SEC Proposes Alternative to “WORM” Books and Records Retention for Broker-Dealers and Security-Based Swap Entities

On November 18, 2021, the U.S. Securities and Exchange Commission (“SEC”) proposed amendments to Rules 17a-4 and 18a-6 under the Securities Exchange Act of 1934 related to recordkeeping requirements for broker-dealers and certain security-based swap (“SBS”) entities.^[1] The industry could see a swift timeline in 2022 for SEC adoption of the proposed changes. In the meantime, broker-dealers, SBS entities and recordkeeping vendors should consider how this proposal could affect their recordkeeping systems and related practices, including internal and external data and information security.

Proposed Changes ^[2]

The proposal would amend the electronic record preservation and prompt production requirements of Rules 17a-4 and 18a-6, including by:

1. Providing an audit trail alternative to the current requirement that broker-dealer electronic records be preserved exclusively in non-rewriteable, non-erasable format (also known as write once, read many or “WORM” format).
   
   
2. Eliminating the third-party access and undertaking requirements for broker-dealers and replacing them with a requirement that at least one senior officer of the broker-dealer (or SBS entity) — with independent access to, and the ability to provide, the records — execute an undertaking to furnish, upon request by the SEC, a record and its audit trail (if applicable), which is to be preserved on an electronic recordkeeping system in a “reasonably usable” electronic format.
   
   
3. Eliminating a requirement that the broker-dealer notify its designated examining authority before employing an electronic recordkeeping system.
   
   
4. Requiring that broker-dealers and SBS entities be ready at all times to provide records stored on an electronic recordkeeping system. The changes would also replace current rules that require broker-dealers and SBS entities to organize and index all information maintained on both original and any duplicate storage media with a requirement only that the electronic recordkeeping system organize and maintain information necessary to locate records.
   
   
5. Requiring broker-dealers and SBS entities to have a backup set of records when records are preserved on an electronic recordkeeping system, which is similar to the current requirement that firms separately maintain and store duplicate copies of records. This suggests that the SEC will expect the broker-dealer or SBS entity to have a second electronic recordkeeping system that serves as a redundant source from which to retrieve records. Records stored on the backup electronic recordkeeping system would need to be preserved in accordance with record preservation requirements of Rules 17a-4 or 18a-6, as applicable.^[3]

Under the proposed, new audit trail alternative to WORM, a firm’s electronic recordkeeping system would need to preserve the records for the duration of their applicable retention periods in a manner that maintains a complete time-stamped audit trail. The electronic recordkeeping system must have the capacity to readily download and transfer copies of a record and its audit trail (if applicable) into “a human readable format" (i.e., a format that can be naturally read by an individual) or a "reasonably usable electronic format.” The audit trail must include the following information:

1. All modifications to, and deletions of, a record or any part thereof;
   
   
2. The date and time of operator entries and actions that create, modify, or delete the record;
   
   
3. The identity of the individual(s) creating, modifying, or deleting the record; and
   
   
4.  Any other information needed to maintain an audit trail of each distinct record in a way that maintains security, signatures, and data to ensure the authenticity and reliability of the record and that permits re-creation of the original record and interim iterations of the record.

Observations

The industry should generally view the proposal as a welcomed attempt by the SEC to modernize recordkeeping obligations and solve legacy constraints in this area. Nevertheless, the proposal seems to raise just as many questions as it does solutions.

1. The proposal states that a “reasonably usable” electronic format is one that is common and compatible with commonly used systems for accessing and reading electronic records. In other words, a proprietary file format not easily accessible or readable by common systems would not be permitted. The SEC requests comment on what types of electronic record formats should be considered reasonably usable, and any final rule would benefit from additional guidance as to what the SEC considers a reasonably usable electronic format.
   
   
2. Eliminating the third-party access and undertaking requirements would mean that at all times, a broker-dealer or SBS entity must have at least one senior officer with independent access to — and the ability to provide — the firm’s records to the SEC. The senior officer would also be required to execute the required undertakings, similar to what is required of third depositaries of electronic records under the current rules. Independent access would mean that “the senior officer has the knowledge, credentials, and information necessary to access and provide the records” on his or her own, without having to rely on any other individual at the firm. If adopted, and given the sweeping access this requirement would require of a senior officer, firms may want to consider developing and implementing policies relating to senior officer access to ensure that such access only be used in response to a regulatory request or for other valid firm or regulatory purposes. This is especially true for firms that segregate business and regulatory decision-making and access to information. It may also be difficult (if not impossible) for any one person at a firm to satisfy these undertakings individually. Simply put, firms do not operate that way. This element of the proposal also raises data and information security considerations, including by seemingly ignoring the long-established principle of “least privilege” (i.e., the security concept in which a user is given the minimum level of access or permission needed to perform the user’s job function).
   
   
3. Currently, some firms employ a WORM recordkeeping system almost exclusively for the purpose of meeting the requirements of Rule 17a-4 and maintain separate working copies of records for use in day-to-day business operations. In the SEC’s view, the proposed amendments are designed to facilitate the use of a single electronic recordkeeping system for business and regulatory purposes. However, requiring firms to maintain backup “systems” and the potential to have WORM and audit trail systems in parallel could add confusion to an area the SEC is arguably trying to streamline and modernize. We expect the SEC to add clarity in terms of what suffices as a “backup electronic recordkeeping system.” In other words, will redundant records stored in separate locations on a firm’s recordkeeping system be sufficient, or does the SEC really intend for firms to maintain backup records on entirely separate “systems”?
   
   
4. The proposal seeks to give firms the option to (eventually) do away with WORM once and for all. In addition, broker-dealers and SBS entities will have the option of continuing to preserve some records in WORM format, while using the audit trail for other types of records. It may be easier, for example, to store certain types of static records, like emails, in WORM format, while using an audit trail for records that are regularly updated. Notably, the proposed audit trail method would only apply to records created after the eventual effective date of the rule change. Firms that choose to adopt an audit trail recordkeeping system would be permitted to maintain new records on a system that would meet the audit trail requirements but would be required to preserve legacy records on a WORM-compliant system (though given that the audit trail method would only apply to records created after adoption, it is unclear what the SEC views as the alternative). This implies that firms would be faced with the burden of maintaining the old and new systems in parallel at least until expiration of the retention periods for the legacy WORM-preserved records.

The public comment file closed on January 3, 2022 and is surprisingly lean. This may be a result of the timing of the proposal (one week prior to Thanksgiving) and brief comment window (which extended across the December 2021 holiday season and calendar year-end). SEC Commissioner Peirce has previously advocated for extended rulemaking comment periods, generally. We will closely monitor updates in this area, including a potential extension of the comment window and, of course, any future adoption by the SEC.^[4]

---

^[1] In 2019, the SEC signaled its intention to proceed with this modernization when it chose to neither extend the WORM requirement nor the designated third party recordkeeper requirement to the rules applicable to SBS entities, noting then that “the Commission believes that any change to the broker-dealer electronic storage provisions should be addressed in a separate regulatory initiative where the Commission intends to consider electronic storage media issues in a broader context, including with respect to other market participants.”

^[2] This proposed rulemaking was quite substantial. This Client Alert discusses the changes we consider the most significant. 

^[3] While similar to the current requirement that a broker-dealer or SBS entity store separately from the original, on any medium acceptable under Rule 17a-4, a duplicate copy of a record for the requisite time period, the proposal would modernize the duplicate copy requirement slightly by eliminating the WORM requirement. The SEC believes that this backup electronic recordkeeping system will facilitate examinations and promote the business continuity of the broker-dealer or SBS entity in the event the primary recordkeeping system is disrupted.

^[4] The Commission often does consider comment letters received after the comment deadline, even without an extension, especially where they are looking for industry input and have received fewer comments than expected.