How to Ensure Compliance with FINRA and SEC 17a-4 with Email Archiving

July 15, 2019 by Jatheon

The Financial Industry Regulatory Authority (FINRA) is a non-profit organization that, under authorization from the US Congress, oversees the operations of, and enforces the rules that govern, organizations in the financial services industry, including stockbrokers and brokerage firms. Together with the SEC (the Securities and Exchange Commission), FINRA is the most important regulatory body in the US financial system.

Due to complex, multi-layered SEC regulations regarding the preservation of records, specifically SEC 17a-4(b), SEC 204-2, SEC 206(4)-7, SEC Rule IA-2204 and FINRA Rule 4500, financial firms are under continuous scrutiny and face substantial fines for non-compliance.

It only takes a few minutes on the FINRA website to find extensive information about fines levied on organizations that have failed to comply. According to Investment News, the annual SEC enforcement report for fiscal year 2018 cites “821 enforcement actions which resulted in $3.9 billion in disgorgement and penalties”.


Recent Examples of Non-Compliance

In January 2019, Advisory Group Equity Services Ltd. was censured and fined $20,000 because they “failed to establish and maintain a reasonable supervisory system with respect to the retention and review of emails of newly hired representatives.” These emails contained discussions about investments, stock prices and securities transactions.

In April 2019, Wilson-Davis & Co., Inc. was censured and fined $32,500, as they failed to establish, maintain and enforce an email retention system that could allow them to “review email correspondence for indications of potential violations of federal securities laws or FINRA rules.”

Inside SEC 17a-4 Compliance Requirements

Under SEC 17a-4, financial firms are obliged to preserve electronic records. This is typically accomplished through technological systems that automate record retention. The key components are outlined in subsection (f)(2)(ii), which states that the storage media should:

  • contain measures that protect record integrity
  • preserve records in a non-rewritable and non-erasable (WORM) format
  • automatically verify the quality and accuracy of the record-storing process
  • time- and date-stamp records and index them appropriately
  • prevent alteration or deletion of records for their required retention period
  • allow for easy access and availability of records
  • allow the deletion of records after the retention period expires
  • have the capacity to download records
  • be able to store duplicate copies in a different location
  • be able to contain records for a minimum of three years

To meet these requirements, financial firms typically implement email archiving solutions, either on-premises or in the cloud, to improve email management and ensure complete compliance with the rules.

In case of non-compliance, the monetary fines range from $1,000 to over $140,000, while non-monetary penalties include the suspension or expulsion of the responsible individual and/or the company, depending on the nature of the breach and the aggravating factors.


Mobile and Social Media Archiving and SEC 17a-4

Although it was originally considered best practice to prohibit the use of social media and text messaging to prevent compliance risks, this practice is no longer sustainable. Just like everyone else, financial firms are growing increasingly reliant on mobile and social media platforms for quick communication with employees and clients.

FINRA’s Regulatory Notices 10-6 and 11-39 deal with the corporate use of social media and record-keeping, while SEC Rule 17a-4(b) mandates that all employee communication on social media must be preserved for at least 3 years.

In 2017, FINRA published Regulatory Notice 17-18, which outlined the rules governing social media and mobile communications. In July 2018, the SEC reaffirmed that the securities laws apply to social media use and continues to focus on how investment advisors use social networks.

Firms which communicate via social media and text messaging, both internally and with clients, are typically advised to keep personal and business-related communication separate (by using different apps or platforms), to retain all social media and mobile content and create policies that will outline the rules for content retention.

How to Ensure SEC 17a-4 Compliance with Email Archiving

One of the best and easiest ways to avoid penalties and ensure compliance with FINRA/SEC standards is to implement an archiving solution. The primary benefits are:

  • Automated, almost instant compliance
  • Increased storage capacity
  • Improved system performance
  • The ability to search databases fast
  • Protection from litigation
  • A searchable, centralized repository of all electronically stored information
  • Improved data governance


SEC-17a-4 Compliance Checklist

The following list is a good starting point for financial firms wishing to get their FINRA/SEC compliance in order. Remember that these points are just guidelines which require significant follow-up work.

    1. Your firm should select an individual to take charge of compliance and data protection issues. This person should interpret the rules in collaboration with your legal team, ensure that all areas of the business are compliant and that all data is being backed up securely.
    2. If the country in which the business is based has an information commissioner or data compliance regulator, your organization should be registered with this body.
    3. Identify first-party and third-party data. Then evaluate what kinds of data need to be archived, for how long, and what can be deleted. In the case of email data, complete archiving is the usual answer.
    4. All staff should be trained on what the correct procedures are if they come into contact with personal data, for example, sensitive email communications. Employees must know that they will generate legal trouble for the business in case of unauthorized private data disclosure.
    5. Identify the ways in which you will back up sensitive data to ensure compliance. As for email data, email archiving solutions that are compliant are the best way to satisfy the law.
    6. All data types should be archived in a way that allows eDiscovery in the case of a data request during legal proceedings.
    7. Make sure the data is archived in accordance with the rules outlined by FINRA and SEC, namely that the archiving solution has the capability to:

      – retain messages in a write-once-read-many (WORM) format
      – support different retention schedules
      – apply legal holds
      – perform queries to support early case assessment
      – produce messages in their original state, with the ability to share them with third parties
      – index information and perform advanced searches based on various criteria
      – prevent accidental or intentional alteration and deletion of data
      – provide supervision capabilities and workflows for compliance officers

    8. It’s a good idea to choose an archiving solution that can not only support multiple email platforms (you might change them at some point, which could complicate issues if your archiving solution can’t work with both), but also archive various types of data, including social media, instant messages and content created on mobile devices.
      Some fourth-generation email archiving solutions can be customized to archive social media and text messages. These are typically purchased as simple add-ons and don’t require extensive implementation.
      Having a centralized archive where non-email content is archived alongside email means that there will be only one place to search when preparing for eDiscovery or proving compliance. This will make supervision and exporting much more streamlined and effective.
    9. Finally, when looking for an archiving vendor, check if they are registered in the FINRA Compliance Vendor Directory. The directory is a comprehensive resource that lets firms search for and evaluate vendors that offer compliance-related products and services, information archiving included.

If the vendor has been approved, the chances are that they will meet most or all of your requirements. This will save you a lot of time and effort while searching for the most adequate solution.
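As an added illustration (not Jatheon's code or any vendor's product), the following Python sketch models the storage properties listed under 17a-4(f)(2)(ii) and in checklist item 7: each record gets a serial index, an archive time-stamp and a SHA-256 integrity digest, there is no method that rewrites a record, and deletion is refused while a legal hold is set or before the three-year retention period has run. The class and method names, the sample message and the three-year default are constructed for this example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

class WormArchive:
    def __init__(self, retention_days=3 * 365):  # three-year minimum from the rule
        self.retention = timedelta(days=retention_days)
        self._records = {}  # serial -> (message, iso timestamp, sha256 digest)
        self._holds = set()  # serials under legal hold

    @staticmethod
    def _digest(serial, message, stamp):
        payload = json.dumps([serial, message, stamp], sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def archive(self, message, now):
        """Append a message; there is deliberately no method that rewrites one."""
        serial = len(self._records) + 1
        stamp = now.isoformat()
        self._records[serial] = (message, stamp, self._digest(serial, message, stamp))
        return serial

    def verify(self, serial):
        """Recompute the digest so any alteration of the stored copy is detected."""
        message, stamp, digest = self._records[serial]
        return self._digest(serial, message, stamp) == digest

    def legal_hold(self, serial, on=True):
        (self._holds.add if on else self._holds.discard)(serial)

    def expunge(self, serial, now):
        """Delete only once retention has run out and no hold applies; say why not."""
        if serial in self._holds:
            return "refused: legal hold"
        if now < datetime.fromisoformat(self._records[serial][1]) + self.retention:
            return "refused: retention period not expired"
        del self._records[serial]
        return "deleted"

def demo():
    # Walk one constructed message through hold, early deletion and expiry.
    t0 = datetime(2019, 7, 15, tzinfo=timezone.utc)
    archive = WormArchive()
    serial = archive.archive({"from": "rep@example.com", "body": "trade idea"}, t0)
    archive.legal_hold(serial)
    held = archive.expunge(serial, t0 + timedelta(days=2000))
    archive.legal_hold(serial, on=False)
    early = archive.expunge(serial, t0 + timedelta(days=365))
    return archive.verify(serial), held, early, archive.expunge(serial, t0 + timedelta(days=1096))
```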

Jatheon is a global leader in email, social media and mobile communications archiving and eDiscovery, with 15 years of experience in on-premise archiving and a new, latest-generation cloud email archiving solution.

As a FINRA-approved vendor, Jatheon offers financial firms on-premise and cloud archiving solutions with powerful search, eDiscovery, audit and exporting capabilities, customizable retention schedules, legal hold and message verification features, as well as the ability to prevent alteration and deletion of data.

To learn how Jatheon can help you choose and implement the right archiving solution for your firm, get in touch or schedule your personal demo.
