The SEC recently amended Exchange Act Rule 17a-4 by adopting new recordkeeping requirements for broker-dealers. Most notably, the SEC will no longer require broker-dealers to maintain records in “write once, read many” or “WORM” format. Instead, broker-dealers have the option of utilizing a new “audit trail” alternative for their electronic recordkeeping systems. The changes also affect the use of third-party recordkeeping services and requirements related to timely production of records. The compliance date for broker-dealers is May 3, 2023.
For its part, FINRA recently published a chart summarizing what it deems as the “most significant changes” and other nuances between the legacy and amended rule. We have summarized a handful of those below and added several of our own points. Firms should consider these differences, nuances, and other considerations as they determine how to adapt their processes to the new audit trail alternative (if they choose that path at all).
Changes to Electronic Recordkeeping Requirements
- Retention Format – The audit trail alternative is optional — firms may continue with the legacy WORM approach to recordkeeping. FINRA notes that “the amended rule does not appear to prohibit” firms from maintaining WORM for some records and utilizing an audit trail for others. The SEC does not address this nuance in the adopting release. FINRA’s view seems reasonable, but ultimately SEC staff will have the final say, either through written guidance or in findings during exams. Firms that stay the course with WORM and continue to maintain electronic recordkeeping systems that use optical disks to meet the WORM requirement must serialize original and duplicate units of storage media, and time-date the required period of retention for the information. The SEC is requiring this to distinguish one disk from another and to associate the records stored on the disk with that specific storage unit.
- Verification – Firms must continue to “verify automatically” the “accuracy” of their recording process. Under the legacy rule, firms needed to verify automatically the “quality” (and accuracy) of the process; the amended rule replaces “quality” with “completeness,” so the requirement is now to verify completeness and accuracy. This seems like a negligible change, yet the SEC offered little explanation for why it made the change at all. It says only that the “requirement was designed to ensure that when an original record is added to the electronic recordkeeping system it is completely and accurately captured in the system.”
- Download and Transfer – Firms’ electronic recordkeeping systems “must have the capacity to readily download and transfer copies of a record and its audit trail (if applicable) in both a human readable format and in a reasonably usable electronic format, and to readily download and transfer the information needed to locate the electronic record.” The SEC noted (in the proposal) that a proprietary or native file format that cannot be accessed or read by commonly used systems would not pass muster in this regard.
- Backup or Redundant Recordkeeping System – WORM compliance requires broker-dealers to store a duplicate copy of records separately from the original. Broker-dealers using the audit trail alternative must maintain a backup electronic recordkeeping system that is at least equal to the level that is achieved through the primary system or have other redundancy capabilities that are designed to ensure access to the records required to be maintained and preserved. This requirement is designed to ensure that regulators can access and examine a firm’s records even if the primary electronic recordkeeping system is disrupted, malfunctions, or otherwise becomes inaccessible. The SEC does not specify how the backup electronic recordkeeping system must achieve redundancy. However, sufficient geographic separation of the hardware components of the primary and backup electronic recordkeeping systems may be relevant (as identified by commenters to the proposal).
- Facilities – Firms must at all times have available for examination facilities for immediate production of electronic records and for producing copies of those records. The legacy requirement has been for firms to provide all information necessary to access records and indexes stored on the electronic storage media promptly upon request. The SEC made two subtle but important changes here. First, the new requirement is to produce the actual record, rather than the information needed to access the record. Second, the timing requirement is immediately instead of promptly upon request. The SEC does not provide any color here on what immediate means, so firms should take that to literally mean immediately.
- Senior Management Responsibility – A “designated executive officer” who is a member of senior management of a broker-dealer, and up to two other designated officers, are permitted to take responsibility for providing records to regulators if the firm fails or is unable to do so. This is an option firms may select, but it is not required. Today, only a designated unaffiliated third party (D3P) is permitted to serve in this role. Firms may continue utilizing an unaffiliated D3P. Those other designated officers must have the same ability as the executive officer to independently access and provide the records, either directly or through a specialist who reports directly or indirectly to them. In addition, the designated executive officer can appoint in writing up to three specialists to assist in fulfilling the executive officer’s obligations.
- Cloud Service Providers and Related “Undertaking” – Historically, a D3P that prepares or maintains broker-dealer regulatory records in paper or electronic format has been required to file a written and signed undertaking (the “traditional undertaking”) with the SEC in which the D3P agrees, among other things, to permit examination of the records by the SEC and its staff as well as to promptly furnish to the SEC and its staff true, correct, complete, and current hard copies of any or all parts of such books and records. The traditional undertaking has led to confusion and challenges in the cloud storage context, including related to questions of whether the cloud storage provider or the firm itself has control of, access to, and management rights over the records. Cloud service providers often cannot access (or grant the SEC access to) encrypted broker-dealer records on their servers or produce such records upon request.
The rulemaking provides firms with greater comfort that they may utilize cloud service provider offerings to satisfy their recordkeeping requirements. In particular, a cloud service provider will be permitted to file an “alternative” undertaking with the SEC that does not require it to give the SEC access to a broker-dealer’s records and to produce them upon request. The alternative undertaking includes three key requirements and is also subject to several limitations on utilization, including:
- It cannot be used if the broker-dealer must rely on the third party to take an intervening step to make the records available (e.g., it cannot be used if the broker-dealer must ask the third party to transfer copies of the records to the broker-dealer or decrypt the records before they can be accessed).
- It is not sufficient for the third party to merely hold the records in electronic form — the broker-dealer must have “independent access.” “Independent access” means that the broker-dealer can regularly access the records without the need of any intervention by the third party and through such access unilaterally take actions with respect to the records held by the third party that are contemplated by the traditional undertaking. Specifically, the broker-dealer must be able to permit examination of the books and records at any time or from time to time during business hours by representatives or designees of the SEC, and to promptly furnish to the SEC or its designee a true, correct, complete, and current hard copy of any or all or any part of such records.
Broker-dealers will be obligated to ensure that arrangements with third party recordkeepers comply with these new requirements. Cloud storage providers will also need to be mindful of the obligations they are undertaking. Importantly, FINRA noted that firms that continue using their existing D3P to comply with Rule 17a-4(f) must confirm that the D3P files new undertakings with FINRA by May 3, 2023, because the language of the legacy undertaking has changed.
It would come as no surprise to see the SEC staff issue additional guidance to the industry as nuanced questions arise. In the absence of that, firms may be wary of switching from WORM to the audit trail alternative. Firms may actually expect their service providers to maintain original records in addition to any subsequent iterations, modifications, etc., at least until the industry has a better grasp of the SEC staff’s expectations.
Finally, as is often the case, clarity will likely come from future exams by FINRA and SEC staff. FINRA discusses recordkeeping in its 2023 Report on Its Examination and Risk Monitoring Program (including a specific reminder about undertakings).
Nicholas J. Losurdo, Partner
Lauren A. Schwartz, Associate