The Securities and Exchange Commission has voted to adopt amendments to the electronic recordkeeping, prompt production of records, and third-party recordkeeping service requirements applicable to broker-dealers. These amendments make significant changes to SEC Rule 17a-4 and address regulations which apply to write-once, read-many (“WORM”) and the requirement for a Designated 3rd Party (“D3P”) (Rule 17a-4(f)(3)(vii)).
The SEC adopted certain changes to SEC Rule 17a-4, including the following:
- Eliminating the requirement that a broker-dealer notify its designated examining authority (“DEA”) before using an electronic recordkeeping system.
- Allowing for alternative undertakings tailored to how certain third-party recordkeeping services (such as cloud-based providers) hold electronic records, subject to certain conditions including that the broker-dealer have access to the records without the intervention of the third-party provider.
- Requiring records maintained by a firm to be provided to the SEC in a reasonably usable electronic format.
- Permitting the examination of records at any time or from time to time during business hours by representatives or designees of the SEC; each broker-dealer’s DEA is a SEC designee under the adopted rules.
Major Changes: New Options for Broker-Dealers
The amendments provide broker-dealers with options on electronic storage and 3rd Party Undertakings:
Audit-Trail Alternative to the WORM Storage Requirement
The amendments add an audit-trail alternative to WORM storage requirement whereby electronic records may be preserved in a manner that permits the re-creation of an original record if the original record is altered, overwritten, or erased. Firms may now use retention platforms in which the institutional electronic recordkeeping system maintains and preserves the records for the duration of their applicable retention periods in a manner that maintains a complete time-stamped audit trail that includes:
(1) all modifications to and deletions of a record or any part thereof;
(2) the date and time of operator entries and actions that create, modify, or delete the record;
(3) the individual(s) creating, modifying, or deleting the record; and
(4) any other information needed to maintain an audit trail of each distinct record in a way that maintains security, signatures, and data to ensure the authenticity and reliability of the record and will permit re-creation of the original record and interim iterations of the record.
Designated Executive Officer or a Designated 3rd Party
The amendments also allow firms to designate an executive officer (Designated Executive Officer or “DEO”) who will take on the responsibilities of a Designated 3rd Party. The DEO must be a member of senior management of the broker-dealer who has access to and the ability to provide the records of the firm which are maintained and preserved on the firm’s electronic recordkeeping system.
Under the final amendments, the Designated Executive Officer either must have the knowledge, credentials, and information necessary to access and provide the records without having to rely on other individuals at the firm or have appointed in writing up to three designated specialists who have such knowledge, credentials, and information and that are direct or indirect reports to the officer. In this way, the Designated Executive Officer’s access can be achieved through the officer’s ability to direct a designated specialist to access and provide the records.
In addition, the DEO is responsible for managing the production of records requested by a regulator through the steps of:
(1) Search and promptly furnish to the Commission or its designee a true, correct, complete, and current hard copies of any or all or any part of such books and records.
(2) Review, if applicable, for privileged records and subsequent production of the necessary Privilege Logs.
(3) Produce records in the format required by the SEC or other regulator. These electronic records must be produced in a format that allows the regulator or its designee to search and sort the responsive records.
(4) Produce the audit log showing verifying the necessary authenticity and ‘chain of custody’ of the records in an electronic format.
Filing New Letters with the Designated Examining Authority
Broker-dealers have until approximately June 2023 to decide whether to convert to the in-house DEO option or continue to use a D3P. In either case, new Letters of Undertaking will need to be filed with its Designated Examining Authority. The amendments no longer require the archive Notification Letter under Rule 17a-4(f)(2)(i).
Our Take: 17a-4, LLC has provided D3P services since 2003 and responded to the proposed amendments in our Dec. 2021 letter (s71921-20111144-264790.pdf (sec.gov)). As we have discussed with many of our clients, these storage regulations have been outdated and clarity was required as to the process and procedures for Undertaking providers. We applaud the SEC for making a major step to update the technology requirements and to clarify these issues. We look forward to continuing to serve our Designated 3rd Party Clients. Please contact us to see how we may be able to assist.