SEC and FINRA Email Archiving Policy

Sean Stapleton

The Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) are two regulatory bodies that oversee the financial services industry, and these organizations have strict rules regarding record keeping.

One of the most prominent SEC guidelines is Rule 17a-4. It says that companies in the financial services industry must keep an archive of their electronic communications, including email. Archived emails must be immediately accessible for two years and kept in less-accessible storage for at least six years.

Because of this rule, financial companies must have a system for storing every email sent for at least six years. If a company cannot comply with this rule, it could face significant penalties, and those responsible for compliance could even face jail time.

The biggest investment banks in the world are not exempt, and the SEC has previously fined companies like Goldman Sachs and Bank of America for violating Rule 17a-4. In 2017, the SEC fined 12 companies for a combined $14.4 million, stating that these companies were fined due to their failure to keep hundreds of millions of documents in an archival format called Write Once Read Many (WORM).

As a part of the federal government, the SEC is focused on protecting individual investors. Unlike the SEC, FINRA is an independent not-for-profit organization that has been authorized by Congress to create and enforce regulations for financial services companies. Under the oversight of the SEC, FINRA is focused on providing a level playing field in the financial industry. The organization enforces financial regulations and administers corrective action to organizations found guilty of violations.

FINRA is also tasked with educating investors and resolving securities issues. Rules issued by FINRA cover a broad range of ethical and behavioral issues, including the use of deceptive or fraudulent tactics. FINRA rules also cover best practices for disclosures, communications, corporate responsibility, reporting, and other issues related to financial services.

Rules Related to SEC and FINRA Email Archiving

The original Securities Exchange Act of 1934 gave the SEC authority to make record-keeping rules for companies that provide financial services. Rule 17a-4 was enacted in 1993 and amended to include electronic records in 1997. This amendment meant that companies could use digital methods to store records if the methods used did not modify or erase records during the mandatory archiving period.

Under FINRA rule 4511, companies must preserve electronic records in a format that complies with SEC rule 17a-4. Copies of records can be kept in a separate, offsite facility. If a retention period for a type of file isn’t explicitly stated under Rule 17a-4, this FINRA rule states that records should be saved for six years.

Under FINRA rule 4513, financial companies must keep records of customer complaints for at least four years.

WORM Format

Write once read many (WORM) is an archival format designed to record a single instance of a record that cannot be erased or altered after the record has been created. In the past, financial services companies stored information in WORM format on physical storage devices like CD ROMs and floppy disks. Today, cloud storage systems have become the industry standard for email archiving and compliance with federal regulations.

D3P Compliance

An effective SEC and FINRA email archiving system can also help companies to comply with another SEC rule called the Designated Third Party (D3P) Rule. This rule requires companies that provide financial services to have a relationship with an independent third party that has permission to access the company's records and assist regulators in the case of a legal request or audit, when the company is unwilling or unable to provide the requested documents.

Most companies take a proactive approach to D3P compliance. To remain compliant, companies must present a Letter of Undertaking to FINRA, as well as any documentation related to the D3P rule. This documentation should outline the designated third party that can access the company's email archiving system.

Essentials for SEC and FINRA Compliance

Compliance with email record-keeping rules is a bit more involved than simply setting up an archiving system. To remain compliant, an SEC and FINRA email archiving system should provide comprehensive indexing, around-the-clock archive monitoring, customizable permissions and retention policies, a legal hold feature, an expunge feature, and advanced search capabilities.

Archived emails must be properly indexed to ensure future retrieval is possible. An archiving system should also store emails in formats that comply with SEC and FINRA rules.

An archival system should also allow for around-the-clock monitoring. Cyber attacks are common these days and no archive is completely impervious to cyberthreats. Around-the-clock monitoring can prevent a minor breach from becoming a catastrophe.

An email archiving system should also provide customizable retention functions to meet various regulations on the lengths of time different files must be stored. Functions should be customized to meet all of the relevant rules, as well as delete unnecessary files after the retention period has passed. Deleting old records clears up space, increases efficiency, and reduces liability.

In the event of ongoing legal disputes and other situations, a company may want to keep emails for longer than the mandatory time frame. An archiving system should be able to accommodate this need by placing a legal hold on specified emails for many years.

For obvious reasons, an archiving system should also have an expunge function that is customizable. This function allows a company to automatically remove any emails that no longer need to be kept to remain compliant. An archiving system should also have advanced search capability. Audits and legal discovery can be long and drawn out as it is. Poor searchability not only drags out this process but could also place a company in legal jeopardy.
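The retention, legal hold and expunge requirements described in the preceding paragraphs interact: a record may only be expunged once its retention period has passed and no legal hold applies, and the WORM store itself must refuse any overwrite. The following is an added example, not code from the original post and not MirrorWeb's product, showing one way to encode those rules. The archive class, record type and method names are hypothetical; the periods come from the post (six years for email under Rule 17a-4 and FINRA 4511, four years for customer complaints under FINRA 4513, and two years of immediate accessibility), and the sample records and dates are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class Tier(Enum):
    IMMEDIATE = "immediately accessible"     # first two years under Rule 17a-4
    LESS_ACCESSIBLE = "less accessible"      # remainder of the retention period
    EXPIRED = "retention period has passed"  # eligible for expunge (absent a hold)


# Retention periods in years, as stated in the post. Anything not listed falls
# back to the six-year default that FINRA Rule 4511 applies when 17a-4 is silent.
RETENTION_YEARS = {"email": 6, "customer_complaint": 4}
DEFAULT_RETENTION_YEARS = 6
IMMEDIATE_ACCESS_YEARS = 2


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb clamps to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str        # "email" or "customer_complaint" (hypothetical labels)
    created: date
    body: bytes


class WormArchive:
    """In-memory stand-in for a WORM store (hypothetical; not any vendor's API)."""

    def __init__(self) -> None:
        self._records: dict[str, Record] = {}
        self._holds: set[str] = set()

    def write(self, record: Record) -> None:
        # Write once: a second write under the same id is refused, never overwritten.
        if record.record_id in self._records:
            raise PermissionError(f"WORM violation: {record.record_id} already archived")
        self._records[record.record_id] = record

    def read(self, record_id: str) -> Record:
        return self._records[record_id]

    def place_legal_hold(self, record_id: str) -> None:
        if record_id not in self._records:
            raise KeyError(record_id)
        self._holds.add(record_id)

    def release_legal_hold(self, record_id: str) -> None:
        self._holds.discard(record_id)

    def retention_end(self, record_id: str) -> date:
        rec = self._records[record_id]
        years = RETENTION_YEARS.get(rec.kind, DEFAULT_RETENTION_YEARS)
        return add_years(rec.created, years)

    def tier(self, record_id: str, today: date) -> Tier:
        """Which storage tier the record should be in on a given day."""
        rec = self._records[record_id]
        if today >= self.retention_end(record_id):
            return Tier.EXPIRED
        if today < add_years(rec.created, IMMEDIATE_ACCESS_YEARS):
            return Tier.IMMEDIATE
        return Tier.LESS_ACCESSIBLE

    def expunge(self, record_id: str, today: date) -> bool:
        """Delete only when retention has elapsed AND no legal hold is in place."""
        if record_id in self._holds:
            return False
        if today < self.retention_end(record_id):
            return False
        del self._records[record_id]
        return True

    def sweep(self, today: date) -> list[str]:
        """Scheduled expunge run over the whole archive; returns the ids removed."""
        return [rid for rid in list(self._records) if self.expunge(rid, today)]


if __name__ == "__main__":
    # Constructed sample data, not real records.
    archive = WormArchive()
    archive.write(Record("m1", "email", date(2018, 3, 1), b"constructed email body"))
    archive.write(Record("c1", "customer_complaint", date(2021, 6, 15), b"constructed complaint"))
    archive.place_legal_hold("m1")
    print("held, so not expunged:", archive.expunge("m1", date(2030, 1, 1)))
    archive.release_legal_hold("m1")
    print("swept on 2024-03-01:", archive.sweep(date(2024, 3, 1)))
```

The legal hold is checked before the retention date so that a hold always wins, and the sweep is just the per-record rule applied across the store, which keeps the scheduled job and the manual expunge path from diverging. A real deployment would put the hold set and the records in the same immutable backend so that a hold cannot be silently dropped.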

Finally, an archiving system should be able to capture emails from a variety of programs and formats. Industry standards are changing all the time and a system that is capable of capturing a variety of file types is well-positioned for future trends and evolving technology.

MirrorWeb Can Help

At MirrorWeb, we understand that compliance can be complex and arduous. Our email archiving solutions are designed to help our clients remain compliant. If you would like to know how our solutions can help your company, please contact us today.
