Are you subject to regulation by the Financial Industry Regulatory Authority (FINRA)? If so, you'd better be sure your record keeping is bullet-proof. But even if you and your associates go out of your way to follow the rules and always do right by the customer, FINRA Rule 2010 means you can never be too certain. When a regulation is vaguely defined, regulatory action or lawsuits are likely a loose interpretation away.

## What Makes FINRA 2010 a "Catch-All" Regulation?

FINRA 2010 is a rather broad piece of regulatory script --- a "[short rule with a long reach](https://www.thinkadvisor.com/2018/08/31/finra-rule-2010-a-short-rule-with-a-long-reach/)" if you will. The rule itself requires that FINRA-registered actors "shall observe high standards of commercial honor" along with "just and equitable principles of trade." But what this means is never specifically defined, and so is open to interpretation.

A [major law firm](https://www.finraarbitrationattorney.com/finra-rule-2010-the-catch-all-provision-for-broker-misconduct/) writes that "FINRA Rule 2010 is a broad, sweeping rule that is utilized to address misconduct that is not directly addressed by another FINRA rule." But the firm goes a step further describing FINRA Rule 2010 as "the catch-all provision for broker misconduct."

Because the rule is so broad, firms should take care to document their interactions with clients and prospects. You must always be in a position to prove that you not only followed the explicit rules but also actively demonstrated "high standards, just and equitable principles."

## Whose Documents can be Subpoenaed by FINRA?

Now that we have a better understanding of FINRA Rule 2010, let's move to FINRA Rule 8210. Here, the regulatory authority can compel "a member, person associated with a member, or any other person subject to FINRA's jurisdiction" to produce, upon demand within discovery and related proceedings, testimony (under oath) and documents --- the keyword here being documents. So if you become embroiled in a FINRA 2010 controversy, you need to be prepared for both physical and digital discovery.

But discovery is not limited to you alone. Digging still deeper in the regulatory language, FINRA Rule 1011 goes on to define "associated" --- in other words, who else might need to join you in responding to discovery requirements. Again FINRA casts a wide net, in that becoming the associate of [a person of FINRA interest](https://www.finra.org/rules-guidance/rulebooks/nasdr-rules/1011) is very easy. All one needs to do is work at the same firm and be licensed under FINRA. This might be a partner in the firm, an officer, a director, or a branch manager. When all is said and done, just about the only people at your firm who are exempt from the need to present documents in a FINRA action --- physical or digital --- are those who are solely clerical.

## What about FINRA 2210?

FINRA 2010 is the catch-all regulation, but there are plenty of additional FINRA rules with which broker-dealers and similar firms must contend. Another broad set of compliance challenges stems from FINRA Rule 2210: [Communications with the Public](https://www.finra.org/rules-guidance/rulebooks/retired-rules/2210). Here, principals and their associates are liable for, among other things, the content of any "advertisement, sales literature, correspondence, public appearance", or an "independently prepared report".

One of the most important takeaways from FINRA 2010, FINRA 2210, FINRA 1011, FINRA 8210, and similar regulations is that if you are subject to any of these rules, you are also subject to FINRA 17a-4. This is an overriding regulation defining the standards for digital record keeping under anything FINRA-related --- and it is rigorous.

## What are the E-Discovery Rules for FINRA 17a-4?

FINRA 17a-4 requires that the digital actions of all principals and their associates --- practically speaking the entirety of your firm --- must be preserved for a period of six years. This includes everything mentioned in FINRA 2210. Recognize, though, broad definitions such as "communications" can also extend to external social media (e.g. LinkedIn, Facebook), internal communications (e.g. Yammer, Slack), internal productivity tools (e.g. Monday.com, Wrike), and, of course, the company website.

Moreover, FINRA 17a-4 stipulates that this digital footprint be stored in a non-rewritable, non-erasable, immutable format. Often referred to as a "write once, read many" (WORM) format, this prevents tampering and provides regulators access to metadata, yielding clear provenance for any data. An additional stipulation is that there must be multiple backup locations --- "the dog ate my homework" will be disallowed.

Be aware that the ambiguity of the rule's language could lead to FINRA 2010 plaintiffs viewing your conduct differently to how you do yourself. The safest route to avoiding fines, censure, decertification, and reputational damage is therefore to make certain you can produce any and all digital documents when demanded within e-discovery.

## How Can I Attain and Maintain Compliance?

Companies can attempt to capture, back up, and preserve their digital data on their own. But what about storage and delivery --- are you equipped with the latest technologies for indexing, search, and retrieval?

At [MirrorWeb](https://www.mirrorweb.com/), data preservation, e-discovery, FINRA compliance, and related essential digital due diligence are our primary focus. Our multiple web crawlers dutifully and relentlessly pore across your enterprise, its communications, email threads, websites, and social media postings to capture each and every digital entry.

We preserve your data backing up on redundant sites using WORM compliance. The data is yours whenever needed. Should a FINRA query arise, you can search and respond quickly, thoroughly, and precisely.

Of course, FINRA is not the only agency that may present you with demands for e-discovery. Recognize you and your firm could also be exposed to a wide range of regulatory bodies or even civil proceedings. It is for these reasons we would welcome the opportunity to discuss your needs and exposures and the services and peace of mind we have to offer.

In 2018, the European Securities and Markets Authority (ESMA) issued a sweeping update to its previously enacted Markets In Financial Instruments Directive (Mifid). With the introduction of Mifid II, ESMA enacts what [The Wall Street Journal](https://www.wsj.com/articles/what-you-need-to-know-about-europes-big-new-mifid-rules-1514904233?mod=article_inline) refers to as a "massive set of finance regulations --- a regulatory overhaul that reaches into just about every corner of how securities are traded in Europe."

Mifid II's vast reach extends to any and all trading in fixed income securities, equities, futures, exchange-traded goods, and retail derivatives. This, in turn, means all funds, fund managers, banks, trading exchanges, pension funds, brokers, and investors --- essentially anyone whose business involves the aforementioned securities --- must now maintain Mifid II compliance.

The central, stated goal of the Mifid II regulations is to ensure markets are more transparently competitive leading to fair treatment for investors. Key actions are intended to:

-   **Strengthen audit and risk management.** Mifid II requires batteries of additional reporting and record-keeping relating to trading including recordings of all conversations and correspondence.

-   **Reduce conflicts of interest.** This is accomplished in several ways, most notably by requiring banks to charge explicit fees for their research rather than bundling trades and research. They must also share data with the entire marketplace within 15 minutes of being made available to others. There are also changes to commission structures and related compensation.

-   **Regulate new product development.** Mifid II looks closely at new products --- how they function and how they are marketed. Banks, asset managers, and others are now required to report on key aspects of new products even before they can be launched.

-   **Limit high-frequency trading.** Any auto-trading algorithms must undergo testing and approval for registration plus be equipped with emergency shutdown circuit breakers.

-   **Limit "dark pools."** Dark pools are a means of masking the trading of large blocks of securities so as to protect prices until a large sale can conclude. Mifid II introduces an annual limit to the degree firms can participate in such markets --- no more than 8% of trading volume per year.

## What Is The Cost of Failing To Comply?

That's just a thumbnail sketch of what in practice becomes an expensive proposition. Start with the cost of compliance. Industry watchers such as [IHS Markit](https://cdn.ihs.com/www/pdf/counting-the-cost-of-mifid-ii.pdf), a relative of the Boston Consulting Group, says that for the EU's top 40 global investment banks and 400 top asset managers, new processes and technology to enable Mifid II would run over $2 billion in 2017 alone.

Failure to comply leads to fines as well as sanctions such as being prevented from participating in a given security or marketplace. Detailed in ESMA's [sanctions and measures](https://www.esma.europa.eu/sites/default/files/library/esma35-43-2751_report_mifid_ii_sanctions_2020.pdf) report for 2020 national competent authorities (NCA) --- regulators in individual EU nations --- imposed a total of 613 sanctions and measures in 23 of 30 participating jurisdictions. The price paid by the financial services industry as a whole: €8,400,430. Note that this is up sharply from 2019 --- €1,839,000 --- signaling a climate of rising enforcement.

But in addition, by establishing and maintaining Mifid II compliance, financial services companies are protecting their reputations. Reputational damage is generally more costly in terms of lost clients, prospects, and sales than actual fines. In fact, analysts from the [Center for Economic Policy Research](https://voxeu.org/article/financial-market-wrongdoing-fines-vs-reputational-sanctions) say losses in share valuation associated with sanctions "are on average nine times larger than the financial penalties imposed by the regulators"

## What Are The Record-Keeping Requirements?

Mifid II outlines a handful of articles that delineate expectations for data oversight and collections --- let's call these requirements. Commenting on the whole of such rules, [PWC](https://www.ksfglobalservices.com/wp-content/themes/ksf/pdfs/MIFID2-Are-you-ready-for-the-new-era-in-record-keeping-PwC-KSF-Consultation-Paper.pdf) says that Mifid II "requires content to be readily available for inquiry and content reconstruction" and that management must establish "effective oversight and control of policies".

Mifid II provides rules for three principal categories of data:

-   Orders and transactions

-   Telephone and electronic communications plus written notes or recordings of in-person meetings

-   General records on clients, orders, and transactions

The objective is that all information relating to any transaction can be reconstructed to show how the interaction began, evolved, and completed.

All such data must be held for a minimum of five years, although the expectation is that information relative to large transactions and customers should be stored significantly longer. Moreover, such procedures and policies need to be monitored with periodic quality audits.

## What Can We Do To Help?

At [MirrorWeb](https://www.mirrorweb.com/) we have the technologies and the experience to help your firm achieve and maintain systematic and ongoing Mifid II compliance. For example, Mifid II requires that your data is:

-   Stored in WORM-compliant media, meaning it's unalterable

-   Stored in a durable manner, meaning that it's not vulnerable

-   Backed up, meaning that it's stored in multiple locations

-   Readily accessible, meaning that requested data must be available on demand

Our web crawlers will comb your emails, websites and other initial sources in an ongoing manner making certain to capture everything required by Mifid II with complete [fidelity](https://www.mirrorweb.com/#how). The data is stored with WORM compliance, backed up at multiple sites. We manage the data, but it remains your asset and can be accessed and searched at any moment. So when the regulators pose a query, you can respond immediately and precisely with confidence.

When you're ready to discuss Mifid II --- we'll be here.

The Securities and Exchange Commission (SEC) holds broker-dealers to high standards. Its authority runs the gamut from policing the inappropriate leakage of non-public material information, to monitoring the messaging within sales and marketing communications to investors and prospects.

A key tool for the agency is the after-the-fact audit -- and to facilitate its audits the agency places strict requirements on broker/dealers for the preservation of records. To achieve compliance, firms must understand rules 17 CFR § 240.17a-3 and 17 CFR § 240.17a-4.

## What are 17 CFR § 240.17a-3 and 17 CFR § 240.17a-4?

Broadly speaking, these are two interrelated rules that together spell out the detailed and rigorous record-keeping requirements that must be adhered to by any broker/dealer, or any other entity playing a role in any securities market.

To better understand the meaning behind such complex nomenclature, recall that the Securities Exchange Act (SEA) was passed by the US Congress in 1933, creating the Securities Exchange Commission (SEC). The SEA's goal remains to promote ethical behavior in the country's fast-evolving and continuously growing primary and secondary security markets, via the implementation of regulations.

The SEA's Section 17, "Preservation of Records and Reports of Certain Stabilizing Activities", contains rules intended to prohibit fraud and misrepresentations in the offer or sale of securities. The acronym CFR shows that the regulation falls within the US [Code of Federal Regulations](https://www.govinfo.gov/help/cfr). The reference to Part 240 stipulates books and records requirements within Section 17.

Adding "a-3" and "a-4" completes the full nomenclature: CFR § 240.17a-3 and CFR § 240.17a-4. These rules are essentially updates to the core Section 17, adjusting the rules to equate with fast-evolving digital communications and media.

## To Whom do the Rules Apply?

Section 17 itself applies to essentially the entire securities industry including not only broker-dealers but also the exchanges themselves. Updates CFR § 240.17a-3 and CFR § 240.17a-4 apply emphatically to brokers and dealers of all manner of secondary securities. This includes not only basic securities such as stocks and bonds but also expands to cover security-based swaps as well as OTC derivatives. A dive into [Section 17](https://www.law.cornell.edu/cfr/text/17/part-240#subjgrp108) itself can provide detailed insight but in general, if a firm is involved with the sale or promotion of investments, more than likely A-3 and A-4 apply.

## What is the Difference Between CFR § 240.17a-3 and CFR § 240.17a-4?

The rules are detailed -- which is by no means remarkable for regulatory compliance. But in their essence, the two sets of updates are intimately related in that they both apply to digital record-keeping. Note that in 1933, when the SEA was enacted, digital records were not in existence.

Still, the two updates each introduce a slightly different focus. [CFR § 240.17a-3](https://www.ecfr.gov/current/title-17/chapter-II/part-240/subject-group-ECFR17722751b422db3/section-240.17a-3) goes into detail about the sorts of records that must be kept. These include all records of original entry relating to the purchase and sale of securities, sometimes referred to as books or blotters. The list goes on to include all manner of ledgers or similar records of items such as assets and liabilities, securities in transfer, dividends, interest, securities lending activities -- and much, much more. Generally speaking, if any record relating to the business exists, digital or otherwise, it must be preserved according to Section 17.

[CFR § 240.17a-4](https://www.ecfr.gov/current/title-17/chapter-II/part-240/subject-group-ECFR17722751b422db3/section-240.17a-4) goes into greater detail about how records -- digital and physical -- must be preserved. Again, the update is highly detailed, requiring for example;  originals of interoffice memoranda, sales scripts, and notes taken during or recordings of phone calls.

Failure to comply with any aspect of Section 17, along with each of its updates, can result in significant fines, often accompanied by regulatory actions such as being prohibited from participation in certain markets or activities. So it is incumbent on a business to examine the rules carefully.

## How Long Must the Records be Archived?

In a nutshell, all entities covered by Section 17 must be able to immediately produce any records pertaining to business conducted within the current two years, under any circumstance. The [rules](https://www.federalregister.gov/documents/2021/06/11/2021-11572/recordkeeping-and-reporting-requirements-for-security-based-swap-dealers-major-security-based-swap) emphatically state that such records "shall be maintained at the office to which they relate."

Regulators are of course aware that the ability to provide instant access may not be a reasonable standard. The statute reads "produce the records promptly at the request of a regulatory authority." But they will not tolerate delays spanning days, let alone longer periods. In short -- businesses need to be ready to move and to comply when requested, or risk regulatory ire or action.

Beyond two years of on-premise records access, the rules demand that parties including in Section 17 maintain records for a full six years. Though the expectation is that these records may take longer to retrieve, in practice, regulators are thinking in terms of days, in some cases a week or two, but definitely not a month or longer. If a regulator feels responses fall short in terms of quality or timing, they are empowered to escalate their actions under CFR § 240.17a-11.

## In What Form Must the Records be Archived?

Regulators need assurance at all times, that records are complete and accurate. Consequently, they introduce rigorous standards for archiving.

Here, the SEC offers its official interpretation: "[Electronic Storage of Broker-Dealer Records](https://www.sec.gov/rules/interp/34-47806.htm)." Key requirements are that:

-   Such records must exist in a non-rewritable and non-erasable format

-   All records must be immutably time- and date-stamped

-   Data must be backed up at multiple locations

-   Records, including digital provenance, must be searchable and readily retrievable

## Why Use an External Provider?

Getting it done starts with an up-to-date understanding of the regulations: [what needs to be stored and in what condition](https://www.mirrorweb.com/blog/a-complete-summary-of-sec-17a3-and-17a4)? Because compliance is MirrorWeb's core focus, they can devote more resources to staying aware of the rules.

Then in addition, as a specialist, MirrorWeb continuously invests in state-of-the-art technologies. The firm currently deploys two archival webcrawlers. The first is Heritrix, a tried-and-true open-source tool in widespread usage. The second is Electrolyte, MirrorWeb's proprietary tool which, as Harriet Christie, COO at MirrorWeb explains, is a more sophisticated, agile, capable, and thorough tool for exploration and capture in the most rigorous and dynamic digital domains.

For any MirrorWeb client, the tools "meticulously and continuously crawl through social media, websites, and email", says Christie. Websites, she continues, "are preserved on a daily basis, where a webcrawler methodically and relentlessly moves around clicking all drop-down menus, ultimately 'seeing' and preserving every page." As for social media and email, "that is all captured on a real-time basis -- so even deleted pages are preserved."

From there, all of this collected data is transmitted to two [cloud-based data centers](https://www.mirrorweb.com/#how) creating security through redundancy - one in Ohio and another in Virginia. The data is stored securely but in "hot" and "cold" layers, the former for data that tends to be accessed more frequently.

## How Fast Can Records be Retrieved?

Of critical importance, says Christie, is the fact that "clients, at all times, have complete access to their data." Everything is held in statute-compliant WORM format and well-indexed, meaning it is readily searchable and retrievable. "Clients can grab whatever they want, whenever they need it. If they need to, they can even meander through an archived website as though it was live", says Christie. So if for example, "an auditor says they want to see the state of the website and all communications for May 7, 2019, that's all instantly retrievable by the client."

## Why Outsource?

In the end, broker-dealers should be asking themselves: how are we approaching this currently, and is there a better solution? As Christie explains, "Your business is brokerage, ours is data archiving and retrieval -- digital compliance."

Outsourcing compliance is becoming commonplace throughout the [financial services industry](https://www.forbes.com/sites/forbesinsights/2016/12/01/for-your-consideration-a-new-compliance-model-in-asset-management/?sh=6e8aae68e6fb). Still, broker-dealers should never completely abdicate responsibility for record archiving or any other regulatory requirement. Due diligence should include careful consideration in choosing a provider, as well as ongoing performance audits and reviews.

## How Can MirrorWeb Help?

[MirrorWeb](https://www.mirrorweb.com/) is a firm providing turnkey, enterprise-class digital preservation as a service for broker/dealers and related operators. As Christie explains, MirrorWeb can help ensure that all records cited by the regulations are preserved for two years on-premises, and then a full six years in a secure, non-rewritable, and non-erasable format.

"MirrorWeb can capture and archive all communications covered by the statutes. This includes correspondence such as email, prospectuses, or other offering materials between the broker/dealer and any outside individuals or organizations", Christie says. "We are also able to capture and preserve websites documenting updates/changes, as stipulated by the rules." She continues, "We can also track and preserve all posts and communications on social media platforms like Facebook and LinkedIn, as well as internal communications on platforms like Microsoft Teams, Slack or Yammer." When you're ready, the teams at [MirrorWeb](https://www.mirrorweb.com/) are ready to show you their capabilities, flexibility, agility, and surprising affordability. As Christie explains, "when people see what we can do, it is eye-opening. We are absolutely disrupting this space."

Section 206 is part of the Investment Advisers Act of 1940. While the regulatory intricacies of this legislation can be complicated and difficult to understand, the Securities and Exchange Commission has published two interpretive positions that are likely to help those working in finance ensure compliance.

Ultimately, [The act](https://www.sec.gov/rules/interp/ia-1732.htm#foot4) forbids investment bankers, either directly or indirectly, "acting as principal for his own account, knowingly to sell any security to or purchase any security from a client, or acting as broker for a person other than such client, knowingly to effect any sale or purchase of any security for the account of such client, without disclosing to such client in writing before the completion of such transaction the capacity in which he is acting and obtaining the consent of the client to such transaction."

## Section 206(3)

Of specific interest to financial institutions is [Sec. 206(3)](https://www.sec.gov/rules/interp/ia-1732.htm#foot4), which forbids investment advisers from engaging in or carrying out transactions for clients while acting as principals for their own account or as brokers for someone other than their clients without disclosing that relationship to clients in writing and obtaining clients' consent. The fundamental goals of this regulation are:

-   To ensure transparency between financial advisers and their clients

-   To prevent those executing such transactions on behalf of clients from engaging in self-dealing behavior

Now, let's break down that regulation. First, it deals with the point at which advisors must obtain clients' consent for transactions if they are the principal or agency representative. Specifically, advisers are required to obtain their clients' consent to transactions covered under Sec. 206(3) before such transactions are made.

Second, this rule identifies the kinds of transactions not covered --- those for which the adviser is not considered an "acting broker" --- as those for which they receive no compensation for making the transaction on clients' behalf. Since the whole goal of the regulation is to ensure no unethical behavior is happening on the part of the investment adviser, removing compensation from the equation is an important distinction.

## What Must Be Disclosed and When

For advisers and transactions covered under the act, it's important to understand exactly what must be disclosed. The SEC clarifies that advisers must reveal potential conflicts of interest via a written disclosure of their acting capacity in the transaction. The SEC's clarifying document also recommends reading Sec. 206(3) in conjunction with 206(1) and 206(2). These additional sections impose:

-   An affirmative good-faith duty regarding their clients

-   A duty to fully and faithfully disclose all facts related to the advisory relationship with their clients

Part of the impetus for the SEC's guidance on the matter was comments from industry representatives regarding the need for clarification on when exactly the disclosure and consent need to happen. The SEC clarified that it views "completion" as noted in Section 206(3) as "settlement" of a transaction, not "execution."

Securities transactions have various stages before they can be considered complete. "Settlement" refers to the actual exchange of securities and payment, whereas "execution" comes before that and refers to the contractual agreement between parties to the terms of the transaction.

## MirrorWeb Ensures Compliance

It's clear that investment advisers need to not only provide disclosure in accordance with Section 206 but also obtain prior consent prior to settling transactions with clients. They must also ensure their record-keeping practices allow them to easily prove they are complying with this rule. Enter [MirrorWeb](https://www.mirrorweb.com/), which helps organizations meet their digital compliance and preservation needs.  

Let's say that you send a client a disclosure and request compliance electronically. MirrorWeb captures and archives exact copies of all electronic information --- including from emails and other digital communications --- for later retrieval. This lets you focus on what you do best --- providing clients with the financial services they need --- while spending less time worrying about capturing and archiving disclosures and signed consents. 

Once signed up to use MirrorWeb, clients' data capture needs are evaluated and a capture schedule is devised. The company delivers:

-   Data storage in any location to make procurement simple and allow you to meet regulatory data storage requirements

-   The ability to search archives and easily download exactly the records you need from within the platform

-   Accessibility through an easy-to-use SaaS platform with user access management, full-text search function, and more

-   A robust support team that is available 24/7, 365 days of the year

## What is electronic records management?

Electronic records management or [ERM](https://www.aiim.org/search?term=electronic+records) is the totality of the policies and procedures surrounding the collection, archiving, on-demand search, retrieval, delivery and in many cases ultimate deletion of a company's digital communications and other records.

Records can include everything from routine business logs of sales, trades, or similar transactions to all manner of communications including email, recorded phone conservations, website updates, videoconferences, and even business and social media posts across platforms such as Slack, Teams, YouTube, Yammer, LinkedIn, Facebook, Gab, Twitter, and Instagram.

## Why is ERM Important?

Increasingly, organizations - from businesses and non-profits to government agencies - are finding themselves exposed to requirements for e-discovery. E-discovery requires these entities to produce digital records upon demand across a wide range of legal and regulatory actions.

In particular, a growing body of global and national regulatory agencies as well as local and national courts are stipulating strict and detailed rules for ERM. In addition to specifying an expanding array of both physical and digital documents that must be retained, they are also holding organizations accountable for the manner of archiving and retrieval alongside all related managerial procedures. Compliance failures can result in fines or related actions.

## What Sorts of Regulations Invoke ERM Requirements?

Differing industries may apply varying preservation requirements. For example, in the U.S., regulation 17 CFR § 240.17a-4 from the Securities and Exchange Commission requires broker-dealers to hold on to all internal and external communications plus its website activity and social media posts for a period of six years. Then in the EU, the General Data Protection Regulation (GDPR) places limits on what sorts of personal data can be collected and how long it may be retained.

Some of the more well-known areas where ERM rules are becoming more stringent include:

### Financial services:

-   SEC / Financial Regulatory Authority (FINRA) 17a4

-   §  10-06 --- Requires financial firms to retain records of all social media communications

-   §  11-32 --- Specifies that tweets and text messages are written material that need to be preserved

-   §  11-39 --- Establishes the requirement to retain, retrieve, and supervise business communication, even when that communication is conducted from a personal device

-   Markets In Financial Instruments Directive II: a massive set of regulations covering all facets of asset management and securities trading through the EU

### Retail and related commerce

-   GDPR: sweeping regulations from the EU covering the collection and management of personal data

-   CCPA: regulations closely mirroring the GDPR but applicable for residents of California only

### Healthcare

-   Health Insurance Portability and Accountability Act (HIPAA): requiring U.S.-based healthcare providers to maintain close control over patient records but also on-demand access as directed by patients  

### General

-   Federal Rules of Civil Procedure (FRCP): requiring businesses, individuals, and other organizations to be able to promptly and completely respond to court-directed e-discovery

-   [Rule 34: Producing Documents, Electronically Stored Information](https://www.law.cornell.edu/rules/frcp/rule_34)

_**Note:** thanks to the rise of e-discovery rules --- virtually all industries, companies, organizations, and individuals are being held to strict ERM standards, regardless of whether or not a regulatory standard applies. The FRCP standards are just one example of the bar being raised for the whole of record keeping._

## What are the Costs of Compliance Failures?

Running afoul of ERM rules exposes businesses to an array of risks. Fines themselves can be upwards of millions of dollars. For example, under Mifid II, in 2020 alone, the European Securities and Market Authority ([ESMA](https://www.esma.europa.eu/sites/default/files/library/esma35-43-2751_report_mifid_ii_sanctions_2020.pdf)) imposed fines of €8,400,430. That's just one agency in one year --- with the number of agencies, courtrooms, and other jurisdictions establishing ERM requirements growing by the day.

Similarly, firms must also concern themselves with sanctions --- for example, failure to comply can lead to prohibitions on conducting business in certain markets, temporary bans, or similar penalties.

But worst of all, companies must concern themselves with reputation risks. Reputational damage is generally more costly in terms of lost clients, prospects, and sales than actual fines. In fact, analysts from the[ Center for Economic Policy Research](https://voxeu.org/article/financial-market-wrongdoing-fines-vs-reputational-sanctions) say losses in share valuation associated with sanctions "are on average nine times larger than the financial penalties imposed by the regulators."

## What is WORM Storage?

As emphatic regulations proliferate and as the general expectations within e-discovery manifest, a key theme emerges --- the need for WORM-compliant ERM.

The acronym WORM refers to a "write once, read many" storage drive. What it means is that when using a WORM-compliant device, a file can be written to the drive only once. From there, it is kept in pristine condition with all of its associated metadata intact.

Where there are emphatic regulations --- a list that is swelling --- WORM compliance is a nearly universally present requirement. Even within the broader practice of e-discovery, the expectations of judges, arbitrators, plaintiffs, and other participants and stakeholders increasingly demand that data storage be WORM-compliant.

## What is Metadata?

It is not enough that an organization is capable of retrieving and sharing requested data. What is required is that the business, person, or other entity in question is able to ensure the provenance of the information that is shared. That is: the data is accurate, complete, and up-to-date, preserved in its original state.

To do this requires simultaneous storage and retrieval of immutable attributes associated with each document, posting, or other files. Metadata includes information such as:

-   The name of the author or creator of the file

-   The file creation date

-   The date, time, nature, and author of any changes to the file since its inception

-   The software or operating system in use

-   Any unique identifiers

Organizations may also add additional identifiers such as the type of file, its broad categorization, which functional entity created it, or whatever might help with retrieving the information as needed. That these attributes remain immutable requires WORM compliant procedures and equipment.

## What Other Requirements May Exist?

Expectations for ERM have evolved significantly. Again, some of the below may be required by regulation; other aspects are simply becoming baseline expectations. But in general, your data archives must be:

-   **Immutable.** The records cannot be changed; they are authentic as filed

-   **Discoverable.** Your databases must be easy to search and deliver all relevant files

-   **Auditable.** Your processes must be documented and transparent

-   **Redundant.** All of your data must be backed up to a secure location or better still, locations

-   **Of appropriate duration.** Certain regulations introduce minimum storage requirements --- "you must hold on to this record for five to seven years --- and others maximum --- this file must be permanently deleted after a specified period. Your ERM system must be efficient and effective in executing specific requirements.

## Why is Assurance Essential?

WORM-compliant ERM, whether mandated by regulation or merely as reasonable practice, is becoming the standard in business and society. Organizations are increasingly expected to be able to demonstrate that their processes are sound and thorough; that their storage systems are WORM-compliant, discoverable, auditable, and redundant.

This leads to a significantly more evolved state than simply being able to retrieve and share as requested. A demonstrably sophisticated and capable ERM system can also prove a negative. If the policies and procedures are sound and if the storage drives exhibit the attributes above including WORM-compliance, then there is no more to a story than what is supplied.

Assume a regulator or plaintiff suspects an item or items may exist as evidence of actions they allege, and place a demand for retrieval. If it exists, it is captured, stored, retrieved, and delivered upon demand. If it doesn't exist, that is reasonable proof it did not happen.

## How Can MirrorWeb Assist?

[MirrorWeb](https://www.mirrorweb.com/) has extensive experience working with a wide variety of industries and organizations needed to address everything from regulatory compliance to the risks of potential demands for e-discovery.

We are data professionals, and we can help your group develop the right sets of ERM procedures to ensure you are protected and compliant. Our multiple web crawlers and other tools will routinely comb your digital byways to make certain every email, web posting, video conference, or social media posting is captured, tagged, and archived.

Our WORM-compliant storage ensures your data and files will remain immutable, searchable, and always available, fully backed up in multiple locations.

We know our business, leaving you free to run yours. And you can have complete confidence, if the need arises to produce a report to a regulator, court, or other competent authority, you have complete access to and control of your data -- and you can be confident, if "it" happened, you have it. And if it did not happen, you can prove that too.

Regulatory Compliance