Rules & Regulations Summary

17a-4 Bridge

The following are summaries meant to provide brief overviews of rules and regulations that govern financial and other regulated organizations and businesses.  The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.




SEC Rule 17a-4 & 17a-3

Securities Exchange Act (SEA) Rule 17a-3 specifies the minimum requirements for broker-dealer records: which records and documents relating to a broker-dealer’s business must be made, how long they must be kept, and the format in which they may be kept.

SEC Rule 17a-4 is part of the US Securities Exchange Act of 1934 and outlines requirements for data retention, indexing, and accessibility for companies that deal in the trade or brokering of financial securities such as stocks, bonds, and futures. Records of certain transactions must be retained and indexed on indelible (WORM) media with immediate accessibility for a period of six months, and with non-immediate access for a period of at least two years. Duplicate records must also be kept for the same time frame at an off-site location.

  • Designated Third Party consultant (D3P) requirement.
  • Letters of Notification and Representation filing requirement.
  • Written, enforceable retention policies.
  • Searchable index of all data stored.
  • Data must be viewable and readily retrievable.
  • Storage of data on WORM (write once read many) electronic media.
  • Offsite storage of data.

SEC Rule 204-2

Books and records to be maintained by investment advisers.

  • Retention requirement for all books and records relating to written communications received and sent by an investment adviser.
  • Details the types of books and records an Adviser must make and keep true, current and accurate. Email is specifically identified as a business record in the rule.
  • Applies to Hedge Funds and Private Equity firms under the Dodd-Frank Financial Reform Act.
  • Requires Advisers to arrange and index the records in a way that permits easy location, access, and retrieval.
  • Compels Advisers to promptly furnish to the SEC any records requested, electronic or otherwise.

SEC Rule 15a-6

Chaperoning arrangements for international research.

  • Guidance to foreign Broker-Dealers seeking to operate in compliance with U.S. broker-dealer registration requirements.
  • Requires a U.S. broker/dealer to ‘chaperone’ or review research before it is distributed to U.S. investors.


Exchange Act Rule 17a-4 Amendments

Chart of Significant Changes – this chart outlines recent changes to Rule 17a-4.

Books & Records

  • Books, accounts, records, memoranda, correspondence and other documentation or information that firms have to make and preserve in accordance with the federal securities laws, rules and regulations.
  • Covers what are books and records, Electronic Storage Media, Outsourcing and Electronic Communications.

FINRA Rule 3110 & 3120

FINRA Rule 3110 requires firms to have supervisory procedures in place to review electronic correspondence and internal communications relating to their investment banking and securities business and to customer complaints, together with maintenance and retention requirements to chronicle the evidence of review required by Rule 3110(b)(4).

FINRA Rule 3120(a) requires firms to designate and identify to FINRA one or more principals required to create, maintain, and enforce supervisory control procedures and policies.

  • Establishes personnel permitted to act as supervisors and those that may perform office inspections.
  • Requirement for review of certain internal communications.
  • Imposes obligations to monitor for insider trading, including the duty to conduct internal investigations and to report information related to those internal investigations back to FINRA.


FINRA Rules 3220, 3221 & 3222

Influencing or Rewarding Employees of Others

  • Guidance on gifts, gratuities and business entertainment compensation related to the sale of securities.
  • Rule 3220 – Gifts and gratuities
  • Rule 3221 – Non-Cash Compensation
  • Rule 3222 – Business Entertainment

FINRA Rule 3270

Outside Business Activities of Registered Persons.

  • Requirement to capture information, documentation and descriptions of outside business activities.
  • Provides for registered persons to agree annually to limitations on such activities.

FINRA Rule 3280

Private Securities Transactions of an Associated Person.

  • Guidance and description of private transactions, associated persons/roles, and compensation requirements.
  • Written Notice requirement and guidance.

FINRA Regulatory Notice 07-59

Guidance Regarding the Review and Supervision of Electronic Communications

  • Written Policies and Procedures
  • Types of Electronic Communications Requiring Review
  • Identification of the Person(s) Responsible for the Review of Electronic Communications
  • Method of Review for Correspondence
  • Frequency of the Review of Correspondence
  • Documentation of the Review of Correspondence


Investment Advisers Act of 1940

Defines the responsibilities and limitations placed on open-end mutual funds, unit investment trusts and closed-end funds that offer investment products to the public.

  • Applies to companies that primarily offer, invest or trade in securities.
  • Compels fund registration with the SEC.
  • Requires a board of directors, 75% of whom must be independent.
  • Places limits on investment strategies, such as the use of leverage.
  • Obliges funds to maintain a certain percentage of assets in cash for investors that sell.
  • Requires disclosure to investors of the funds’ structure, financial condition, investment policies and objectives.

Helpful Links:
Documentation on the Investment Advisers Act of 1940


Dodd-Frank Wall Street Reform and Consumer Protection Act

Imposes record-keeping, reporting and disclosure requirements on all Investment Advisers, Broker-Dealers, and Major Swap Participants.

  • Registered advisers are required to maintain records relating to business activities as mandated by Rule 17a-4 of the Securities Exchange Act and Rule 204-2 of the Investment Advisers Act.
  • Applies confidential reporting requirements that compel virtually all advisers to disclose to the SEC/CFTC their trading and investment positions, practices, and exposures that relate to systemic risk (assets under management, use of leverage including off-balance-sheet leverage, exposures to particular counterparties and types of securities, credit risk exposures, calculation policies and side letters).
  • Requires registered entities to provide any other information the SEC/CFTC and the Financial Stability Oversight Council (FSOC), the new systemic risk regulator, deems necessary and appropriate.

The Dodd-Frank Wall Street Reform and Consumer Protection Act established the Bureau of Consumer Financial Protection (CFPB). The CFPB “regulate[s] the offering and provision of consumer financial products or services under the Federal consumer financial laws.”

CFTC 17 CFR 1.31: Books and records; keeping and inspection

Under Title VII of the Dodd-Frank Act, over-the-counter (“OTC”) derivatives regulated as “swaps” and certain other derivative transactions are subject to new record-keeping and reporting requirements. All swap counterparties, including end users, are required to keep complete swap records, with data reporting on all swaps required throughout the life of the trade.

  • All required books and records shall be kept for a period of five years and shall be readily accessible during the first two years of the five-year period
  • Data must be stored in a digital storage medium that exclusively stores records in a non-rewritable, non-erasable format (WORM, write once read many)
  • Asserts records management system requirements
  • Sets forth original and duplicate record and associated indexes’ properties and formats
  • Designates third party technical consultant and required letter of representation

More Rules & Regulations 

FINRA RULE 4511: General Requirements

FINRA Rule 4511 provides general recordkeeping requirements for FINRA’s financial and operational rules. These recordkeeping requirements clarify that firms are required to:
(1) make and preserve books and records as required by the Securities Exchange Act (SEA), applicable SEA rules, and FINRA rules; and
(2) preserve books and records required to be made per FINRA rules in a format complying with SEA Rule 17a-4.

FINRA Rule 4511(b) requires firms to retain FINRA records and books, which do not have a specified retention period under FINRA rules or applicable Exchange Act rules, for at least six years.

FINRA Rule 4511(c) requires firms to retain books and records pursuant to FINRA in a format and media complying with SEA Rule 17a-4.


FINRA Regulatory Notice 12-29

FINRA Regulatory Notice 12-29, SEC Approves New Rules Governing Communications With the Public, includes details on the new SEC-approved FINRA rules governing broker-dealers’ communication with the public. The rules went into effect on February 4, 2013.

Among the changes, the number of communication categories is reduced from six to three: retail communication, institutional communication and correspondence.

  • Retail Communication: Any written (including electronic) communication that is distributed or made available to more than 25 retail investors within any 30 calendar-day period.
  • Institutional Communication: Any written (including electronic) communication that is distributed or made available only to institutional investors, but does not include a member’s internal communications.
  • Correspondence: Any written (including electronic) communication that is distributed or made available to 25 or fewer retail investors within any 30 calendar-day period.


Helpful Links:
An executive summary of Regulatory Notice 12-29 from FINRA

PDF of FINRA 12-29

FINRA Regulatory Notice 11-39

FINRA Regulatory Notice 11-39 (guidance on social networking websites and business communications) is a response to January 2010’s FINRA Regulatory Notice 10-06, addressing questions regarding the application of the rules since 10-06’s publication. The notice is presented in Q&A format and covers four sections: recordkeeping, supervision, third-party posts, third-party links and websites, and accessing social media sites from personal devices.

Highlights include:

  • Content is determinative – whether a particular communication is related to the business of the firm (and consequently whether it must be archived) depends upon the facts and circumstances. It does not depend on the type of device or technology used to transmit the communication.
  • Firms are required to retain, retrieve and supervise business communications regardless of whether they are conducted from a work-issued device or personal device.
  • Business-related content on personal sites should be addressed via policy.
  • Interactive content may also become static content.

Helpful Links:
Regulatory Notice 11-39 – Guidance on Social Networking Websites and Business Communications from FINRA

FINRA Regulatory Notice 11-32

Regulatory Notice 11-32 provides questions and answers from FINRA to assist member firms in implementing the new FINRA Rule 4530 requirements (as explained in FINRA Regulatory Notice 11-06). In addition, FINRA Regulatory Notice 11-32 clarifies that tweets and text messages are “written” material.

Helpful Links:

Summary of the Notice 11-32 from FINRA
The Full PDF of Notice 11-32

FINRA Regulatory Notice 10-59

FINRA Regulatory Notice 10-59 includes amendments to FINRA rule 8210 which requires broker-dealers to:

  • Encrypt electronic data on physical media (CD-ROMs, portable hard drives, flash drives) sent to the self-regulatory organization.
  • Provide FINRA staff with the confidential decryption process or key in a separate communication.

The effective date of these amendments was December 29, 2010. FINRA views industry standards for strong encryption to be 256-bit or higher.

Helpful Links:
FINRA Regulatory Notice 10-59
Full Notice in .pdf format
FINRA Rule 8210

FINRA Regulatory Notice 10-06

Using social media Web sites, such as blogs and social networking sites, for business and personal communications is becoming more frequent. Firms have asked FINRA staff how the FINRA rules governing communications with the public apply to social media sites that are sponsored by a firm or its registered representatives. This Notice provides guidance on blogs and social networking websites to firms regarding these issues.

Helpful Links:
Documentation from FINRA for Regulatory Notice 10-06

FINRA Regulatory Notice 07-59

Similar to FINRA Regulatory Notice 10-06, FINRA Regulatory Notice 07-59 is titled “Supervision of Electronic Communications.” This regulatory notice provides guidance regarding the review and supervision of electronic communications.

Key observations:

“…a member firm’s obligations to supervise electronic communications are based on the content and audience of the message, rather than the electronic form of the communication.”

“FINRA expects a firm to have supervisory policies and procedures to monitor all electronic communications technology used by the firm and its associated persons to conduct the firm’s business.”

Helpful Links:

An executive summary on

Federal Rules of Civil Procedure (FRCP) - Rule 26

A party must, without awaiting a discovery request, provide to the other parties:
(1) the name and address of each individual likely to have discoverable information;
(2) a copy – or a description by category and location – of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses, unless the use would be solely for impeachment;
(3) a computation of each category of damages claimed by the disclosing party – who must also make available for inspection and copying as under Rule 34 the documents or other evidentiary material, unless privileged or protected from disclosure, on which each computation is based, including materials bearing on the nature and extent of injuries suffered; and
(4) for inspection and copying as under Rule 34, any insurance agreement under which an insurance business may be liable to satisfy all or part of a possible judgment in the action or to indemnify or reimburse for payments made to satisfy the judgment.

Helpful Links:
FRCP Rule 26 text

FDA 21 CFR Part 11

FDA Title 21 CFR Part 11 of the Code of Federal Regulations sets out the Food and Drug Administration (FDA) requirements for electronic records and electronic signatures in the United States. Part 11 requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data that are:
(1) required to be maintained by the FDA predicate rules; or
(2) used to demonstrate compliance with a predicate rule.

People using closed systems to modify, create, maintain, or transmit electronic records must employ, at a minimum, procedures and controls designed to conduct the following:
(1) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records;
(2) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency;
(3) Record protection enabling accurate and ready retrieval throughout the retention period;
(4) Limiting system access to authorized individuals;
(5) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. This documentation must be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
(6) Use of operational system checks enforcing permitted sequencing of steps and events, as appropriate;
(7) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand;
(8) Use of device checks to determine, as appropriate, the validity of the source of data input or operational instruction;
(9) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks;
(10) Establishing and adhering to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification;
(11) Use of appropriate controls over systems documentation.

Fair & Accurate Credit Transactions Act of 2002 (FACTA)

The Fair & Accurate Credit Transactions Act of 2002 (FACTA) amended the Fair Credit Reporting Act. FACTA allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies (Equifax, Experian and TransUnion). In cooperation with the Federal Trade Commission, the three major credit reporting agencies set up a dedicated website to provide free access to annual credit reports. The act also contains provisions to help reduce identity theft, such as the ability for individuals to place alerts on their credit histories if identity theft is suspected, or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult. Further, it requires secure disposal of consumer information.

Markets in Financial Instruments Directive (MiFID) article 51(3)

The Markets in Financial Instruments Directive (MiFID), of which article 51(3) is a part, is a European Union law that provides harmonised regulation for investment services across the 31 member states of the European Economic Area. The main objectives of the Directive are to increase competition and consumer protection in investment services.

If a firm performs investment services and activities, it is subject to MiFID in respect both of these and also of ancillary services (and it can use the MiFID passport to provide them to member states other than its home state). However if a firm only performs ancillary services, it is not subject to MiFID (but nor can it benefit from the MiFID passport).

MiFID covers almost all tradable financial products, with the exception of certain foreign exchange trades. This includes commodity and other derivatives such as freight, climate and carbon derivatives, which were not covered by the earlier Investment Services Directive (ISD).

MiFID article 51(3) establishes that competent authorities shall draw up and maintain a list of the minimum records investment firms are required to keep under MiFID and its implementing measures. The list of minimum records to be kept includes the following communications items:

  • Marketing communications (except in oral forms)
  • The firm’s internal business communications (including the records provided for under Art. 5(1)(f) on business and organisation)
  • Firm’s Compliance procedures
  • Complaints records
  • Complaints handling
  • Records of prices quoted by systematic internalisers
  • Records of personal transactions
  • Record of the information disclosed to clients regarding inducements
  • Investment advice to retail clients

Government in the Sunshine Act

The Government in the Sunshine Act is a 1976 U.S. law intended to create greater transparency in government. It requires that all meetings conducted by federal agencies be open to the public unless the meeting falls into one of the Sunshine Act’s ten exemptions.

Sunshine Act § 1612.10 outlines the recordkeeping requirements for federal agencies under the Act.

  • 1612.10(a) states that in the case of a meeting or portion of a meeting that is closed to the public, the Executive Secretary of the agency must maintain the following records:
    (1) The certification of the Legal Counsel pursuant to § 1612.9 of the Sunshine Act;
    (2) Statement from the presiding officer of the meeting setting forth the time and place of the meeting, and the people present;
    (3) Complete electronic recording adequate to record fully the proceedings of each meeting closed to the public, except that for a meeting that falls under one of the exceptions, the agency may maintain minutes in lieu of a recording. Minutes must fully and clearly describe all matters discussed and must provide a full and accurate summary of any actions taken, and the reasons, including a description of each of the views expressed on any item and the record of any roll call vote. All documents considered in connection with any item shall be identified in the minutes.
  • 1612.10(b) states that if the agency has determined that the meeting or meeting portion(s) may properly be closed to the public, the electronic recording or minutes may not be made available to the public until a time, if any, when it is determined by the Commission that the reasons for closing the meeting no longer pertain.
  • 1612.10(c) states that the agency must maintain a copy of electronic recordings or minutes for 2 years after the meeting or until one year after conclusion of the proceeding related to the meeting, whichever is later.

State sunshine laws are the laws in each state that govern public access to governmental records. These laws are sometimes known as open records laws or public records laws, and are also collectively referred to as FOIA laws, after the federal Freedom of Information Act.

Freedom of Information Act (FOIA)

The Freedom of Information Act (FOIA), 5 U.S.C. § 552, is a federal law allowing for the full or partial disclosure of previously unreleased information and documents controlled by the United States government. The Act defines agency records subject to disclosure, outlines mandatory disclosure procedures and grants nine exemptions to the statute.

FOIA applies to any information in an agency record, excluding information encompassed by the nine exemptions, regardless of format.

Agencies must make available for public inspection in an electronic format:
(1) Final judicial opinions, including any dissent and concurrences, and orders made in the adjudication of cases;
(2) Statements of policy and interpretations adopted by the agency and not published in the Federal Register;
(3) Administrative staff manuals and instructions to staff that affect members of the public;
(4) Copies of all records, regardless of format that (a) have been released to someone pursuant to a FOIA records request; (b) because of the subject matter’s nature, the agency has determined the record will likely be requested frequently; or (c) has been requested 3 or more times; and
(5) A general index of all records referred to in point 4 above.

Federal Financial Institutions Examination Council (FFIEC) Guidance on Social Media

The Federal Financial Institutions Examination Council (FFIEC) final guidance (excerpted below) on social media was published on Dec. 11, 2013. The FFIEC is comprised of six supervisory agencies, and the guidance applies to all of them. They are:

  • Office of the Comptroller of the Currency (OCC)
  • Board of Governors of the Federal Reserve System (Board)
  • Federal Deposit Insurance Corporation (FDIC)
  • National Credit Union Administration (NCUA)
  • Consumer Financial Protection Bureau (CFPB)
  • State Liaison Committee (SLC)

Banks, credit unions, and mortgage lenders are all required to comply with FFIEC guidelines.

According to the guidelines, a financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. An overview of the specific components of such a program follows:

  • A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities;
  • Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;
  • A risk management process for selecting and managing third-party relationships in connection with social media;
  • An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
  • An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
  • Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and
  • Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

The Federal Energy Regulatory Commission (FERC): Compliance Order No. 717 & 18 CFR § 35.41

The Federal Energy Regulatory Commission (FERC) Compliance Order No. 717, codified in 18 CFR Part 358, requires that all emails, voicemail, text messages and other communication between transmission providers’ transmission function employees and marketing function employees must be retained for five years.

FERC Regulations 18 CFR Part 35 & Part 284 require an electronic data retention policy for each entity under FERC’s jurisdiction. Data must be archived encrypted to WORM (write once read many) media. Depending on wholesale vs. retail criteria, this data must be archived and available for a 5 to 6 year time period. Industries affected are Public Utilities, Natural Gas Companies, Electric Producers, and Gas & Oil Production and Trading.

FERC will put heavy emphasis on whether firms are taking precautionary compliance measures with focuses on:
(1) Senior management’s role in fostering compliance programs
(2) Preventative practices to ensure compliance
(3) Detection and reporting of non-compliant activity
(4) Reactive efforts to remedy compliance violations

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was adopted to ensure health insurance coverage after leaving an employer and also to provide standards for facilitating health-care–related electronic transactions. To improve the efficiency and effectiveness of the health-care system, HIPAA included administrative simplification provisions that required DHHS to adopt national standards for electronic health-care transactions (2). At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated adoption of federal privacy protections for certain individually identifiable health information. The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) (3) provides the first national standards for protecting the privacy of health information. The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records.

Helpful Link:
HIPAA Privacy Rule from the HHS website.

FINRA Rule 4514: Authorization Records for Negotiable Instruments Drawn from a Customer's Account

FINRA Rule 4514 requires a firm or associated person to get a customer’s express written authorization before obtaining from the customer, or submitting for payment, a negotiable instrument on the customer’s checking, savings, share, or similar account.

Firms must preserve this written authorization, when the customer’s signature is not on the negotiable instrument. This record must be retained for 3 years following the date the authorization expires.

FINRA Rule 3170: Tape Recording of Registered Persons by Certain Firms

FINRA Rule 3170 requires firms to establish, enforce, and maintain written procedures supervising telemarketing activities of all its registered persons, including recordings of the conversations.

Securities Exchange Act of 1934

The Securities Exchange Act of 1934 (SEA) created the Securities and Exchange Commission (SEC). It empowers the SEC with broad authority over all aspects of the securities industry and to require companies with publicly traded securities to periodically report information.

The SEA requires security-based swap execution facilities, large traders, security-based swap dealers, and major security-based swap participants to retain records. These requirements can be found in the following sections:
(1) 3D(d)(9) – Security-Based Swap Execution Facilities;
(2) 13(h)(2) – Large Traders;
(3) 13A – Security-Based Swap Dealers;
(4) 15C(f)(2) – Government Securities Brokers and Dealers; and
(5) 15F – Registration and Regulation of Security-Based Swap Dealers and Major Security-Based Swap Participants

Securities Act of 1933

The Securities Act of 1933 has two objectives:
(1) “Require that investors receive financial and other significant information about securities being offered for public sale;” and
(2) “Prohibit deceit, misrepresentations, and other fraud in the sale of securities.”

The Securities Act of 1933 requires the registration of securities to enable disclosure of important financial information. Some securities exempted from the registration requirement include:
(1) Private offerings to a limited number of persons or institutions;
(2) Intrastate offerings;
(3) Offerings of limited size; and
(4) Securities of municipal, state, and federal governments.

FINRA Rule 7440: Recording of Order Information

FINRA Rule 7440(a)(4) describes what records must be maintained by FINRA Reporting firms regarding orders received or executed at its trading department. These records must include identification of:
(1) each registered person receiving the order directly from a customer;
(2) each registered person executing the order; and
(3) the department originating the order if it was originated by a member and transmitted manually to another department.

Under FINRA Rule 7440(a)(5) these records must be maintained for the period of time laid out in SEA Rule 17a-4(b).


FINRA Rule 4513: Records of Written Customer Complaints

FINRA Rule 4513 requires firms to preserve records of written customer complaints at each office of supervisory jurisdiction. The rule limits the requirement to complaints that relate to that specific office or to activities supervised from that office. These records must be retained for at least four years.

Firms may keep these records at the office of supervisory jurisdiction itself, or keep them elsewhere (for example, centrally) provided they can be made promptly available at that office upon FINRA’s request.


Financial Conduct Authority (FCA): Social Media and Customer Communications Guidance

In the UK, the Financial Conduct Authority (FCA) has released a guidance consultation paper outlining its supervisory approach to financial promotions in social media. The guidance contains no new rules or record-keeping requirements, but it is a useful summary of the relevant rules and an indication of the FCA’s supervisory expectations. The paper is intended to help firms understand how they can use social media while meeting the FCA’s financial promotion and record-keeping rules. Its five main points are:

  • Follow the basic rule: be fair, clear and not misleading.
  • Under the FCA definition, any form of communication, including social media, can be a financial promotion if it includes an invitation or inducement to engage in financial activity.
  • Firms should make consumers aware of both the potential benefits and the risks of a financial product.
  • Each tweet, Facebook post, web page or other social communication must be considered individually and must comply with the relevant rules on its own.
  • Firms are responsible for their own communications, but not for messages added when a third party shares or forwards them. If a consumer re-tweets a firm’s tweet, responsibility for the re-tweet lies with the person who sent it, not with the firm.

FINRA Rule 2210: Communications with the Public

FINRA Rule 2210(b)(4)(A) sets out the recordkeeping requirements for retail and institutional communications. These mirror existing recordkeeping requirements and incorporate by reference the medium, retention period and recordkeeping format specified in SEA Rule 17a-4. Such records must include:
– A copy of the communication and the dates of first and (if applicable) last use;
– The name of any registered principal who approved the communication and the date that approval was given;
– In the case of a retail communication or institutional communication that is not approved prior to first use by a registered principal, the name of the person who prepared or distributed the communication;
– Information concerning the source of any statistical table, chart, graph or other illustration used in the communication; and
– For retail communications that rely on the exception under paragraph (b)(1)(C), the name of the firm that filed the retail communication with FINRA and a copy of the Advertising Regulation Department’s review letter.

FINRA Rule 2210(b)(4)(B) covers the recordkeeping of correspondence by cross-reference to NASD Rule 3010(d)(3) and FINRA Rule 4511.


Markets in Financial Instruments Directive (MiFID II)

The Markets in Financial Instruments Directive (MiFID) is an EU law that harmonizes the regulation of investment services across the EU. MiFID’s objectives are to increase competition and consumer protection in investment services. In April 2014 the EU approved MiFID II, which expands the scope of MiFID; it took effect on January 3, 2018.

MiFID II applies to financial services businesses undertaking MiFID business anywhere in the EU, as well as those providing services cross-border. This includes:
(1) Investment firms;
(2) Trading venues;
(3) Data reporting service providers; and
(4) Third-country firms providing investment services or performing investment activities into the EU (either on a services basis or via a branch).

MiFID II Article 16 (6) requires an investment firm to arrange for records to be kept of all services, activities and transactions undertaken by the business, which must be sufficient to enable the competent authority to fulfil its supervisory tasks and to perform enforcement actions.

This includes all communications that are intended to result in a trade even if they ultimately do not.

MiFID II Article 16(7) states that records must include recordings of telephone conversations and electronic communications, and minutes or notes of face-to-face meetings, relating to the reception, transmission and execution of orders on behalf of clients or when dealing on own account. Article 16(7) also requires these records to be kept for five years, extended to up to seven years where the competent authority requests it, and states that the records must be provided to the client involved upon request.

MiFID II paragraphs 57 and 82, Article 4(62) and Article 25(6) require records to be stored in a ‘durable medium’ that allows them to be replayed or copied. Records must be retained in a format that does not allow the original record to be altered or deleted. In addition, records should be stored in a searchable medium so that they are accessible and readily available upon request.

A ‘durable medium’ is akin to WORM storage and is defined as one that allows ‘the unchanged reproduction of the information stored’ (Article 4(62)).

Requirements are defined further by the European Commission MiFID II explanatory memorandum.


Financial Conduct Authority: Investment Funds Sourcebook (FUND) and Collective Investment Schemes Sourcebook (COLL): Sch 1

The FCA’s Investment Funds Sourcebook (FUND) and Collective Investment Schemes Sourcebook (COLL) set out requirements for managers and depositaries of authorised and unauthorised investment funds. Record-keeping requirements include those relating to minutes of meetings; records of units held, acquired or disposed of; subscription and redemption orders; issues and cancellations of units; general record-keeping obligations to evidence compliance with the rules; and, for alternative investment funds, details of assets that are not custodial assets.

The FCA Handbook collects the record-keeping requirements found in COLL in a table at COLL Schedule 1.