retain electronic records in WORM format, failed to have a required audit system, did not obtain or maintain a required attestation from a third-party vendor, and did not have adequate written supervisory procedures reasonably designed to ensure compliance with applicable requirements. Firms (or affiliated firms) agreed to settle FINRA’s charges for individual fines ranging from US $4 million to US $500,000.
Compliance Weeds: All principal international regulators have rules related to the generation and retention of records by registrants in the futures and securities industry. These rules typically describe the type of records that must be prepared in the first instance; how long and in what format such records must be retained; and to whom and in what time period such records must be produced when requested by an authorized regulator. Unfortunately, given the large number of records that even a small registrant generates in a given day, it is easy for a firm to run afoul of applicable requirements. This is why each registrant should (1) ensure it is fully familiar with applicable requirements, (2) design a comprehensive system that ensures compliance with these requirements in the first instance (including the development and implementation of written supervisory procedures), and most importantly, (3) routinely test that all required records are being retained and in the correct format. This testing should be two-fold: (1) from front to back, to ensure that the system is set up and functions according to requirements; and (2) back to front, to ensure that a wide-ranging sample of documents generated from different sources (including, for electronic communications, attachments and so-called “bcc’s”) can be produced completely, and within the time periods, expected by regulators. Firms should also periodically ensure (1) that documents stored in electronic media are in non-rewritable and non-erasable format in accordance with local requirements and (2) that internal systems designed to capture electronic communications from different sources capture and retain all aspects of those communications, including attachments and bcc’s, as well as prior drafts. The Commodity Futures Trading Commission has rules similar to the SEC’s regarding the maintenance of required books and records on electronic storage media (see CFTC Rule 1.31(b)).