The Securities Exchange Act (SEA) Rule 17a-3 specifies the minimum requirements for broker-dealer records, how long records and documents relating to a broker-dealer’s business, and the format they may be kept.
SEC Rule 17a-4 is part of the US Securities Exchange Act of 1934 and outlines requirements for data retention, indexing, and accessibility for companies which deal in the trade or brokering of financial securities such as stocks, bonds, and futures. Records of certain transactions must be retained and indexed on indelible (WORM) media with immediate accessibility for a period of six months, and with non-immediate access for a period of at least two years. Duplicate records must also be kept within the same time frame at an off-site location.
Books and records to be maintained by investment advisers.
Chaperoning arrangements for international research.
SEC and FINRA books and records requirements.
FINRA Rule 3110 requires firms to have supervisory procedures in place to review electronic correspondence and internal communications relating to its investment banking, securities business and customer complaints as well as maintenance and retention requirements for to chronicle the evidence of review required by Rule 3110(b)(4),
FINRA Rule 3120(a) requires firms to designate and identify to FINRA one or more principals required to create, maintain, and enforce supervisory control procedures and policies.
Influencing or Rewarding Employees of Others
Outside Business Activities of Registered Persons.
Private Securities Transactions of an Associated Person.
Guidance Regarding the Review and Supervision of Electronic Communications
Defines the responsibilities and limitations placed on open-end mutual funds, unit investment trusts and closed-end funds that offer investment products to the public
Documentation on the Investment Advisers Act of 1940
Imposes record-keeping, reporting and disclosure requirements on all Investment Advisers, Broker Dealers, and Major Swap Participants.
The Dodd-Frank Wall Street Reform and Consumer Protection Act established the Bureau of Consumer Financial Protection (CFPB). The CFPB “regulate[s] the offering and provision of consumer financial products or services under the Federal consumer financial laws.” For more information about the CFPB, click here: https://www.consumerfinance.gov/
Link to Regulation: http://housedocs.house.gov/rules/finserv/111_hr4173_finsrvcr.pdf
Helpful Link: https://www.sec.gov/spotlight/dodd-frank.shtml
Under Title VII of the Dodd-Frank Act, over-the-counter (“OTC”) derivatives regulated as “swaps” and certain other derivative transactions will be subject to new record-keeping and reporting requirements. All swap counter parties, including end users, will be required to keep complete swap records, with data reporting on all swaps required throughout the life of the trade. Books and records; keeping and inspection.
FINRA Rule 4511 provides general recordkeeping requirements for FINRA’s financial and operational rules. These recordkeeping requirements clarify that firms are required to:
(1) make and preserve books and records as required byt the Securities Exchange Act (SEA), applicable SEA rules, and FINRA; and
(2) preserve books and records required to be made per FINRA rules in a format complying with SEA Rule 17a-4.
FINRA Rule 4511(b) requires firms to retain FINRA records and books, which do not have a specified retention period under FINRA rules or applicable Exchange Act rules, for at least six years.
FINRA Rule 4511(c) requires firms to retain books and records pursuant to FINRA in a format and media complying with SEA Rule 17a-4.
FINRA Regulatory Notice 12-29, SEC Approves New Rules Governing Communications With the Public, includes details on the new SEC-approved FINRA rules governing broker-dealers’ communication with the public. The rules went into effect on February 4, 2013.
Included in the changes is a reduced number of communication categories from six down to three: retail communication, institutional communication and correspondence.
FINRA Regulatory Notice 11-39 (guidance on social networking websites and business communications) is a response to January 2010’s FINRA Regulatory Notice 10-06, addressing questions regarding the application of the rules since 10-06’s publication. The notice is presented in Q&A format and covers four sections: recordkeeping, supervision, third-party posts, third-party links and websites, and accessing social media sites from personal devices.
Regulatory Notice 11-32 provides questions and answers from FINRA regarding the application of the new rule to assist member firms in the implementation of new FINRA Rule 4530 requirements (as explained in FINRA Regulatory Notice 11-06). In addition, FINRA Regulatory Notice 11-32 provides the definition of tweets and text messages being “written” material.
FINRA Regulatory Notice 10-59 includes amendments to FINRA rule 8210 which requires broker-dealers to:
The effective date of these amendments was December 29, 2010. FINRA views industry standards for strong encryption to be 256-bit or higher.
Using social media Web sites, such as blogs and social networking sites, for business and personal communications is becoming more frequent. Firms have asked FINRA staff how the FINRA rules governing communications with the public apply to social media sites that are sponsored by a firm or its registered representatives. This Notice provides guidance on blogs and social networking websites to firms regarding these issues.
Documentation from FINRA for Regulatory Notice 10-06
Similar to FINRA Regulatory Notice 10-06, FINRA Regulatory Notice 07-59 is titled “Supervision of Electronic Communications.” This regulatory notice provides guidance regarding the review and supervision of electronic communications.
“…a member firm’s obligations to supervise electronic communications are based on the content and audience of the message, rather than the electronic form of the communication.”
“FINRA expects a firm to have supervisory policies and procedures to monitor all electronic communications technology used by the firm and its associated persons to conduct the firm’s business.”
A party must, without awaiting a discovery request, provide to the other parties – the name and address of each individual likely to have discoverable information. a copy – or a description by category and location – of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses, unless the use would be solely for impeachment; a computation of each category of damages claimed by the disclosing party – who must also make available for inspection and copying as under Rule 34 the documents or other evidentiary material, unless privileged or protected from disclosure, on which each computation is based, including materials bearing on the nature and extent of injuries suffered; and for inspection and copying as under Rule 34, any insurance agreement under which an insurance business may be liable to satisfy all or part of a possible judgment in the action or to indemnify or reimburse for payments made to satisfy the judgment.
FRCP Rule 26 text
FDA Title 21 CFR Part 11 of the Code of Federal Regulations deals with the Food and Drug Administration (FDA) guidelines on electronic records and electronic signatures in the United States. Part 11 requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data that are:
(1) required to be maintained by the FDA predicate rules or;
(2) used to demonstrate compliance to a predicate rule.
People using closed systems to modify, create, maintain, or transmit electronic records must employ, at a minimum, procedures and controls designed to conduct the following:
(1) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records;
(2) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency;
(3) Record protection enabling accurate and ready retrieval throughout the retention period;
(4) Limiting system access to authorized individuals;
(5) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. This documentation must be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
(6) Use of operational system checks enforcing permitted sequencing of steps and events, as appropriate;
(7) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand;
(8) Use of device checks to determine, as appropriate, the validity of the source of data input or operational instruction;
(9) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks;
(10) Establishing and adhering to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification;
(11) Use of appropriate controls over systems documentation
The Fair & Accurate Credit Transactions Act of 2002 (FACTA) amended the Fair Credit Reporting Act. FACTA allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies (Equifax, Experian and Trans Union). In cooperation with the Federal Trade Commission, the three major credit reporting agencies set up the website, annualcreditreport.com, to provide free access to annual credit reports. The act also contains provisions to help reduce identity theft, such as the ability for individuals to place alerts on their credit histories if identity theft is suspected, or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult. Further, it requires secure disposal of consumer information.
Markets in Financial Instruments Directive (MiFID) article 51(3) is a European Union law that provides harmonised regulation for investment services across the 31 member states of the European Economic Area. The main objectives of the Directive are to increase competition and consumer protection in investment services.
If a firm performs investment services and activities, it is subject to MiFID in respect both of these and also of ancillary services (and it can use the MiFID passport to provide them to member states other than its home state). However if a firm only performs ancillary services, it is not subject to MiFID (but nor can it benefit from the MiFID passport).
MiFID covers almost all tradable financial products with the exception of certain foreign exchange trades. This includes commodity and other derivatives such as freight, climate and carbon derivatives, which were not covered by ISD.
MiFID article 51(3) establishes that competent authorities shall draw up and maintain a list of the minimum records investment firms are required to keep under MiFID and its implementing measures. The list of minimum records to be kept includes the following communications items:
For more information: https://www.esma.europa.eu/databases-library/interactive-single-rulebook/mifid-ii
The Government in the Sunshine Act is a 1976 U.S. law intended to create greater transparency in government. It requires all meetings that are conducted by federal agencies be open to the public unless it falls into one of the Sunshine Act’s ten exemptions.
Sunshine Act § 1612.10 outlines the recordkeeping requirements for federal agencies under the Act.
State sunshine laws are the laws in each state that govern public access to governmental records. These laws are sometimes known as open records laws or public records laws, and are also collectively referred to as FOIA laws, after the federal Freedom of Information Act.
Link to Regulation: https://www.law.cornell.edu/cfr/text/29/1612.10
The Freedom of Information Act (FOIA), 5 U.S.C. § 552, is a federal law allowing for the full or partial disclosure of previously unreleased information and documents controlled by the United States government. The Act defines agency records subject to disclosure, outlines mandatory disclosure procedures and grants nine exemptions to the statute.
FOIA applies to any information in an agency record, excluding information encompassed by the nine exemptions, regardless of format.
Agencies must make available for public inspection in an electronic format:
(1) Final judicial opinions, including any dissent and concurrences, and orders made in the adjudication of cases;
(2) Statements of policy and interpretations adopted by the agency and not published in the Federal Register;
(3) Administrative staff manuals and instructions to staff that affect members of the public;
(4) Copies of all records, regardless of format that (a) have been released to someone pursuant to a FOIA records request; (b) because of the subject matter’s nature, the agency has determined the record will likely be requested frequently; or (c) has been requested 3 or more times; and
(5) A general index of all records referred to in point 4 above.
Link to Regulation: https://www.law.cornell.edu/uscode/text/5/552
The Federal Financial Institutions Examination Council (FFIEC) final guidance (attached and excerpted below) on social media was published on Dec. 11, 2013. The FFIEC is comprised of six supervisory agencies, and guidance applies to all of them. They are:
Banks, credit unions, and mortgage lenders are all required to comply with FFIEC guidelines.
According the guidelines, a financial Institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. An overview of the specific
For more information: https://www.ffiec.gov/
The Federal Energy Regulatory Commission (FERC) Compliance Order No. 717, codified in 18 CFR Part 358, requires that all emails, voicemail, text messages and other communication between transmission providers’ transmission function employees and marketing function employees must be retained for five years.
FERC Regulations 18 CFR Part 35 & Part 284. An electronic data retention policy is required by these regulations for each entity under its jurisdiction. Data must be archived encrypted to WORM (write once read many) media. Based on wholesale vs. retail criteria, this data must be archived and available for a 5 to 6 year time period. Industries affected are Public Utilities, Natural Gas Companies, Electric Producers, Gas & Oil Production and Training.
FERC will put heavy emphasis on whether firms are taking precautionary compliance measures with focuses on:
(1) Senior management’s role in fostering compliance programs
(2) Preventative practices to ensure compliance
(3) Detection and reporting of non-compliant activity
(4) Reactive efforts to remedy compliance violations
Links to CFR Parts:
Part 358: https://www.ecfr.gov/cgi-bin/text-idx?SID=860f3db633b732c52378235e5bd27af6&mc=true&node=pt18.1.358&rgn=div5
Part 35.41: https://www.ecfr.gov/cgi-bin/text-idx?SID=cebb6afb34ef37fb73d3316243f442e9&mc=true&node=pt18.1.35&rgn=div5#sp18.1.35.b
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was adopted to ensure health insurance coverage after leaving an employer and also to provide standards for facilitating health-care–related electronic transactions. To improve the efficiency and effectiveness of the health-care system, HIPAA included administrative simplification provisions that required DHHS to adopt national standards for electronic health-care transactions (2). At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated adoption of federal privacy protections for certain individually identifiable health information. The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) (3) provides the first national standards for protecting the privacy of health information. The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records.
HIPAA Privacy Rule from the HHS website.
FINRA Rule 4514 requires a firm or associated person to get a customer’s express written authorization before obtaining from the customer, or submitting for payment, a negotiable instrument on the customer’s checking, savings, share, or similar account.
Firms must preserve this written authorization, when the customer’s signature is not on the negotiable instrument. This record must be retained for 3 years following the date the authorization expires.
FINRA Rule 3170 requires firms to establish, enforce, and maintain written procedures supervising telemarketing activities of all its registered persons, including recordings of the conversations.
The Securities Exchange Act of 1934 (SEA) created the Securities Exchange Commission (SEC). It empowers the SEC with broad authority over all aspects of the securities industry and to require companies with publicly traded securities to periodically report information.
The SEA requires security-based swap execution facilities, large traders, security-based swap dealers, major security-based swap participants to retain records. These requirements can be found in the following sections:
(1) 3D(d)(9) – Security-Based Swap Execution Facilities;
(2) 13(h)(2) – Large Traders;
(3) 13A – Security-Based Swap Dealers;
(4) 15C(f)(2) – Government Securities Brokers and Dealers; and
(5) 15F – Registration and Regulation of Security-Based Swap Dealers and Major Security-Based Swap Participants
Link to Regulation: http://legcounsel.house.gov/Comps/Securities%20Exchange%20Act%20Of%201934.pdf
Helpful Link: https://www.sec.gov/answers/about-lawsshtml.html
The Securities Act of 1933 has two objectives:
(1) “Require that investors receive financial and other significant information about securities being offered for public sale;” and
(2) “Prohibit deceit, misrepresentations, and other fraud in the sale of securities.”
The Securities Act of 1933 requires the registration of securities to enable disclosure of important financial information. Some securities exempted from the registration requirement include:
(1) Private offerings to a limited number of persons or institutions;
(2) Intrastate offerings;
(3) Offerings of limited size; and
(4) Securities of municipal, state, and federal governments.
Link to the Regulation: http://legcounsel.house.gov/Comps/Securities%20Act%20Of%201933.pdf
Helpful Link: https://www.sec.gov/answers/about-lawsshtml.html
FINRA Rule 7440(a)(4) describes what records must be maintained by FINRA Reporting firms regarding orders received or executed at its trading department. These records must include identification of:
(1) each registered person receiving the order directly from a customer;
(2) each registered person executing the order; and
(3) the department originating the order if it was originated by a member and transmitted manually to another department.
Under FINRA Rule 7440(a)(5) these records must be maintained for the period of time laid out in SEA Rule 17a-4(b).
FINRA Rule 4513 requires firms to preservce records of written customer complaints at each office of supervisory jurisdiction. This rule clarifies that the requirement only applies to complaints relating to that specific office or activities supervised from that office. These records must be retained for at least four years.
Firms may maintain these records either at the office of supervisory jurisdiction or make them available promptly to a separate office upon FINRA’s request.
In the UK, the Financial Conduct Authority (FCA) has released a guidance consultation paper outlining its supervisory approach to financial promotions in social media. This guidance contains no rules or record keeping requirements but is a useful summary of relevant rules and an indication of FCA’s supervisory expectations. The paper is intended to help firms understand how they can use social media and meet the FCA’s financial promotion and record-keeping rules. The five main tenets of the guidance include:
FINRA 2210(b)(4)(A) outlines the recordkeeping requirements for retail and institutional communications. These mirror current recordkeeping requirements and incorporates by reference the medium, retention period, and recordkeeping format included in SEA Rule 17a-4. Such records must include:
– A copy of the communication and the dates of first and (if applicable) last use;
– The name of any registered principal who approved the communication and the date that approval was given;
– In the case of a retail communication or institutional communication that is not approved prior to first use by a registered principal, the name of the person who prepared or distributed the communication;
– Information concerning the source of any statistical table, chart, graph or other illustration used in the communication; and
– For retail communications that rely on the exception under paragraph (b)(1)(C), the name of the firm that filed the retail communication with FINRA and a copy of the Advertising Regulation Department’s review letter.
FINRA Rule 2210(b)(4)(B) with respect to communications recordkeeping requirements cross-references NASD Rule 3010(d)(3) and FINRA Rule 4511.
The Markets in Financial Instruments Directive (MiFID) is an EU law that harmonizes EU regulation of investment services. MiFID’s objectives are to increase competition and consumer protection in investment services. In April 2014 the EU approved MiFID II, which expands the scope of MiFID and went into effect January 3, 2018.
MiFID II applies to financial services businesses undertaking MiFID business anywhere in the EU, as well as those providing services cross-border. This includes:
(1) Investment firms;
(2) Trading venues;
(3) Data reporting service providers; and
(4) Third country firms providing investment services or performing investment activities into the EU (either on a services basis or via a branch)
MiFID II Article 16 (6) requires an investment firm to arrange for records to be kept of all services, activities and transactions undertaken by the business, which must be sufficient to enable the competent authority to fulfil its supervisory tasks and to perform enforcement actions.
This includes all communications that are intended to result in a trade even if they ultimately do not.
MiFID II Article 16 (7) states that records must include the recording of telephone conversations or electronic communications and minutes from face-to-face meetings related to the reception, transmission and execution of orders on behalf of clients or on one’s own account. Article 16 (7) also requires records to be kept for a period of 5 to 7 years (depending on the jurisdiction) and states that records must be provided to the client involved upon request.
MiFID II para 57, 82, article 4 (62), article 25 (6) – requires records to be stored in a ‘durable medium’ that allows them to be replayed or copied. Records must be retained in a format that does not allow the original record to be altered or deleted. In addition, records should be stored in a searchable medium to ensure they are accessible and readily available upon request.
‘Durable medium’ is akin to WORM and is defined as allowing ‘the unchanged reproduction of the information stored.’ (Article 4(62)).
Requirements are defined further by the European Commission MiFID II explanatory memorandum.
The FCA’s Investment Funds Sourcebook (FUND) and Collective Investment Schemes Sourcebook (COLL) set out requirements for managers and depositories of authorized and unauthorized investment funds. Record keeping requirements include those relating to minutes of meetings, records of units held. acquired or disposed of, subscription and redemption orders, issues and cancellations of units and overall general record keeping obligations to evidence compliance with rules and, for alternative investment funds, details of assets that are not custodial assets.
To view the FCA’s table of recordkeeping requirements found in COLL: https://www.handbook.fca.org.uk/handbook/COLL/Sch/1/1.html
Link to Handbook https://www.handbook.fca.org.uk/handbook/COLL/