The SEC recently adopted new recordkeeping requirements for broker-dealers and “SBS entities” (security-based swap dealers and major security-based swap participants). Most notably, the SEC will no longer require broker-dealers to maintain records in “write once, read many” or “WORM” format. Instead, broker-dealers will be able to utilize a new “audit trail” alternative for their electronic recordkeeping systems.
New Audit Trail Alternative
Firms utilizing the new audit trail alternative will need to retain records in a manner that permits the re-creation of an original record and its interim iterations if the original record is altered, overwritten, or erased. More specifically, the system must track each distinct record in a way that preserves its security, signatures, and data, so that the record’s authenticity and reliability are ensured for the duration of its applicable retention period, and must maintain a complete time-stamped audit trail that includes:
- All modifications to and deletions of a record or any part thereof
- The date and time of actions that create, modify, or delete the record (both human-initiated and automated actions)
- The identity of the individual(s) creating, modifying, or deleting the record (which can be reflected in the audit trail as a unique identifier for the individual)
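One way a recordkeeping system could satisfy the three audit-trail elements above, shown here as an added illustration and not as anything prescribed by the rule or taken from the adopting release: an append-only store in which every create, modify, or delete action is recorded with its timestamp and the acting identity, every prior version of a record stays retrievable (so the original and interim iterations can be re-created even after a delete), and entries are hash-chained so later alteration of the trail is detectable. The hash chain, the in-memory store, and the sample record values are the example’s own assumptions; the rule is technology neutral and mandates no particular mechanism.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry (assumed convention)

class AuditTrailStore:
    """Append-only trail: each create/modify/delete adds an entry holding the record's
    full content at that point, a UTC timestamp, the acting identity and a SHA-256
    chained to the previous entry, so originals and interim iterations can be re-created."""
    def __init__(self):
        self.entries = []  # in-memory for the example; a real system persists this

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, record_id, action, content, actor, ts):
        entry = {"record_id": record_id, "action": action, "content": content,
                 "actor": actor,  # unique id of the person or automated job
                 "ts": ts or datetime.now(timezone.utc).isoformat(),
                 "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def create(self, record_id, content, actor, ts=None):
        return self._append(record_id, "create", content, actor, ts)
    def modify(self, record_id, content, actor, ts=None):
        return self._append(record_id, "modify", content, actor, ts)
    def delete(self, record_id, actor, ts=None):  # erases nothing: earlier entries keep every version
        return self._append(record_id, "delete", None, actor, ts)

    def history(self, record_id):
        """Every action on the record as (timestamp, actor, action, content)."""
        return [(e["ts"], e["actor"], e["action"], e["content"])
                for e in self.entries if e["record_id"] == record_id]

    def iterations(self, record_id):
        """Original first, then each interim state, even after a later delete."""
        return [c for _, _, action, c in self.history(record_id) if action != "delete"]

    def verify(self):
        """Recompute the chain; False if an entry was altered, removed or reordered."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```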
The SEC noted that it is taking a “principles-based” approach to allow firms to preserve their regulatory records on the same electronic recordkeeping system they use for business purposes, while at the same time making the means of doing so more technology neutral. Nevertheless, firms (and their service providers) that choose to utilize the audit trail alternative will likely need to modify their current systems to satisfy the technological requirements specified by the SEC. Firms may also need to maintain two systems in parallel for several years until the expiration of applicable recordkeeping periods — the new audit trail system for new records and a separate WORM-compliant system for legacy records.
Use of Cloud Service Providers
The rulemaking provides firms with greater comfort that they may utilize cloud service providers to satisfy their recordkeeping requirements. In particular, a cloud service provider will be permitted to file an “alternative undertaking” with the SEC that does not require it to give the SEC access to a broker-dealer’s records or produce them upon request. The alternative undertaking includes the following three requirements:
- The third party must acknowledge that the records are the property of the broker-dealer
- The third party must acknowledge that the broker-dealer has made these three representations to the third party (in a service contract or otherwise)
  a. The broker-dealer is subject to SEC rules governing the maintenance and preservation of certain records
  b. The broker-dealer has independent access to the records maintained by the third party
  c. The broker-dealer consents to the third party fulfilling the obligations set forth in its undertaking
- The third party must undertake to facilitate within its ability, and not impede or prevent, the examination, access, download, or transfer of the records by a representative or designee of the SEC (or of a SIPA trustee)
Broker-dealers will be obligated to ensure that arrangements with third-party recordkeepers comply with these new requirements. Cloud storage providers will also need to be mindful of the obligations they are undertaking. In a not-so-veiled threat to service providers who might “withhold, delete, or discard” required records due to contractual, financial, or other disputes with a firm (e.g., in the event of non-payment by the broker-dealer), the adopting release states that deleting or discarding a broker-dealer’s records “would constitute a primary violation of the rule by the broker-dealer and may subject the service provider to secondary liability for causing or aiding and abetting the violation.” Contractual provisions that would permit, among other things, a service provider to withhold, delete, or discard records are inconsistent with the retention requirements of Rule 17a-4 and the undertaking requirements of Rule 17a-4(i).
Historically, a designated third party or “D3P” that prepares or maintains broker-dealer regulatory records in paper or electronic format has been required to file a written and signed undertaking (the “traditional undertaking”) with the SEC in which the D3P agrees, among other things, to permit examination of the records by the SEC and its staff, and to promptly furnish to the SEC and its staff true, correct, complete, and current hard copies of any or all or any part of such books and records. The traditional undertaking has led to confusion and challenges in the cloud storage context, including questions of whether the cloud storage provider or the firm itself has control of, access to, and management rights over the records. Cloud service providers often cannot access (or grant the SEC access to) encrypted broker-dealer records on their servers or produce such records upon request.
The rulemaking also permits broker-dealers to select a “designated executive officer” who is a member of senior management, and up to two other designated officers, to take responsibility for providing records to regulators if the firm fails or is unable to do so. Today, only a D3P is permitted to serve in this role. Firms may continue utilizing an unaffiliated D3P. The selected employees must have the same ability as the executive officer to independently access and provide the records either directly or through a specialist who reports directly or indirectly to them. The designated executive officer can appoint in writing up to three specialists to assist in fulfilling the executive officer’s obligations.
The compliance date for broker-dealers is May 3, 2023 (November 3, 2023 for SBS entities).
SEC staff will likely continue to request firms’ business records rather than records stored in WORM format or reproduced via the audit trail alternative. Only when SEC staff believe they need an original would the firm be expected to re-create the original record from the audit trail information (or produce the WORM version).
It would come as no surprise to see the SEC staff issue additional guidance to the industry as nuanced questions arise. In the absence of guidance from SEC staff, firms may be wary of switching from WORM to the audit trail alternative. Firms may actually expect their service providers to maintain original records in addition to any subsequent iterations, modifications, etc., at least until the industry has a better grasp of the SEC staff’s expectations.
Firms will also likely continue to struggle with the age-old question of whether a particular record is a draft versus a final version and when the recordkeeping obligation is triggered. The SEC tries to add clarity here by noting that the “audit-trail requirement applies to the final records…rather than to drafts or iterations of records that would not otherwise be required to be maintained and preserved.” Firms should be able to draw on existing WORM practices to achieve compliance in this regard. However, firms that pursue the new audit trail alternative will need to reconsider how they approach compliance. Many firms lean toward a conservative approach in this regard.
Finally, recordkeeping usually is not the hottest of topics in the FinReg space, but the SEC and CFTC recently levied $2 billion in fines against broker-dealers for recordkeeping violations. The SEC charged those firms for not supervising personal device communications of their personnel. Even with the new audit trail requirement, unless firms are requiring that employees back up their personal devices to a cloud system, for example, it is difficult to see how the new audit trail alternative will help registrants address the conduct regulators view as most egregious.