There are two key bodies that oversee the compliance of financial institutions in terms of how they preserve and manage their business records: FINRA and SEC.
The Financial Industry Regulatory Authority (FINRA) is a non-profit organization that, authorized by the US Congress, oversees the operations of, and enforces the rules governing, organizations in the financial services industry, including stockbrokers and brokerage firms.
Together with the SEC (Securities and Exchange Commission), FINRA is the most important regulatory body in the US financial system.
Due to complex, multi-layered SEC regulations regarding the preservation of records, specifically SEC 17a-4(b), SEC 204-2, SEC 206(4)-7, SEC Rule IA-2204 and FINRA Rule 4500, financial firms are under continuous scrutiny and face substantial fines for non-compliance.
So, in today’s post, we’ll look at how you can ensure FINRA compliant email archiving and how to meet SEC email retention requirements.
Recent Examples of FINRA Non-Compliance
Failing to meet FINRA and SEC requirements can be a costly endeavor.
It only takes a few minutes on the FINRA website to find extensive information about fines levied on organizations that have failed to comply.
Meanwhile, according to Investment News, the annual SEC enforcement report for fiscal year 2018 cites “821 enforcement actions which resulted in $3.9 billion in disgorgement and penalties”. A year later, in 2019, the SEC enforcement report for fiscal year 2019 cited even more enforcement cases and a higher amount of fines — “862 enforcement actions […], which resulted in $4.3 billion in disgorgement and penalties”.
In January 2019, Advisory Group Equity Services Ltd. was censured and fined $20,000 because they “failed to establish and maintain a reasonable supervisory system with respect to the retention and review of emails of newly hired representatives.” These emails contained discussions about investments, stock prices and securities transactions.
In April 2019, Wilson-Davis & Co., Inc. was censured and fined $32,500, as they failed to establish, maintain and enforce an email retention system that could allow them to “review email correspondence for indications of potential violations of federal securities laws or FINRA rules.”
More recently, in March 2020, Spencer Edwards, Inc. was fined $3,400,000 and ordered to pay disgorgement in the amount of $90,940, plus prejudgment interest.
The findings showed that “the firm failed to adequately supervise its brokers and ensure that it employed procedures adequate to comply with recordkeeping requirements and its obligation not to participate in unregistered, non-exempt securities offerings.”
It was also established that the firm’s CCO didn’t ensure the firm had an effective tool to “retain electronic communications, as the firm’s brokers routinely used personal email accounts bypassing any system of surveillance or monitoring the firm utilized.”
Inside SEC 17a-4 Compliance Requirements
The key components are outlined in subsection (f)(2)(ii), which states that the storage media should:
- contain measures that protect record integrity
- preserve records in a non-rewritable and non-erasable (WORM) format
- automatically verify the quality and accuracy of the record storing process
- time- and date-stamp records and index them appropriately
- prevent alteration or deletion of records for their required retention period
- allow for easy access and availability of records
- allow the deletion of records after the retention period expires
- have the capacity to download records
- be able to store duplicate copies in a different location
- be able to contain records for a minimum of three years
To meet SEC requirements, financial firms typically implement email archiving solutions, either on-premises or in the cloud, to improve email management and ensure complete compliance with the rules.
In case of non-compliance, the monetary fines range from $1,000 to over $140,000.
At the same time, non-monetary penalties include the suspension or expulsion of the responsible individual and/or the company, depending on the nature of the breach and the aggravating factors.
Mobile and Social Media Archiving and SEC 17a-4
Although it was originally considered best practice to prohibit the use of social media and text messaging to prevent compliance risks, this practice is no longer sustainable. Just like everyone else, financial firms are growing increasingly reliant on mobile and social media platforms for quick communication with employees and clients.
FINRA’s Regulatory Notices 10-6 and 11-39 deal with the corporate use of social media and record-keeping, while SEC Rule 17a-4(b) mandates that all employee communication on social media must be preserved for at least 3 years.
In 2017, FINRA published Regulatory Notice 17-18, where they outlined the rules governing social media and mobile communications. In July 2018, SEC reaffirmed the application of the securities laws to social media use and continues to focus on how investment advisors use social networks.
Firms that communicate via social media and text messaging, both internally and with clients, are typically advised to keep personal and business-related communication separate (by using different apps or platforms), to retain all social media and mobile content, and to create policies that outline the rules for content retention.
How to Meet SEC Email Retention Requirements
One of the best and easiest ways to avoid penalties and ensure FINRA/SEC compliance standards is to implement an archiving solution. The primary benefits are:
- Automated, almost instant compliance
- Increased storage capacity
- Improved system performance
- The ability to search databases fast
- Protection from litigation
- A searchable, centralized repository of all electronically stored information
- Improved data governance
SEC-17a-4 Compliance Checklist
The following list is a good starting point for financial firms wishing to get their FINRA/SEC compliance in order. Remember that these points are just guidelines which require significant follow-up work.
Assign an SEC/FINRA go-to person
Your firm should select an individual to take charge of compliance and data protection issues. This person should interpret the rules in collaboration with your legal team, ensure that all areas of the business are compliant and that all data is being backed up securely.
Register with an information commissioner
If the country in which the business is based has an information commissioner or data compliance regulator, your organization should be registered with this body.
Determine data that needs archiving
Identify first-party and third-party data. Then evaluate what kinds of data need to be archived, for how long, and what can be deleted. In the case of email data, complete archiving is the usual answer.
Train staff on SEC/FINRA compliance requirements
All staff should be trained on the correct procedures to follow when they come into contact with personal data, for example sensitive email communications. Employees must understand that an unauthorized disclosure of private data creates legal trouble for the business.
Back up sensitive information
Identify the ways in which you will back up sensitive data to ensure compliance. For email data, a compliant email archiving solution is the best way to satisfy the law.
Facilitate eDiscovery processes
All data types should be archived in a way that allows eDiscovery in the case of a data request during legal proceedings.
Introduce a system that meets FINRA record retention requirements
Make sure the data is archived in accordance with the rules outlined by FINRA and SEC, namely that the archiving solution has the capability to:
- retain messages in a write-once-read-many (WORM) format
- support different retention schedules
- apply legal holds
- perform queries to comply with early case assessment
- produce messages in their original state, with the ability to share them with third parties
- index information and perform advanced searches based on various criteria
- prevent accidental or intentional alteration and deletion of data
- provide supervision capabilities and workflows for compliance officers
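To make the storage-media properties from 17a-4(f)(2)(ii) and the archiving capabilities in the checklist above concrete, here is an added illustration (not Jatheon's code or any product's): a hypothetical in-memory archive in which every record gets a SHA-256 digest, a hash-chain link to the previous record, a UTC timestamp and an index entry, with a check that detects later alteration and a retention gate for deletion. The class name, field names and sample messages are all constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Hypothetical minimal archive illustrating the 17a-4(f)(2)(ii) properties:
# integrity measure (per-record digest + hash chain), time/date stamp, index,
# and a retention gate. The WORM guarantee itself must come from the storage
# layer (WORM media, object lock); this in-memory list can only *detect*
# alteration after the fact, which is the "verify automatically" property.
class WormArchive:
    def __init__(self, retention_days=3 * 365):
        self.retention_days = retention_days
        self.records = []   # append-only; the class offers no update/delete
        self.index = {}     # sender -> [record ids], for fast retrieval

    def archive(self, sender, subject, body, received):
        prev = self.records[-1]["chain"] if self.records else "0" * 64
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        chain = hashlib.sha256((prev + digest).encode("ascii")).hexdigest()
        rec = {"id": len(self.records), "sender": sender, "subject": subject,
               "body": body,
               "received": received.astimezone(timezone.utc).isoformat(),
               "sha256": digest, "chain": chain}
        self.records.append(rec)
        self.index.setdefault(sender, []).append(rec["id"])
        return rec["id"]

    def verify(self):
        """Return (True, None) if intact, else (False, id of first bad record)."""
        prev = "0" * 64
        for rec in self.records:
            body_digest = hashlib.sha256(rec["body"].encode("utf-8")).hexdigest()
            if body_digest != rec["sha256"]:
                return False, rec["id"]
            link = hashlib.sha256((prev + rec["sha256"]).encode("ascii")).hexdigest()
            if rec["chain"] != link:
                return False, rec["id"]
            prev = rec["chain"]
        return True, None

    def deletable(self, rec_id, now):
        """Deletion is permitted only once the retention period has elapsed."""
        received = datetime.fromisoformat(self.records[rec_id]["received"])
        return (now - received).days >= self.retention_days

    def search(self, sender):
        """Indexed lookup by sender, the kind of query eDiscovery relies on."""
        return [self.records[i] for i in self.index.get(sender, [])]
```

Because each chain link covers the previous link, altering or silently removing an older record invalidates every record after it, so a periodic verify() plus a copy of the latest chain value stored off-site gives an auditor a cheap integrity check.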
It’s a good idea to choose an archiving solution that can not only support multiple email platforms (you might change them at some point, which could complicate issues if your archiving solution can’t work with both), but also archive various types of data, including social media, instant messages and content created on mobile devices.
Some fourth-generation email archiving solutions can be customized to archive social media and text messages. These are typically purchased as simple add-ons and don’t require extensive implementation.
Having a centralized archive where non-email content is archived alongside email means that there will be only one place to search when preparing for eDiscovery or proving compliance. This will make supervision and exporting much more streamlined and effective.
Check FINRA compliance vendor directory
Finally, when looking for an archiving vendor, check if they are registered in the FINRA Compliance Vendor Directory. The directory is a comprehensive resource that lets firms search for and evaluate vendors that offer compliance-related products and services, information archiving included.
If the vendor has been approved, the chances are that they will meet most or all of your requirements. This will save you a lot of time and effort while searching for the most adequate solution.
As a FINRA-approved vendor, Jatheon offers financial firms on-premise and cloud archiving solutions with powerful search, eDiscovery, audit and exporting capabilities, customizable retention schedules, legal hold and message verification features, as well as the ability to prevent alteration and deletion of data.
To learn how Jatheon can help you choose and implement the right archiving solution for your firm, get in touch or schedule your personal demo.
In case you want to learn more about email archiving in the financial industry, here are a couple of guides to help you get started: