
How to achieve WORM compliance (and then stay compliant) | MirrorWeb

Marketing Team


To make the financial services industry a more responsible and accountable space, the focus on thorough record-keeping has never been more important. Reliable records created in WORM (write once, read many) format can allow a firm to meet the regulatory standard required and generally run a more accountable operation.

However, the standards are continually being raised by regulatory authorities. From FINRA record retention requirements to SEC rule 17a-3, it’s important that you and your entire team (whether this includes just compliance analysts or extends to digital archivists and operations managers) are up to speed on everything you need to know.

To help, we’ve created a full hub of all things WORM compliance which includes our complete guide to SEC rules 17a-3 and 17a-4 – updated for the Regulation Best Interest changes made in June 2020.

By the end of this blog, you’ll be fully updated on everything required under FINRA WORM compliance and be able to assess where your firm can be doing more to achieve the best standards in record keeping.



What is WORM compliance?

Essentially, WORM compliance means satisfying record-keeping rules that ensure retained records cannot be tampered with (or deleted) in any way. This creates an irrefutable and therefore reliable record of business, invaluable for regulatory and best-practice purposes.


What is WORM storage?


Standing for ‘write once, read many’, WORM storage describes a way of storing data so that it cannot be tampered with once created. To have WORM compliant storage, therefore, firms need a system that keeps these records unalterable, so they can neither be rewritten nor erased. At the same time, users must be able to easily access and read this data.

A good way to think about WORM data storage is that anything stored this way is effectively a snapshot of data frozen in time.

For firms that are serious about WORM compliance, an increasingly popular strategy is the use of cloud-based solutions. Rather than relying on physical records (such as hard drives or physical papers) that can easily be destroyed or interfered with, cloud-based WORM compliant storage is allowing firms to make their data more easily accessible while still protecting it.

A huge benefit of WORM data storage that uses cloud technology is it frees up physical space and means these firms can more easily scale up their storage (rather than having to buy another floor in a building, a business with more records to safeguard can simply purchase a greater share of a cloud).
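As an added illustration (not MirrorWeb's code, nor the implementation of any product mentioned on this page), the following Python model shows the two properties the section describes: a record can be written once and read many times, while attempts to overwrite or delete it are refused until its retention period has elapsed. It also stores a SHA-256 digest at write time so that later reads can detect a record that was altered underneath the store. The class names, the injectable clock and the 60-second retention used in the demonstration are constructed for the example; a real WORM system enforces these rules in the storage layer rather than in application code.

```python
import hashlib
import time
from dataclasses import dataclass


class WormViolation(Exception):
    """Raised on any attempt to overwrite, delete or tamper with a retained record."""


@dataclass(frozen=True)  # frozen: the in-memory record object itself cannot be mutated
class Record:
    payload: bytes
    sha256: str          # digest taken at write time; used to detect later tampering
    written_at: float
    retain_until: float  # epoch seconds; deletion is refused before this time


class WormStore:
    """Minimal write-once, read-many store with a retention period (example model)."""

    def __init__(self, retention_seconds, clock=time.time):
        self._retention = retention_seconds
        self._clock = clock          # injectable so the retention rule can be exercised offline
        self._records = {}

    def write(self, record_id, payload):
        """Write a record exactly once; a second write to the same id is a violation."""
        if record_id in self._records:
            raise WormViolation(f"record {record_id!r} already exists; WORM forbids overwrite")
        payload = bytes(payload)
        now = self._clock()
        rec = Record(payload, hashlib.sha256(payload).hexdigest(), now, now + self._retention)
        self._records[record_id] = rec
        return rec.sha256

    def read(self, record_id):
        """Read many times; verify the stored digest on every read."""
        rec = self._records[record_id]
        if hashlib.sha256(rec.payload).hexdigest() != rec.sha256:
            raise WormViolation(f"record {record_id!r} no longer matches its write-time digest")
        return rec.payload

    def delete(self, record_id):
        """Deletion is only permitted once the retention period has expired."""
        rec = self._records[record_id]
        if self._clock() < rec.retain_until:
            raise WormViolation(f"record {record_id!r} is under retention until {rec.retain_until}")
        del self._records[record_id]

    def ids(self):
        return sorted(self._records)


def demonstrate():
    """Exercise the store with a constructed clock and return the observed outcomes."""
    clock = [1_000.0]                                  # constructed fake time source
    store = WormStore(retention_seconds=60, clock=lambda: clock[0])
    results = {}

    results["digest"] = store.write("doc-1", b"hello")  # first write succeeds
    results["read"] = store.read("doc-1")                # reads are unrestricted

    try:
        store.write("doc-1", b"hello, edited")          # overwrite attempt
        results["overwrite_blocked"] = False
    except WormViolation:
        results["overwrite_blocked"] = True

    try:
        store.delete("doc-1")                            # delete during retention
        results["early_delete_blocked"] = False
    except WormViolation:
        results["early_delete_blocked"] = True

    clock[0] += 61                                       # advance past retention
    store.delete("doc-1")                                # now permitted
    results["remaining_after_expiry"] = store.ids()
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The point of the digest check in `read` is that immutability has to be verifiable, not merely asserted: a store that silently returns altered bytes is exactly the kind of "rewritable" record the regulators treat as non-compliant.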


Who does this apply to (and which job functions are responsible)?

Where records of data need to be captured and retained, you'll often encounter WORM as the required format to meet regulator requirements. The regulatory rules that demand this format of retention include:

  • FINRA / SEC: US financial services firms must meet rule 17a-4, meaning business communications such as websites and social media must be recorded and archived in WORM format. They must also be held in a destination that's immediately accessible and kept for up to 6 years.

  • FCA: UK financial services firms must capture electronic communications such as websites, financial promotions or voice calls and hold them in an immutable format. These must be retained for at least five years or where requested by the FCA for up to seven years.

  • MiFID II: Requiring financial services firms operating across the EU to hold accurate records of their business communications for up to seven years.

  • NARA: This requirement means agencies need to deploy an archiving solution that is able to capture immutable records.

  • GDPR: The requirements for GDPR record retention don't specifically demand WORM compliance, however, to ensure records are captured accurately and not changed, a format such as WORM is recommended to ensure best practice.

SEC WORM compliance applies to all persons engaged in trading securities as a broker/dealer and all persons associated with the business.

As a regulatory requirement, you may assume this is simply a matter for the compliance department. Wrong! WORM compliance impacts day-to-day operations, so for the firm as a whole to achieve compliance, all individuals should be aware of these requirements and of what they should do to help meet them.


What are the risks and penalties for non-compliance?

Maintaining complete and accurate records is required in order to operate in the securities industry. And, to make it clear how important it is that firms fulfil WORM compliance, the regulators have been increasingly willing to punish non-compliant firms.


For example, back in 2017 over $2m in fines were paid by HSBC, Allianz and Mass Mutual over failure to create records of millions of customer documents in non-erasable formats.

While these firms may have been thoroughly making records, they failed when it came to using WORM data storage solutions.

Remember, if the data can be rewritten or tampered with in any way then it is not WORM compliant storage.


How long must communications be preserved to comply with FINRA and SEC rules?

With WORM compliant storage, such records have to tick a lot of boxes in terms of the kinds of information covered and how they are stored. Time restraints are important too when it comes to FINRA record retention, and under FINRA Rule 4511(b) records made under the Securities Exchange Act – which we’ll come to later – have to be kept for a minimum of six years.


What is WORM compliant archiving?

As we’ve mentioned, new technologies – such as cloud-based solutions – are minimising some of the physical frailties and risks older record systems faced. However, there are other ways to use technology to fulfil WORM compliance.


Website archiving is rapidly gaining attention as the solution of choice for many regulated firms for its ability to create full and further records while also storing them in WORM data storage formats that fulfil FINRA record retention rules.

With crawl technology, archiving solutions instantly scour entire digital estates to create tamperproof and ISO-compliant archives. Unlike screenshots, the WORM archive created can be fully interacted with but most importantly without being compromised.

You can learn everything there is to know about website archiving in our guide right here.


How to comply with SEC rule 17a-3 and 17a-4

Under the Securities Exchange Act 1934, rules 17a-3 and 17a-4 are arguably the most rigorous and important regulations for US regulated firms when it comes to record-keeping. These rules champion WORM compliance and have really made broker/dealers pay greater attention to the data they record and how long these records are kept for.


However, the newly introduced Regulation Best Interest (or Reg BI) has introduced some changes to rules 17a-3 and 17a-4 that may potentially be overlooked. To help, we’ve created a newly-updated and fully comprehensive guide on 17a-3 and 17a-4 compliance.

A golden age of compliance

The financial services industry has always been able to respond and innovate when needed, with the most successful businesses adapting to economic pressures to find new income streams.

Naturally, financial services have come to embrace technology as most sectors have. It’s now widely expected for a bank or investment firm to have a highly interactive website, furnished with as much information as possible, and to increasingly communicate via digital channels.

Covid-19, forcing entire communities into lockdown, has emphasised this and forced businesses to accelerate app development and embrace new mediums such as live streams.

But technology is evolving at the back end of these businesses as well as at the front end. With a higher regulatory standard to satisfy – and more regulations under continual revision and potentially overlapping with one another – technology is being increasingly relied upon to drive more efficient compliance solutions.


Ensuring web channels remain compliant is essential, and today this is achieved through RegTech archiving solutions. With compliance departments stretched to their limits, firms need to be more accountable than ever over their growing digital estates.

The ability to scour entire websites and social feeds and create living, breathing WORM archives is allowing more firms to fully satisfy all the record-keeping regulations they face while at the same time creating lasting records of their digital legacies.

MirrorWeb is a leading web monitoring and archiving solution used across the financial services industry on both sides of the Atlantic. We help firms of all sizes create legally admissible, ISO-compliant archives that also satisfy WORM compliance concerns. If you’re new to this field, and want to learn more about archiving and how it can help your business, download The Essential Guide to Website Archiving for free by following the link below. 
