Financial Industry Regulatory Authority (FINRA) recordkeeping rules define strict requirements that broker-dealers and other financial entities must meet for archiving and preserving books and records, including electronic communications. Similarly, the US Securities and Exchange Commission (SEC) also regulates how electronic records must be kept, with penalties for non-compliance.
This guide focuses on what measures IT administrators and managed service providers (MSPs) can take to meet FINRA rule 4511 and SEC rule 17a-4(f) requirements for securely storing and retrieving financial communications and records for their own organizations, or on behalf of their clients.
What is the difference between the SEC and FINRA?
FINRA is a private, self-regulatory industry body of broker-dealers in the US that develops and enforces rules to help financial firms operate legally and ethically. While not a US government body, it has the power to levy fines and place restrictions on broker-dealers who break its rules, or the rules set out by the Municipal Securities Rulemaking Board (MSRB) or the SEC.
The SEC is an independent US government agency that was founded to maintain markets and protect investors by enforcing various legal statutes, including financial reporting by businesses.
Who is covered by FINRA rule 4511 and SEC rule 17a-4?
IT administrators and MSPs who manage the IT systems of SEC-registered broker-dealers and FINRA member firms must implement measures that satisfy these recordkeeping and data preservation rules.
While this guide helps you identify tools and processes to meet recordkeeping and archiving obligations, you must read and understand the regulations yourself directly from the official source, and consult with legal and technical experts to understand which rules your business must follow, as well as to ensure that they are effectively implemented.
This is critical as non-compliance (even unintentionally) can lead to enforcement actions such as fines, suspension, or loss of licensure. There may also be additional regulations (including customer data protection) that apply to your organization depending on your location or the nature of your business.
Covered communication types
SEC and FINRA recordkeeping rules apply to all business-related physical and electronic communications. This includes email, chat and collaboration tools (such as Slack and Microsoft Teams), audio and video call recordings (including voicemail), as well as social media interactions (if business-related).
Legal and compliance teams within your organization should identify the scope and supervision criteria for communications, so that all mandated communications are correctly preserved in line with regulations. All communications will need to be preserved for the defined retention periods in a format that is protected from data loss and cannot be modified. Additionally, data may need to be made readily available for regular supervisory review.
FINRA rule 4511: General recordkeeping obligation checklist
Compliance with FINRA Rule 4511 may also require meeting multiple other requirements defined by the Exchange Act and SEA. When your compliance teams are planning and implementing your recordkeeping systems, they should consider the following:
- Records must be accurate and complete
- Data must be stored in a tamper-proof format that is protected from data loss and alteration
- Preserved communication records must be retained for up to 6 years, depending on the document type
- The retention period may vary depending on the type of preserved document
The preservation of communication data can be assisted with email archiving solutions that support search, retrieval, and export. Some data will need special measures to ensure it is properly archived, for example, data from chat apps like Microsoft Teams, or collaboration platforms like SharePoint.
SEC rule 17a-4(f): Electronic storage of broker-dealer records
The procedures enforced by SEC Rule 17a-4(f) include how long communication records must be kept, and what technical standards must be met. Compliance can be aided by following these guidelines:
- Use immutable WORM (write once, read many) compliant storage
- Apply digital time-stamping to all retained records
- Maintain duplicate copies of all data in geographically separate locations
- Maintain indexes of stored records
- Ensure records are readily available during the retention period
- Notify the designated authority prior to using any new electronic storage medium
Supervision and access requirements
Both FINRA recordkeeping rules and SEC regulations make it necessary that all archived records are available on request – requiring an archiving solution that supports search suitable for eDiscovery. Firms may also need to designate an independent party to assist the SEC with access if it is necessary.
All archived records should be audited for access, modification, and deletion attempts, and periodic reviews should be made to ensure compliance with FINRA, SEC, as well as other applicable data preservation policies. Audit trails should be retained for the same duration as the data itself.
Additionally, records may need to be supervised under written supervisory procedures (WSPs).
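The 17a-4(f) checklist above (write-once storage, time-stamping, an index of stored records, ready retrieval) and the audit-trail requirement in the previous section can be tied together in a small, runnable illustration. The following Python is an added example written for this guide; it is not NinjaOne's code, nor a reference implementation from FINRA or the SEC. It is a simplified, hypothetical archive: each record is written once (open with `xb`, which fails if the file exists) and hashed with SHA-256, an append-only JSONL index records the hash and timestamp, a search over the index serves retrieval requests, and every store, search and verification attempt lands in a JSONL audit trail. The timestamp comes from the local clock as a stand-in for a trusted time-stamping service, and the read-only file mode is not a substitute for storage-level WORM retention locks; the message, addresses and record id are constructed sample values.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


class ArchiveError(Exception):
    """Raised when an operation would violate the write-once policy."""


class WormArchive:
    """Hypothetical append-only archive: one file per record, a JSONL index, a JSONL audit trail."""

    def __init__(self, root: str):
        self.records_dir = os.path.join(root, "records")
        self.index_path = os.path.join(root, "index.jsonl")
        self.audit_path = os.path.join(root, "audit.jsonl")
        os.makedirs(self.records_dir, exist_ok=True)

    @staticmethod
    def _now() -> str:
        # Local clock used as a stand-in for a trusted time-stamping authority.
        return datetime.now(timezone.utc).isoformat()

    def _append(self, path: str, entry: dict) -> None:
        with open(path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")

    def _read_jsonl(self, path: str) -> list:
        if not os.path.exists(path):
            return []
        with open(path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    def _audit(self, action: str, subject: str, outcome: str) -> None:
        # Every store, search and verification attempt is logged, including refusals.
        self._append(self.audit_path, {"ts": self._now(), "action": action,
                                       "subject": subject, "outcome": outcome})

    def store(self, record_id: str, payload: bytes, metadata: dict) -> dict:
        path = os.path.join(self.records_dir, f"{record_id}.bin")
        try:
            # "xb" opens with O_EXCL: writing a record that already exists fails.
            with open(path, "xb") as f:
                f.write(payload)
        except FileExistsError:
            self._audit("store", record_id, "refused-duplicate")
            raise ArchiveError(f"record {record_id} already exists; archive is write-once")
        os.chmod(path, 0o444)  # read-only mode discourages in-place edits (not true WORM)
        entry = {"record_id": record_id, "sha256": hashlib.sha256(payload).hexdigest(),
                 "size": len(payload), "stored_at": self._now(), **metadata}
        self._append(self.index_path, entry)
        self._audit("store", record_id, "ok")
        return entry

    def find(self, **criteria) -> list:
        # Index search (e.g. by channel or custodian) to answer retrieval requests.
        self._audit("search", json.dumps(criteria, sort_keys=True), "ok")
        return [e for e in self._read_jsonl(self.index_path)
                if all(e.get(k) == v for k, v in criteria.items())]

    def verify(self, record_id: str) -> bool:
        # Recompute the stored file's hash and compare it with the indexed value.
        entries = [e for e in self._read_jsonl(self.index_path) if e["record_id"] == record_id]
        if not entries:
            self._audit("verify", record_id, "missing-index-entry")
            return False
        path = os.path.join(self.records_dir, f"{record_id}.bin")
        try:
            with open(path, "rb") as f:
                actual = hashlib.sha256(f.read()).hexdigest()
        except FileNotFoundError:
            self._audit("verify", record_id, "missing-file")
            return False
        ok = actual == entries[0]["sha256"]
        self._audit("verify", record_id, "ok" if ok else "hash-mismatch")
        return ok

    def audit_trail(self) -> list:
        return self._read_jsonl(self.audit_path)


def demo() -> dict:
    """Store a constructed message, verify it, refuse a duplicate, then detect an out-of-band edit."""
    archive = WormArchive(tempfile.mkdtemp(prefix="worm-demo-"))
    msg = b"From: trader@example.com\nTo: client@example.com\n\nExecuted 100 shares at 42.10"  # constructed
    archive.store("msg-0001", msg, {"channel": "email", "custodian": "trader@example.com"})
    before = archive.verify("msg-0001")
    try:
        archive.store("msg-0001", b"replacement", {"channel": "email"})
        duplicate_refused = False
    except ArchiveError:
        duplicate_refused = True
    # Simulate a modification that bypasses the archive API; verification must catch it.
    path = os.path.join(archive.records_dir, "msg-0001.bin")
    os.chmod(path, 0o644)
    with open(path, "ab") as f:
        f.write(b"\n-- edited --")
    after = archive.verify("msg-0001")
    return {"verified_before": before, "duplicate_refused": duplicate_refused,
            "verified_after_tamper": after, "hits": len(archive.find(channel="email")),
            "audit_events": len(archive.audit_trail())}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the verification step is that immutability is a claim the archive must be able to prove: a periodic `verify` pass over the index, with its results kept in the audit trail for as long as the records themselves, is what turns "we use WORM storage" into evidence a reviewer can check.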
FINRA and SEC recordkeeping compliance with Microsoft 365 and Google Workspace
Many financial businesses use Microsoft 365 and Google Workspace for their email, productivity, and collaboration software. While these fully managed solutions offer reliability and out-of-the-box functionality without infrastructure overheads, they operate on a shared responsibility model, which places all liability for any lost data on the customer. Therefore, it is your responsibility as an IT administrator or MSP handling financial data to ensure that it is preserved in accordance with FINRA and SEC recordkeeping rules, as well as other data regulations like CCPA and HIPAA.
This means that preserved data must also be backed up. Be aware, however, that not all backup systems are compliant with FINRA and SEC requirements, and that there are data archiving and backup solutions tailored to the financial services industry.
If you have been tasked with preserving financial data in line with FINRA and SEC recordkeeping rules, consult with a NinjaOne representative today to find out how our MSP platform can help enable compliance.