Complying with SEC Regulations
December 17, 2021
The Securities and Exchange Commission (SEC) is a federal regulatory body that oversees the financial services industry within the United States, and the agency lays out many regulations that companies in the industry must follow.
Some of the more prominent SEC regulations pertain to business communications and record keeping. In particular, rules 17a-3 and 17a-4 dictate that broker-dealers must archive all business communications for several years. The SEC has businesses create these archives to codify a record of communication. In the event of wrongdoing, the agency can comb through past communications to identify the individuals responsible for crimes that were committed.
Located within the Securities Exchange Act (SEA), Rule 17a-3 lays out the type of information that companies in the financial services industry must preserve for a set period of time. In the past, this information took the form of paper documents like blotters and memoranda. These days, information that must be archived is more likely to take the form of digital communications, including every version of a company's official website, emails, text messages, and social media posts.
Rule 17a-4 says records of business communications should be preserved for at least three to six years, based on the type of record. The rule also lays out how archived communications must be maintained. Records ought to be easily accessed and time-stamped. They must also be stored in a way that prevents editing or erasure. The rule states that duplicate records should be kept in separate locations.
SEC rules are meant to protect customers, and the agency is very strict about enforcing them. SEC investigators often audit a company to ensure they are in compliance. Any company that does not comply with SEC regulations runs the risk of making headlines for the wrong reasons.
Backups and Screenshots Aren't Compliance Solutions
Those unfamiliar with SEC regulatory compliance may think that a simple backup application or backup feature on a software platform should be sufficient to remain in compliance. However, SEC rules lay out very strict guidelines for preserving records, and most backup solutions do not meet these rigid criteria.
Backups are usually not stored in a way that prevents erasure or editing. Because they exist for reference or to restore lost data, they are readily accessible, easy to edit, and easy to delete. Furthermore, a backup program will often delete old backups when a new one is created.
Backup systems also don't usually include the metadata necessary to prove authenticity. If a record cannot be proved authentic, it does not comply with SEC regulations and cannot be used in a court of law. A company wrongly accused will have a hard time proving innocence based on backup records.
Needless to say, taking screenshots of web pages or emails isn't sufficient either. Screenshots only capture an image and leave out all of the dynamic content, like videos and hyperlinks. Screenshots can be easily edited and erased. They also don't include the metadata necessary to prove authenticity.
Archiving to Maintain SEC Regulatory Compliance
The best way to comply with SEC regulations pertaining to recordkeeping rules is to use an archiving solution that is fit for purpose.
According to Rule 17a-4, records can be stored electronically as long as the storage system meets particular requirements: the records must be kept in a non-erasable, non-rewritable format. The standard way of doing this is to use a format known as "write once, read many" (WORM). Such storage prevents records from being altered or deleted after they are written, and it is a legally accepted way to authenticate past actions.
An archiving system should also create a hash value for each record: a fixed-length digital fingerprint computed from the record's contents. Once the hash value has been computed with a cryptographic hash algorithm, any manipulation of the record, however small, changes the value. Hence, if the recomputed hash no longer matches the stored one, the record has been modified and the company is no longer in compliance.
People often use email, text messages, or platforms like Microsoft Teams for innocuous conversations, and the SEC isn't interested in preserving records of employee banter. However, companies looking to comply with SEC regulations should archive as much as possible. Companies should also consider archiving any business content linked to from their official web pages or emails.
An archiving solution should include the creation of multiple archives, with each one in a different location. A popular best practice is to create three copies that are kept in two different locations, guarding against data loss due to natural disaster or cyberattack.
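As an added illustration (not MirrorWeb's code and not part of the original article), the following Python sketch shows the two controls described above: a per-record SHA-256 fingerprint stored at archive time, a verification step that detects any later edit, and a reconciliation check across the duplicate copies kept in separate locations. The record content, identifiers and timestamp are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample record for illustration: a hypothetical archived e-mail, not a real message.
SAMPLE_RECORD = (
    b"From: trader@example.com\r\n"
    b"Date: Fri, 17 Dec 2021 09:15:00 +0000\r\n"
    b"Subject: Order confirmation\r\n\r\n"
    b"Confirming purchase of 100 shares of XYZ at market.\r\n"
)


def archive_record(record_id, content, archived_at=None):
    """Build one archive entry: the record bytes, their SHA-256 fingerprint and a capture timestamp.
    In a WORM store this entry is written once and never rewritten."""
    if archived_at is None:
        archived_at = datetime.now(timezone.utc).isoformat()
    return {
        "id": record_id,
        "archived_at": archived_at,
        "sha256": hashlib.sha256(content).hexdigest(),
        "content": content,
    }


def verify_record(entry):
    """Recompute the digest of the stored bytes; any edit to the content changes it."""
    recomputed = hashlib.sha256(entry["content"]).hexdigest()
    return hmac.compare_digest(recomputed, entry["sha256"])


def reconcile_copies(copies):
    """Given {record_id: [copy_from_site_a, copy_from_site_b, ...]}, return the ids
    whose copies fail verification or whose stored fingerprints disagree."""
    flagged = []
    for record_id, entries in copies.items():
        digests = {e["sha256"] for e in entries}
        if len(digests) != 1 or not all(verify_record(e) for e in entries):
            flagged.append(record_id)
    return flagged


if __name__ == "__main__":
    primary = archive_record("rec-001", SAMPLE_RECORD)
    replica = dict(primary)  # second copy held at another location
    # Simulate an edit to the replica's content; its stored fingerprint no longer matches.
    replica["content"] = primary["content"].replace(b"100 shares", b"1000 shares")
    print("primary intact:", verify_record(primary))  # True
    print("replica intact:", verify_record(replica))  # False
    print("records needing attention:", reconcile_copies({"rec-001": [primary, replica]}))  # ['rec-001']
```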
How MirrorWeb Can Help with SEC Regulatory Compliance
Having a deep understanding of regulations from the SEC, FINRA, and various European regulatory bodies, MirrorWeb is a top provider of compliance solutions. In addition to helping your company comply with SEC regulations, our solutions and services can also provide insights and additional protections.
If you would like to learn more about how MirrorWeb can help, please visit our homepage today to schedule a consultation.