There are two key bodies that oversee the compliance of financial institutions in terms of how they preserve and manage business records: FINRA and SEC.
The Financial Industry Regulatory Authority (FINRA) is a non-profit organization, authorized by the US Congress, that oversees the operations of organizations in the financial services industry, including stockbrokers and brokerage firms, and enforces the rules that govern their activities.
Together with the SEC (Securities and Exchange Commission), FINRA is the most important regulatory body in the US financial system.
Due to complex, multi-layered SEC regulations regarding the preservation of records, specifically SEC 17a-4(b), SEC 204-2, SEC 206(4)-7, SEC Rule IA-2204 and FINRA Rule 4500, financial firms are under continuous scrutiny and face substantial fines for non-compliance.
So, in today’s post, we’ll look at how you can ensure FINRA compliant email archiving and how to meet SEC email retention requirements.
Recent Examples of FINRA Non-Compliance
Failing to meet FINRA and SEC requirements can be a costly endeavor.
It only takes a few minutes on the FINRA website to find extensive information about fines levied on organizations that have failed to comply.
Meanwhile, according to Investment News, the annual SEC enforcement report for fiscal year 2018 cites “821 enforcement actions which resulted in $3.9 billion in disgorgement and penalties”. A year later, the SEC enforcement report for fiscal year 2019 cited even more enforcement cases and a higher amount of fines — “862 enforcement actions […], which resulted in $4.3 billion in disgorgement and penalties”. Finally, fiscal 2020 saw a small decline in the number of enforcement actions (715), but the total orders reached $4.68 billion in disgorgement and penalties, which was a record amount for the Commission.
In January 2019, Advisory Group Equity Services Ltd. was censured and fined $20,000 because they “failed to establish and maintain a reasonable supervisory system with respect to the retention and review of emails of newly hired representatives.” These emails contained discussions about investments, stock prices and securities transactions.
In April 2019, Wilson-Davis & Co., Inc. was censured and fined $32,500, as they failed to establish, maintain and enforce an email retention system that could allow them to “review email correspondence for indications of potential violations of federal securities laws or FINRA rules.”
More recently, in March 2020, Spencer Edwards, Inc. was fined $3,400,000 and ordered to pay disgorgement in the amount of $90,940, plus prejudgment interest.
The findings showed that “the firm failed to adequately supervise its brokers and ensure that it employed procedures adequate to comply with recordkeeping requirements and its obligation not to participate in unregistered, non-exempt securities offerings.”
It was also established that the firm’s CCO didn’t ensure the firm had an effective tool to “retain electronic communications, as the firm’s brokers routinely used personal email accounts bypassing any system of surveillance or monitoring the firm utilized.”
Inside SEC 17a-4 Compliance Requirements
The key components are outlined in subsection (f)(2)(ii), which states that the storage media should:
- contain measures that protect record integrity
- preserve records in a non-rewritable and non-erasable (WORM) format
- verify automatically the quality and accuracy of the record storing process
- be able to time and date-stamp records and index them appropriately
- prevent alteration or deletion of records for their required retention period
- allow for easy access and availability of records
- allow the deletion of records after the retention period expires
- have the capacity to download records
- be able to store duplicate copies in a different location
- be able to contain records for a minimum of three years
To meet SEC requirements, financial firms typically implement email archiving solutions, either on-premises or in the cloud, to improve email management and ensure complete compliance with the rules.
In case of non-compliance, the monetary fines range from $1,000 to over $140,000.
At the same time, non-monetary penalties include the suspension or expulsion of the responsible individual and/or the company, depending on the nature of the breach and the aggravating factors.
Mobile and Social Media Archiving and SEC 17a-4
Although it was originally considered best practice to prohibit the use of social media and text messaging to prevent compliance risks, this practice is no longer sustainable. Just like everyone else, financial firms are growing increasingly reliant on mobile and social media platforms for quick communication with employees and clients.
FINRA’s Regulatory Notices 10-6 and 11-39 deal with the corporate use of social media and record-keeping, while SEC Rule 17a-4(b) mandates that all employee communication on social media must be preserved for at least 3 years.
In 2017, FINRA published Regulatory Notice 17-18, where they outlined the rules governing social media and mobile communications. In July 2018, SEC reaffirmed the application of the securities laws to social media use and continues to focus on how investment advisors use social networks.
Firms which communicate via social media and text messaging, both internally and with clients, are typically advised to keep personal and business-related communication separate (by using different apps or platforms), to retain all social media and mobile content and create policies that will outline the rules for content retention.
How to Meet SEC Email Retention Requirements
One of the best and easiest ways to avoid penalties and meet FINRA/SEC compliance standards is to implement an archiving solution. The primary benefits are:
- Automated, almost instant compliance
- Increased storage capacity
- Improved system performance
- The ability to search databases fast
- Protection from litigation
- A searchable, centralized repository of all electronically stored information
- Improved data governance
SEC-17a-4 Compliance Checklist
The following list is a good starting point for financial firms wishing to get their FINRA/SEC compliance in order. Remember that these points are just guidelines which require significant follow-up work.
Assign an SEC/FINRA go-to person
Your firm should select an individual to take charge of compliance and data protection issues. This person should interpret the rules in collaboration with your legal team, ensure that all areas of the business are compliant and that all data is being backed up securely.
Register with an information commissioner
If the country in which the business is based has an information commissioner or data compliance regulator, your organization should be registered with this body.
Determine data that needs archiving
Identify first party and third party data. Then evaluate what kinds of data need to be archived, for how long, and what can be deleted. In the case of email data, complete archiving is the usual answer.
Train staff on SEC/FINRA compliance requirements
All staff should be trained on what the correct procedures are if they come into contact with personal data, for example, sensitive email communications. Employees must know that they will generate legal trouble for the business in case of unauthorized private data disclosure.
Back up sensitive information
Identify the ways in which you will back up sensitive data to ensure compliance. As for email data, email archiving solutions that are compliant are the best way to satisfy the law.
Facilitate the ediscovery processes
All data types should be archived in a way that allows ediscovery in the case of a data request during legal proceedings.
Introduce a system that meets FINRA record retention requirements
Make sure the data is archived in accordance with the rules outlined by FINRA and SEC, namely that the archiving solution has the capability to:
- retain messages in a write-once-read-many format
- support different retention schedules
- apply legal holds
- perform queries to comply with early case assessment
- produce messages to their original state with the ability to be shared with third parties
- index information and perform advanced searches based on various criteria
- prevent accidental or intentional alteration and deletion of data
- provide supervision capability and workflow for compliance officers
It’s a good idea to choose an archiving solution that can not only support multiple email platforms (you might change them at some point, which could complicate issues if your archiving solution can’t work with both), but also archive various types of data, including social media, instant messages and content created on mobile devices.
Some fourth-generation email archiving solutions can be customized to archive social media and text messages. These are typically purchased as simple add-ons and don’t require extensive implementation.
Having a centralized archive where non-email content is archived alongside email means that there will be only one place to search when preparing for ediscovery or proving compliance. This will make supervision and exporting much more streamlined and effective.
Check FINRA compliance vendor directory
Finally, when looking for an archiving vendor, check if they are registered in the FINRA Compliance Vendor Directory. The directory is a comprehensive resource that lets firms search for and evaluate vendors that offer compliance-related products and services, information archiving included.
If the vendor has been approved, the chances are that they will meet most or all of your requirements. This will save you a lot of time and effort while searching for the most adequate solution.
The Features Financial Firms Need for FINRA Compliance
Complying with a variety of financial and informational regulations can be extremely difficult unless the right approaches and systems are used.
So here’s a rundown of essential features your archiving solution should have to help you stay in line with financial sector regulations:
1. Comprehensive indexing
It’s not enough to simply store communications in a bulk format; they must also be indexed to make future retrieval successful and stored in formats compliant with the relevant rules.
2. Capture a variety of formats
The number of communication channels and formats in which information is stored is increasing. At the same time, all this information is considered official business records and needs to be preserved. So it’s important that you can capture not just email, but also instant messaging, texts, voice calls, videos, social media pages, etc.
3. 24/7 archive monitoring
Security of the archived information is also critical – an archiving solution that doesn’t offer 24/7 monitoring and support provides little in the way of continuous security in case an incident occurs.
4. Custom retention policies
There are numerous regulations stipulating for how long records need to be preserved. To stay aligned with these laws, your archiver should allow you to specify custom retention policies and rules, so that you preserve information for as long as necessary according to FINRA, but not longer than that (to reduce liability). For more information on setting email retention policies, here’s a list of best practices on setting retention policies.
5. Customizable roles and permissions
To ensure all your employees and compliance officers have access to the right information, it’s important that you can customize roles according to everyone’s job responsibilities. This allows you to ensure efficiency and preserve the security of your records.
6. Legal hold
When you expect potential audits, investigations, or litigation cases, you may need to preserve some records even after their retention periods expire. This is where the legal hold feature comes in handy. With it, you can preserve electronically stored information indefinitely or until after the case is closed.
7. Configurable expunge periods
Being able to set custom expunge periods allows you to set an automated removal of all messages that you are no longer required to keep. This enables you to have fresh storage space as data will be deleted once its life span expires.
8. Advanced searches
Financial firms work with enormous data sets that are exchanged via email. With advanced search capabilities, you can narrow down your search with a lot of precision and retrieve all the information in just seconds.
These are just some of the features that a modern archiving system for financial services needs to have. For an exhaustive list of features (including both hardware and software), check out this guide on which features to consider when buying your archiving solution.
Why Email Matters to Financial Services
Although email is the most common communication tool in all industries, it is vitally important in the financial sector, where emails contain sensitive financial and private information. It’s no surprise then that email is a major target during compliance audits.
Regulatory compliance requirements for the financial industry are spread across a number of acts. These acts all demand that companies in the financial industry maintain good email archives, which is why a solid archiving solution is essential in achieving regulatory compliance.
Failing to meet these regulatory compliance requirements will, in most cases, result in heavy fines. On the other hand, an email archive that meets the requirements outlined in these acts could provide huge savings for companies in the financial industry.
As a FINRA-approved vendor, Jatheon offers financial firms on-premise and cloud archiving solutions with powerful search, ediscovery, audit and exporting capabilities, customizable retention schedules, legal hold and message verification features, as well as the ability to prevent alteration and deletion of data.