How to Meet FINRA Compliance and Retain Records in Line With SEC 17a-4

The financial sector is overseen by two key regulatory bodies that determine how you manage your business records — FINRA and the SEC.

Due to the complexity and rigor of these regulations, it’s challenging to comply, and many financial firms still face hefty fines.

However, there are strategies and solutions you can implement to get on top of your FINRA and SEC compliance.

In this article, we’ll help you understand:

• What are FINRA and SEC rule 17a-4.
• How FINRA non-compliance affects your business.
• Steps to complying with FINRA compliance requirements.
• Must-have FINRA archiving solution features.

Understanding FINRA Compliance

The Financial Industry Regulatory Authority (FINRA) is a non-governmental organization regulating the United States financial industry.

FINRA oversees the responsibilities of financial services firms and broker-dealers towards the government and ensures they follow all the rules and regulations to protect investors and maintain the integrity of the securities market.

All FINRA-covered firms are obligated to follow a specific set of rules on how they need to conduct business with customers and manage their records.

These rules include:

• Licensing — Ensures that brokerage firms are properly licensed and registered to operate in the securities market.
• Communications — Guarantees that the communications with the public are accurate, faithful, and not misleading.
• Recordkeeping — Requires brokerage firms to maintain an accurate record of all transactions, client information, and communications.
• Legal Enforcement — Identifies market manipulation, insider trading, and other securities law violations.

Adhering to these rules ensures that the market functions fairly and efficiently for both financial organizations and the public.

FINRA is overseen by the Securities and Exchange Commission (SEC).

When talking about FINRA email compliance, there’s no rule more crucial than rule 17a-4.

What Is SEC Rule 17a-4?

SEC Rule 17a-4 was established by the U.S. Securities and Exchange Commission and outlines the specific requirements brokers need to follow for preserving records.

It’s an extension of SEC Rule 17a-3 that regulates anyone working with trading securities as brokers or dealers and outlining the rules they have to follow such as accurate record keeping.

While Rule 17a-3 regulates recordkeeping, Rule 17a-4 gets more specific and pertains to the storage and maintenance of records required by Rule 17a-3.

Rule 17a-4 consists of four key elements to ensure that all records are retained and accurate. These elements are:

• Recordkeeping Requirements — Brokers are required to archive and maintain comprehensive records of all business activities, transactions, and communications for regulatory audits, investigations, and compliance.
• Retention Periods — SEC rules specify that different types of records have a minimum period that they need to be retained. In most cases, this retention period is six years.
• Accessibility and Retrieval — Archived records must be readily accessible and retrievable in a short period when requested by the SEC or the public.
• Write-Once-Read-Many (WORM) — FINRA WORM compliance mandates that the storage system for electronic information prevents alterations and deletions. It requires you to prove the integrity of your records.

These elements can be broken down into specific 17a-4 requirements for any financial institution or broker-dealer that wants to operate in the regulated industry.

SEC retention requirements

While rule 17a-4 requires financial firms to preserve all electronic records, there are specific SEC retention requirements that need to be met for this retention strategy to be compliant.

The key requirements are outlined in subsection (f)(2)(ii), which states that the retained data should:

• Preserve records in a non-rewritable and non-erasable (WORM) format.
• Contain measures that protect email message data integrity.
• Verify the quality and accuracy of the record-storing process automatically
• Be able to time and date-stamp and index records appropriately.
• Prevent alteration or deletion of records for their required retention period.
• Allow for easy access and availability of records.
• Allow the deletion of records after the retention period expires.
• Have the capacity to download records.
• Be able to store duplicate copies in a different location.
• Be able to contain records for a minimum of three years.

These regulations are required for the market to maintain accurate FINRA books and records requirements outlined by the 4511 general requirements document.

Failing to comply with these SEC retention requirements can lead to severe fines and penalties that can range from $1,000 to over $140,000.

Let’s take a look at the consequences of not complying with rule 17a-4.

Examples of FINRA and 17a-4 non-compliance

Failing to meet FINRA books and records and 17a-4 compliance requirements is a costly endeavor that only can leave you out of your business.

According to the SEC enforcement report for 2023, “Commission filed 784 enforcement actions resulting in $5 billion in financial remedies/penalties”.

Compared to 2022 when the total fines reached $6.4 billion, 2020’s $4.68 billion in fines, and 2018 when it was $3.9 billion.

There’s a clear pattern of the SEC keeping a closer eye on financial institutions and enforcing their compliance requirements rigorously.

Over the past 5 years, some of the biggest outliers getting fined by the SEC due to FINRA non-compliance were:

• JPMorgan Chase — Fined $4 million in 2023 in a settlement with the SEC after accidentally deleting 47 million electronic messages that they were supposed to retain.
• Wall Street Banks — Eleven banks and brokerages fined $1.8 billion in 2022 over traders using banned messaging apps that broke record-keeping rules and regulations.
• Advisory Group Equity Services — Fined $20,000 in January 2019 for “failing to establish and maintain reasonable supervisory systems concerning the retention and review of emails of newly hired representatives.” The email in question continued discussions about investments and stock prices.
• Wilson-Dvis & Co. — Fined $32,500 in April 2019 for failing to establish, maintain, and enforce an email retention system that would allow them to “review email correspondence for indications of potential violations of FINRA rules.”
• Spencer Edwards, Inc. — Fined $3,400,000 in March 2020 and ordered to pay disgorgement for $90,940, plus prejudgment interest.
• TD Private Client Wealth LLC — Fined $600,000 in November 2023 for failing to place the email accounts for its new employees into the electronic queue it established for email review. This resulted in failing to monitor and review over 3.5 million emails related to 691 employee email accounts.

These are just a few examples of businesses failing to comply with 17a-4. The most common reasons being due to inadequate email archiving, retention, and monitoring.

All of these could have been prevented if they had followed the right protocols for 17a-4 email retention.

Retain, search, and produce FINRA communication records.

Next-level cloud email archiving is here.

Learn More

SEC 17a-4 Compliance Checklist

With FINRA/SEC email retention requirements being so strict, there’s a great chance that certain elements of your compliance strategy need checking.

The following list is a good starting point for financial firms wishing to get their FINRA/SEC compliance in order.
Remember that these points are just guidelines that require significant follow-up work.

• Assign a SEC/FINRA compliance officer

Your firm should have one or more employees dedicated to FINRA compliance and data protection issues.

This person should interpret the rules in collaboration with your legal team, ensure that all areas of the business are compliant and that all data is backed up securely.

Compliance officers need to work closely with your IT security and communications departments and have top-level access to your archiving systems.

• Register with an information commissioner

Every country has its information commissioner or data compliance regulator that your organization needs to be registered with to ensure compliance with data protection laws and regulations specific to that jurisdiction.

These regulatory bodies oversee the collection, processing, and storage of personal information, safeguarding individuals’ privacy rights and ensuring that organizations adhere to established data protection standards.

• Determine data that needs archiving

Identify first-party and third-party data you’re working with and the channel it’s being sent across.

Evaluate the specific FINRA email retention periods and rules in your state and determine which data needs to be archived and for how long.

• Train staff on SEC/FINRA retention requirements

All staff should be trained on which procedures to take when coming into contact with personal data, for example, sensitive email communications.

Employees must know that they will generate legal trouble for the business in case of unauthorized private data disclosure.

• Back up sensitive information

Determine how you will back up sensitive data in emergencies such as hacks, deletions, or malfunctions.

The backup needs to provide you with all the data you lost in its original format and the method of your backup needs to be fast so as not to disrupt your business or alarm the SEC.

• Facilitate the ediscovery processes

All the data in your archiving system needs to be searchable for ediscovery in case of data requests during legal processing.

It should be archived and organized in a way that takes little time to find and the found data wasn’t tampered with.

• Comply with FINRA books and records retention requirements

Make sure the data is archived in accordance with the rules outlined by FINRA and the SEC, namely that the archiving solution you’re using has the capabilities to:

• Retain messages in a WORM format
• Support different retention schedules
• Apply legal holds
• Perform queries to comply with early case assessment
• Produce messages in their original state
• Index information and perform advanced searches
• Prevent alteration and deletion of data
• Let compliance officers supervise the activity

The most important part of staying FINRA compliant is the archiving solution you choose to implement in your organization.

It should be able to capture and retain your communications data, help with ediscovery, and allow you to monitor email. To accomplish all of this, your FINRA email archiving solution needs to come with several crucial features.

Must-Have FINRA Archiving Solution Features

When choosing the right email archiving solution for your firm, pay attention to these features:

• Indexing — The stored records must be indexed to make future retrieval successful. They should also be stored in a format that meets FINRA compliance requirements.
• Multiple format capture — There are many communication channels to keep track of and retain and all of them have specific actions and formats like text, video, audio messages, emoji reactions, replies, comments, likes, etc.… Your solution must be able to capture all of these, especially edits and deletions.
• Custom retention policies — With numerous SEC retention requirements your solution of choice should allow you to create custom policies for each data type. These policies should be automatically applied to captured data and the data should be deleted automatically when they expire.
• Review status tracking — Monitor and track the progress of reviews including all the actions and comments made on the review at hand.
• Historical tracking — Track all the changes made to configurations to demonstrate which rules, policies, and actions were taken by which employee for each reviewed message.
• Export with review history — Delivery of sample messages to auditors including the full history of review activities in a standard PST format.
• Advanced whitelisting — Automatically detect non-problematic emails by setting up custom keywords in your archive’s filtering and retention policy rules reducing the noise and constant need for configuration changes.
• Legal hold — When expecting potential audits, investigations, or litigation cases, you may need to preserve specific records even after their retention periods expire. With legal holds, you can preserve electronically stored information indefinitely or until after the case is closed.
• Advanced filtering — Refine the list of messages to review with flexible filters (keyword, boolean, proximity…) so that you can focus on reviewing most import items first. Narrow down your search with precision.
• Monitoring — Features like keyword warnings, audit trails, and violation text preview allow you to detect violations before they get out of hand in an efficient way where you don’t need to open every email to check for violations.
• Conversation threading — Review related messages and email chains in a single step without the need to manually identify messages from the same topic or thread.

Remember that not all data is contained in your email but also in mobile and social media channels, which also need capture.

FINRA’s Regulatory Notices 10-6 and 11-39 deal with the corporate use of social media and record-keeping, while SEC Rule 17a-4(b) mandates that all employee communication on social media must be preserved for at least 3 years.

It makes little sense to implement multiple solutions for every different channel you’re using. That’s why modern FINRA archiving software is equipped to archive content from multiple channels.

Let’s take a quick look at Jatheon’s solution.

How Jatheon Sets You Up for FINRA and 17a-4 Compliance

Jatheon is a FINRA-compliant email archiving solution that seamlessly integrates into your email server and automatically captures and indexes all incoming and outgoing emails.

Besides email, Jatheon also captures all social media, text messages, Bloomberg messages, and WhatsApp messages into one central repository.

This allows you to search through all your different communication channels from one central interface with advanced search features like:

• Boolean search — Combine keywords with AND, OR, and NOT operators.
• Wildcard and proximity operators — Search the archive with partial terms.
• Fuzzy searches — Accommodate your search for spelling errors.
• Keyword search — Look for specific terms with a dataset.

The most important feature of custom retention policies is present in Jatheon in the form of Tags that can be programmed to automatically apply to incoming emails or messages and delete them after their respective retention period expires.

This gives you a way to manage your archive automatically while staying compliant with FINRA.

Every captured message is written in the FINRA worm compliance format and the integrity check feature can easily prove that it wasn’t tampered with.

Lastly, with features like custom roles, monitoring, and supervision, you can make sure that only authorized personnel are using your archive. In case of misconduct, you can easily prove who used your archive and what for.

Conclusion

In the world of financial firms and investment brokers, there’s no more important regulatory body than FINRA, which, with the SEC rule 17a-4, governs how you retain your records to stay compliant

Many firms still fail to comply, leading to huge fines. However, this problem can be solved.

By following the right FINRA compliance rules and implementing a comprehensive email archiving solution, your business can be kept safe from potential fines and penalties.

FAQ

What are the FINRA compliance requirements?

FINRA compliance requirements are regulatory guidelines and rules designed to protect investors’ personal information and ensure financial data security by requiring financial institutions to retain electronic records of all transactions and communications.

What is SEC 17a-3?

SEC Rule 17a-3 mandates broker-dealers to document and maintain records of all customer account information, securities transactions, and communications. They help facilitate regulatory oversight and ensure the integrity of the securities industry.

What are FINRA books and records requirements?

FINRA books and records requirements mandate businesses to make and preserve all records of transactions, communications, and customer accounts as outlined by FINRA and store them in a format that complies with rule 17a-4.

Are broker dealers required to record phone calls?

According to FINRA Rule 3170 (Tape Recording of Registered Personas), or the “Taping Rule”, certain firms are required to have taping systems installed on their phones to record all conversations with registered persons and existing/potential customers.

What is the penalty for violating FINRA?

FINRA penalties include fines, suspension, and in cases of serious misconduct jail time. These penalties depend on the severity of the violation and whether it was intentional or negligent. FINRA fines can range from $5,000 for small firms and $150,000 to millions of dollars for large firms.

About the Author

Marko Dinic

As Jatheon’s CEO, Marko Dinic oversees new business development and has a leadership role in shaping the company’s vision, strategy, and product development. Outside work, he loves visiting places off the beaten path, investing, and space travel.