Back to Blog

SEC and FINRA Email Archiving Policy

Sean Stapleton

The Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) are two regulatory bodies that oversee the financial services industry, and these organizations have strict rules regarding record keeping.

One of the most prominent SEC guidelines is Rule 17a-4. It says that companies in the financial services industry must keep an archive of their electronic communications, including email. Archived emails must be immediately accessible for two years and kept in less-accessible storage for at least six years.

Because of this rule, financial companies must have a system for storing every email sent for at least six years. If a company cannot comply with this rule, it could face significant penalties, and those responsible for compliance could even face jail time.

The biggest investment banks in the world are not exempt,and the SEC has previously fined companies like Goldman Sachs and Bank of America for violating Rule 17a-4. In 2017, the SEC fined 12 companies for a combined $14.4 million, stating that these companies were fined due to their failure to keep hundreds of millions of documents in an archival format, called Write Once Read Many (WORM).

As a part of the federal government, the SEC Is focused on protecting individual investors. Unlike the SEC, FINRA is an independent not-for-profit organization that has been authorized by Congress to create and enforce regulations for financial services companies. Under the oversight of the SEC, FINRA is focused on providing a level playing field in the financial industry. The organization enforces financial regulations and administers corrective action to organizations found guilty of violations.

FINRA is also tasked with educating investors and resolving securities’ issues. Rules issued by FINRA cover a broad range of ethical and behavioral issues, including the use of deceptive or fraudulent tactics. FINRA rules also cover best practices for disclosures, communications, corporate responsibility, reporting, and other issues related to financial services.

Rules Related to SEC and FINRA Email Archiving

The original Securities Exchange Act of 1934 gave the SEC authority to make record-keeping rules for companies that provide financial services. Rule 17a-4 was enacted in 1993 and amended to include electronic records in 1997. This amendment meant that companies could use digital methods to store records if the methods used did not modify or erase records during the mandatory archiving period.

Under FINRA rule 4511, companies must preserve electronic records in a format that complies with SEC rule 17a-4. Copies of records can be kept in a separate, offsite facility. If a retention period for a type of file isn’t explicitly stated under Rule 17a-4, this FINRA rule states that records should be saved for six years.

Under FINRA rule 4513, financial companies must keep records of customer complaints for at least four years.

WORM Format

Write once read many (WORM) is an archival format designed to record a single instance of a record that cannot be erased or altered after the record has been created. In the past, financial services companies stored information in WORM format on physical storage devices like CD ROMs and floppy disks. Today, cloud storage systems have become the industry standard for email archiving and compliance with federal regulations.

D3P Compliance

An effective SEC and FINRA email archiving system can also help companies to comply with another SEC rule called the Designed Third Party (D3P) Rule. This rule requires companies that provide financial services to have a relationship with an independent third party that has permission to access the company's records and assist regulators in the case of illegal request or audit, when the company is unwilling or unable to provide the requested documents.

Most companies take a proactive approach to D3P compliance. To remain compliant, companies must present a Letter of Undertaking to FINRA, as well as any documentation related to the D3P rule. This documentation should outline the designated third party that can access the company's email archiving system.

Essentials for SEC and FINRA Compliance

Compliance with email record-keeping rules is a bit more involved than simply setting up an archiving system. To remain compliant, an SEC and FINRA email archiving system should provide comprehensive indexing, around-the-clock archive monitoring, customizable permissions and retention policies, a legal hold feature, an expunge feature, and advanced search capabilities.

Archived emails must be properly indexed to ensure future retrieval is possible. An archiving system should also store emails in formats that comply with SEC and FINRA rules.

An archival system should also allow for on-demand monitoring. Cyber attacks are common these days and no archive is completely impervious to cyberthreats. Around-the-clock monitoring can prevent a minor breach from becoming a catastrophe.

An email archiving system should also provide customizable retention functions to meet various regulations on the lengths of time different files must be stored. Functions should be customized to meet all of the relevant rules, as well as delete unnecessary files after the retention period has passed. Deleting old records clears up space, increases efficiency, and reduces liability.

In the event of ongoing legal disputes and other situations, a company may want to keep emails for longer than the mandatory time frame. An archiving system should be able to accommodate this need by placing a legal hold on specified emails for many years.

For obvious reasons, an archiving system should also have an expunged function that is customizable. This function allows a company to automatically remove any emails that no longer need to be kept to remain compliant. An archiving system should also have advanced search capability. Audits and legal discovery can be long and drawn out as it is. Poor searchability not only drags out this process but could also place a company in legal jeopardy.

Finally, an archiving system should be able to capture emails from a variety of programs and formats. Industry standards are changing all the time and a system that is capable of capturing a variety of file types is well-positioned for future trends and evolving technology.

MirrorWeb Can Help

At MirrorWeb, we understand that complaints can be complex and arduous. Our email archiving solutions are designed to help our clients remain compliant. If you would like to know how our solutions can help your company, please contact us today.

More from the Blog

Connector Spotlight: Vimeo

We're now able to capture Vimeo content through MirrorWeb Insight. Read on for more details!

Read Story

UPDATE - How the SEC Keeps Raising the Stakes on Mobile Messaging

Following August 2024's wave of enforcement, an updated overview of the SEC's three year probe into off-channel communications.

Read Story

The Generative Generation - AI, Chatbots and Financial Compliance

AI tools have undoubtedly transformed modern working practice across most industries. What does this mean for financial regulators?

Read Story

See what we can do for you.

Let us show you why MirrorWeb is trusted by organizations across the globe for their compliance and digital preservation needs.