The Complete Guide to SEC Rule 17a-4 for Compliance Professionals

Looking for a great weekend read? You could turn to a classic novel, work your way through the list of articles you were too busy to read at work, or curl up with your favorite beverage and reread Securities Exchange Commission (SEC) Rule 17a-4, the 14-page PDF that fundamentally changed regulatory compliance expectations around record keeping for the financial services industry!

Okay, we admit section 17a-4 of the Securities Exchange Act may not make for scintillating weekend reading, but that doesn’t make it any less critical to understand.

Too many firms continue to drop the ball on SEC Rule 17a-4, missing easy opportunities to maintain regulatory compliance. Plus, the SEC and Financial Industry Regulatory Authority (FINRA) are actively monitoring broker-dealers’ compliance with each subsection of this lengthy rule.

That’s why you have to know what you’re doing, and so do we. As providers of regulatory compliance and eDiscovery technology and services, we’ve made it our mission to know the pressures that compliance professionals in the financial services industry are facing, and build solutions designed to help ease those pressures.

At Hanzo, we’re web archiving specialists, so we generally focus on SEC Rule 17a-4(f), which allows and governs the storage of books and records in electronic format.

In the first post of a new series in 2019, Hanzo Knows, we're going to take a closer look at the key components and requirements of this SEC rule, what happens if you don't follow it, and how it came to be.

Hanzo Knows: Compliance Basics of SEC Rule 17a-4(f)

SEC Rule 17a-4, along with SEC Rule 17a-3, sets out what records exchange members, brokers, and dealers need to preserve. It also establishes how long those records should be maintained and how they should be stored, which is where subsection (f) comes in.

Specifically, Rule 17a-4(f) states that those “records required to be maintained and preserved” can be stored on “micrographic media … or by means of ‘electronic storage media.’” While micrographic media includes microfilm, microfiche, and “any similar medium,” electronic storage media is—thankfully—even less strictly defined. Instead, demonstrating an appreciation for technological changes to come, the Rule characterizes electronic storage media primarily by what it can do.

The key components of electronic storage media are enumerated in subsection (f)(2)(ii), which states that the media must:

1. Preserve the records exclusively in a non-rewriteable, non-erasable format (WORM);

2. Verify automatically the quality and accuracy of the storage media recording process;

3. Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media;

4. And have the capacity to readily download indexes and records preserved on the electronic storage media to any medium.

Broker-dealers must “notify [their] examining authority … prior to employing electronic storage media,” and they must provide at least 90 days’ notice before using “any electronic storage media other than optical disk technology.” They must also keep those records “at all times … available for examination” by the SEC and any self-regulatory organizations and store a separate “duplicate copy of the record” for as long as they store the original.

Finally, there are two provisions intended specifically to provide oversight of record archives for compliance professionals in the financial services industry.

SEC Rule 17a-4(f)(3)(v) requires that broker-dealers have “an audit system providing for accountability regarding inputting of records … to electronic storage media.” And tagged on to the very end of the section, subsection (f)(3)(vii) notes that a firm “exclusively using electronic storage media for some or all of its record preservation” must designate “at least one third-party … who has access to and the ability to download information.” These designated third parties, intended to provide regulatory authorities with access to data should the broker-dealer go out of business or stop cooperating, have turned out to be tremendous resources for broker-dealers as well.

Before we break down a few of these individual requirements, let’s take a moment to consider how we got here and where the rule as a whole may be going.

Hanzo Knows: The History, and Future, of SEC Rule 17a-4(f)

If you think SEC Rule 17a-4 sounds a bit quaint and outdated, you’re not wrong. It was initially passed in 1997, when the Palm Pilot 1000 was the hottest new high-tech device, and the Internet had 70 million users. Needless to say, a lot has changed since then. Microfiche may still be around, but it’s no longer in common use for record archiving, and optical storage devices like CDs aren’t the cutting-edge technology they once were. As for the Internet? Today it has over 4.2 billion users accessing more dynamic, personalized, and interactive pages than they did when SEC Rule 17a-4 was first passed.

But there were definite advantages to CDs as storage devices for books and records. Early optical storage devices like CDs were non-rewriteable: you had one opportunity to add data to the disc, and after that, you couldn’t edit or erase its contents (you could break it, of course, but even that was harder than it looked!).

The “write once, read many” or WORM format of CDs was a hardware limitation that served the SEC’s purposes well, preventing the modification or alteration of financial books and records. Now, with the move to hard-drive storage and then the cloud, those hardware controls are no longer in play. Fortunately, they don’t have to be, so long as records are retained in a WORM format that prevents the overwriting of data. In 2003, the SEC clarified via Interpretive Release No. 34-47806 that the rule “does not require that a particular type of technology or method be used to achieve the non-rewriteable and non-erasable requirement.” So long as some combination of hardware and software prevents overwriting, any durable electronic storage medium works.

In the cloud, though, there’s another problem: what if you rely on a vendor to maintain your archives and that vendor ends up deleting your records? FINRA released Regulatory Notice 18-31 in September 2018 to clarify what should happen to records maintained by a vendor when the broker-dealer terminates the contract or stops paying for services. Predictably enough, some broker-dealers have been burned by the failure to plan for reasonable worst-case scenarios (or, perhaps, to read their contracts carefully).

Some found themselves with contracts that allowed the third-party record-keeping vendor to delete or discard their records—in violation of SEC Rule 17a-4—upon nonpayment or other termination of services. Regulatory Notice 18-31 states that contracts should include a provision that “such records are the property of the broker-dealer required to preserve such records and will be surrendered promptly on request of the broker-dealer.”

So what else has recent technology changed about the application of Rule 17a-4(f)?

Let’s revisit two of those key components for electronic storage media: that it be non-rewriteable and automatically verified.

Hanzo Knows: What’s WORM Got to Do With It?

Under Rule 17a-4(f)(2)(ii)(A) (say that five times fast), firms using electronic storage media must ensure that they are preserving records “exclusively in a non-rewriteable, non-erasable format.” Easy enough, right? It would seem so, but somehow, over the last two years, WORM storage has repeatedly proven to be a stumbling block.

In August 2017, United First Partners LLC was fined $35,000 for failing to maintain the firm’s emails in WORM storage. Approximately 15% of the firm’s emails were non-compliantly stored after “the firm’s servers became disconnected from its email retention vendor.”

In September 2017, Virtu Financial Capital Markets LLC was fined $175,000 for “fail[ing] to maintain electronic brokerage records related to approximately 46 million market-making transactions” in WORM format. Virtu also neglected to provide the requisite 90-day notice for its use of electronic storage media.

In October 2017, BOK Financial Securities, Inc. was fined $175,000 for failing to maintain hundreds of thousands of brokerage records in WORM format.

In November 2017, SGI Securities LLC was fined $5,000 for failing to preserve 2,830 firm emails. SGI used a vendor for email storage, but “the firm’s server was not Rule 17a-4 compliant” and nothing “prevent[ed] it from permanently deleting emails.”

Moving into 2018, in January Hancock Investment Services, Inc., was fined $100,000 for failing to preserve its business-related emails in WORM format. After Hancock discovered that “millions of business-related emails sent and received by the firm and its personnel, including emails with firm customers” were not in compliance, it transitioned its email storage to a cloud provider.

In May 2018, Integrated Trading and Investments, Inc. faced a low fine of just $5,000 for failing to “maintain and preserve certain business-related emails in … WORM” format. There, the firm’s representatives used their personal emails for business activity but didn’t have a system for adequately archiving those emails.

Now that the hardware used for data storage has the capacity to be overwritten, firms have found a host of ways to fail to comply with the requirement for WORM storage.

The bottom line is simple: ensure that every one of your business communications—via email, text message, online websites and social media channels, or otherwise—is preserved in WORM-compliant storage.

Hanzo Knows: Using Hash Values to Verify Data Accuracy

Electronic storage media must also “verify automatically the quality and accuracy of the storage media recording process” and note the time and date that the information is stored. This is where hashing comes in.

A hash value is a string of numbers that acts as a “digital fingerprint,” uniquely identifying a file or document. Once data has been “hashed,” or had its hash value calculated through a standard algorithm, any subsequent changes to the underlying data or file will change the hash value. In short, hash values are a simple, quick, cost-effective way to verify that an original dataset has not been modified, ensuring compliance with SEC Rule 17a-4.
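As an added illustration (not code from this post or from Hanzo), the following Python sketch shows how hashing supports the rule's "verify automatically" and "serialize and time-date" components: each stored record gets a serial number, a SHA-256 fingerprint and a storage timestamp in a manifest, and a later check recomputes the hashes to detect altered or missing records. The sample emails, addresses and timestamp are constructed for the example.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    """Digital fingerprint of a record: any change to the bytes changes it."""
    return hashlib.sha256(data).hexdigest()

def build_manifest(records, stored_at):
    """Serialize and time-date each record as it is placed into storage.

    The manifest is the index an examiner or designated third party
    would download alongside the records themselves."""
    return [
        {"serial": i, "sha256": sha256_hex(rec), "size": len(rec), "stored_at": stored_at}
        for i, rec in enumerate(records, start=1)
    ]

def verify_archive(records, manifest):
    """Recompute every hash and report serials that are missing or altered.

    Hashing detects modification or deletion after the fact; it does not
    prevent it, which is why WORM storage is still required alongside it."""
    problems = []
    for entry in manifest:
        idx = entry["serial"] - 1
        if idx >= len(records):
            problems.append(f"serial {entry['serial']} missing")
        elif sha256_hex(records[idx]) != entry["sha256"]:
            problems.append(f"serial {entry['serial']} hash mismatch")
    return problems

# Constructed sample business emails standing in for archived records.
EMAILS = [
    b"From: rep@example-broker.test\nTo: client@example.test\nSubject: Trade confirm\n",
    b"From: ops@example-broker.test\nTo: rep@example-broker.test\nSubject: Settlement\n",
]
STORED_AT = "2019-01-15T09:00:00+00:00"  # constructed storage timestamp

if __name__ == "__main__":
    manifest = build_manifest(EMAILS, STORED_AT)
    print(json.dumps(manifest, indent=2))
    print(verify_archive(EMAILS, manifest))            # -> []
    # An in-place edit, which compliant WORM media must make impossible:
    tampered = [EMAILS[0].replace(b"confirm", b"cancel"), EMAILS[1]]
    print(verify_archive(tampered, manifest))          # -> ['serial 1 hash mismatch']
    # A record deleted by a vendor, the scenario Regulatory Notice 18-31 addresses:
    print(verify_archive(EMAILS[:1], manifest))        # -> ['serial 2 missing']
```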

Hanzo knows how the regulatory landscape works.
