How to achieve WORM compliance (and then stay compliant)
June 19, 2020 • 7 min read
As the financial services industry becomes a more responsible and accountable space, thorough record-keeping has never been more important. Reliable records created in WORM (write once, read many) format can allow a firm to meet the required regulatory standard and generally run a more accountable operation.
However, the standards are continually being raised by regulatory authorities. From FINRA record retention requirements to SEC rule 17a-3, it’s important that you and your entire team (whether this includes just compliance analysts or extends to digital archivists and operations managers) are up to speed on everything you need to know.
By the end of this blog, you’ll be fully updated on everything required under FINRA WORM compliance and be able to assess where your firm can be doing more to achieve the best standards in record keeping.
What is WORM compliance?
Essentially, WORM compliance means satisfying record-keeping rules that ensure stored records cannot be tampered with (or deleted) in any way. This creates an irrefutable and therefore reliable record of business, invaluable for regulatory and best-practice purposes.
What is WORM storage?
Standing for ‘write once, read many’, WORM storage describes a way of storing data so it cannot be tampered with once created. To have WORM compliant storage, therefore, firms need a system that makes these records unalterable, so they can neither be rewritten nor erased. At the same time, users must be able to easily access and read this data.
A good way to think about WORM data storage is that anything stored this way is effectively a snapshot of data frozen in time.
For firms that are serious about WORM compliance, an increasingly popular strategy is the use of cloud-based solutions. Rather than relying on physical records (such as hard drives or physical papers) that can easily be destroyed or interfered with, cloud-based WORM compliant storage is allowing firms to make their data more easily accessible while still protecting it.
A huge benefit of WORM data storage that uses cloud technology is it frees up physical space and means these firms can more easily scale up their storage (rather than having to buy another floor in a building, a business with more records to safeguard can simply purchase a greater share of a cloud).
Who does this apply to (and which job functions are responsible)?
Where records of data need to be captured and retained, you'll often encounter WORM as the required format to meet regulator requirements. The regulatory rules that demand this format of retention include:
FINRA / SEC: US financial services firms must meet rule 17a-4, meaning business communications such as websites and social media must be recorded and archived in WORM format. They must also be held in a destination that's immediately accessible and kept for up to 6 years.
FCA: UK financial services firms must capture electronic communications such as websites, financial promotions or voice calls and hold them in an immutable format. These must be retained for at least five years or where requested by the FCA for up to seven years.
MiFID II: Requiring financial services firms operating across the EU to hold accurate records of their business communications for up to seven years.
NARA: This requirement means agencies need to deploy an archiving solution that is able to capture immutable records.
GDPR: The requirements for GDPR record retention don't specifically demand WORM compliance, however, to ensure records are captured accurately and not changed, a format such as WORM is recommended to ensure best practice.
SEC WORM compliance applies to all persons engaged in trading securities as a broker/dealer and all persons associated with the business.
As a regulatory requirement, you may assume this is simply a matter for the compliance department. Wrong! WORM compliance affects day-to-day operations, so to help the firm as a whole achieve compliance, all individuals should be aware of these requirements and of what they should do to help meet them.
What are the risks and penalties for non-compliance?
Maintaining complete and accurate records is required in order to operate in the securities industry. And, to make it clear how important it is that firms fulfil WORM compliance, the regulators have been increasingly willing to punish non-compliant firms.
For example, back in 2017 over $2m in fines were paid by HSBC, Allianz and Mass Mutual over failure to create records of millions of customer documents in non-erasable formats.
While these firms may have been thoroughly making records, they failed when it came to using WORM data storage solutions.
Remember, if the data can be rewritten or tampered with in any way then it is not WORM compliant storage.
How long must communications be preserved to comply with FINRA and SEC rules?
With WORM compliant storage, such records have to tick a lot of boxes in terms of the kinds of information covered and how they are stored. Time constraints are important too when it comes to FINRA record retention, and under FINRA Rule 4511(b) records made under the Securities Exchange Act – which we’ll come to later – have to be kept for a minimum of six years.
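The write-once, read-many semantics from the WORM storage section and the retention minimum above, as an added example that is not part of the original post: a small hypothetical in-memory store that refuses overwrites, verifies a SHA-256 digest on every read, and refuses deletion before the retention period (a six-year minimum assumed) has passed. The store, the record id and the sample page are constructed for illustration only.

```python
import hashlib
from datetime import datetime, timedelta, timezone
# Hypothetical in-memory WORM store (added example, not any vendor's product): a
# record is written once, read many times, never overwritten, and only deletable
# after its retention period (here the six-year minimum) has passed.
SIX_YEARS = timedelta(days=6 * 365)
class WormViolation(Exception):
    pass  # raised on any attempt to alter or prematurely delete a record

class WormStore:
    def __init__(self, retention=SIX_YEARS):
        self.retention = retention
        self._records = {}  # record_id -> (data, sha256 hex, written_at)

    def write(self, record_id, data, now=None):
        now = now or datetime.now(timezone.utc)
        if record_id in self._records:  # "write once": no overwrite, ever
            raise WormViolation(f"{record_id}: already written")
        digest = hashlib.sha256(data).hexdigest()
        self._records[record_id] = (bytes(data), digest, now)

    def read(self, record_id):
        data, digest, _ = self._records[record_id]
        if hashlib.sha256(data).hexdigest() != digest:  # detect silent corruption
            raise WormViolation(f"{record_id}: stored hash mismatch")
        return data

    def delete(self, record_id, now=None):
        now = now or datetime.now(timezone.utc)
        if now < self._records[record_id][2] + self.retention:  # retention lock
            raise WormViolation(f"{record_id}: retention period not expired")
        del self._records[record_id]

def _raises(fn):  # True if the store blocked the operation with WormViolation
    try:
        fn()
    except WormViolation:
        return True
    return False

def demo():  # exercise the store with a constructed record; report each outcome
    store, t0 = WormStore(), datetime(2020, 6, 19, tzinfo=timezone.utc)
    page = b"<html>constructed sample page</html>"
    store.write("web-page-001", page, now=t0)
    return {
        "read_back": store.read("web-page-001") == page,
        "overwrite_blocked": _raises(lambda: store.write("web-page-001", b"x", now=t0)),
        "early_delete_blocked": _raises(lambda: store.delete("web-page-001", now=t0 + timedelta(days=365))),
        "delete_after_retention": not _raises(lambda: store.delete("web-page-001", now=t0 + SIX_YEARS)),
    }
```

A production archive would enforce the same rules in the storage layer itself (and on backups), since an in-process check can be bypassed by anyone with direct access to the underlying disk or bucket.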
What is WORM compliant archiving?
As we’ve mentioned, new technologies – such as cloud-based solutions – are minimising some of the physical frailties and risks older record systems faced. However, there are other ways to use technology to fulfil WORM compliance.
Website archiving is rapidly gaining attention as the solution of choice for many regulated firms for its ability to create complete records while also storing them in WORM data storage formats that fulfil FINRA record retention rules.
With crawl technology, archiving solutions instantly scour entire digital estates to create tamperproof and ISO-compliant archives. Unlike screenshots, the WORM archive created can be fully interacted with but most importantly without being compromised.
A golden age of compliance
The financial services industry has always been able to respond and innovate when needed, with the most successful businesses adapting to economic pressures to find new income streams.
Naturally, financial services have come to embrace technology as most sectors have. It’s now widely expected for a bank or investment firm to have a highly interactive website, furnished with as much information as possible, and to increasingly communicate via digital channels.
Covid-19, forcing entire communities into lockdown, has emphasised this and forced businesses to accelerate app development and embrace new mediums such as live streams.
But, technology is evolving at the back end of these businesses as well as at the front end. With a higher regulatory standard to satisfy – and more regulations under continual revision and potentially overlapping with one another – technology is being increasingly relied upon to drive more efficient compliance solutions.
Ensuring web channels remain compliant is essential, and today this is achieved through RegTech archiving solutions. With compliance departments stretched to the seams, firms need to be more accountable than ever for their growing digital estates.
The ability to scour entire websites and social feeds and create living, breathing WORM archives is allowing more firms to fully satisfy all the record-keeping regulations they face while at the same time creating lasting records of their digital legacies.