Learn the benefits of outsourcing compliance with 17 CFR § 240.17a-3 and 17 CFR § 240.17a-4.
The Securities and Exchange Commission (SEC) holds broker-dealers to high standards. Its authority runs the gamut from policing the inappropriate leakage of non-public material information, to monitoring the messaging within sales and marketing communications to investors and prospects.
A key tool for the agency is the after-the-fact audit -- and to facilitate its audits the agency places strict requirements on broker/dealers for the preservation of records. To achieve compliance, firms must understand rules 17 CFR § 240.17a-3 and 17 CFR § 240.17a-4.
What are 17 CFR § 240.17a-3 and 17 CFR § 240.17a-4?
Broadly speaking, these are two interrelated rules that together spell out the detailed and rigorous record-keeping requirements that must be adhered to by any broker/dealer, or any other entity playing a role in any securities market.
To better understand the meaning behind such complex nomenclature, recall that the Securities Exchange Act (SEA) was passed by the US Congress in 1933, creating the Securities and Exchange Commission (SEC). The SEA's goal remains to promote ethical behavior in the country's fast-evolving and continuously growing primary and secondary securities markets, via the implementation of regulations.
The SEA's Section 17, "Preservation of Records and Reports of Certain Stabilizing Activities", contains rules intended to prohibit fraud and misrepresentations in the offer or sale of securities. The acronym CFR shows that the regulation falls within the US Code of Federal Regulations. The reference to Part 240 stipulates books and records requirements within Section 17.
Adding "a-3" and "a-4" completes the full nomenclature: CFR § 240.17a-3 and CFR § 240.17a-4. These rules are essentially updates to the core Section 17, adjusting the rules to keep pace with fast-evolving digital communications and media.
To Whom do the Rules Apply?
Section 17 itself applies to essentially the entire securities industry, including not only broker-dealers but also the exchanges themselves. Updates CFR § 240.17a-3 and CFR § 240.17a-4 apply emphatically to brokers and dealers of all manner of secondary securities. This includes not only basic securities such as stocks and bonds but also expands to cover security-based swaps as well as OTC derivatives. A dive into Section 17 itself can provide detailed insight, but in general, if a firm is involved with the sale or promotion of investments, more than likely a-3 and a-4 apply.
What is the Difference Between CFR § 240.17a-3 and CFR § 240.17a-4?
The rules are detailed -- which is by no means remarkable for regulatory compliance. But in their essence, the two sets of updates are intimately related in that they both apply to digital record-keeping. Note that in 1933, when the SEA was enacted, digital records were not in existence.
Still, the two updates each introduce a slightly different focus. CFR § 240.17a-3 goes into detail about the sorts of records that must be kept. These include all records of original entry relating to the purchase and sale of securities, sometimes referred to as books or blotters. The list goes on to include all manner of ledgers or similar records of items such as assets and liabilities, securities in transfer, dividends, interest, securities lending activities -- and much, much more. Generally speaking, if any record relating to the business exists, digital or otherwise, it must be preserved according to Section 17.
CFR § 240.17a-4 goes into greater detail about how records -- digital and physical -- must be preserved. Again, the update is highly detailed, requiring, for example, originals of interoffice memoranda, sales scripts, and notes taken during or recordings of phone calls.
Failure to comply with any aspect of Section 17, along with each of its updates, can result in significant fines, often accompanied by regulatory actions such as being prohibited from participation in certain markets or activities. So it is incumbent on a business to examine the rules carefully.
How Long Must the Records be Archived?
In a nutshell, all entities covered by Section 17 must be able to immediately produce any records pertaining to business conducted within the current two years, under any circumstance. The rules emphatically state that such records "shall be maintained at the office to which they relate."
Regulators are of course aware that the ability to provide instant access may not be a reasonable standard. The statute reads "produce the records promptly at the request of a regulatory authority." But they will not tolerate delays spanning days, let alone longer periods. In short -- businesses need to be ready to move and to comply when requested, or risk regulatory ire or action.
Beyond two years of on-premises records access, the rules demand that parties included in Section 17 maintain records for a full six years. Though the expectation is that these records may take longer to retrieve, in practice, regulators are thinking in terms of days, in some cases a week or two, but definitely not a month or longer. If a regulator feels responses fall short in terms of quality or timing, they are empowered to escalate their actions under CFR § 240.17a-11.
In What Form Must the Records be Archived?
Regulators need assurance at all times that records are complete and accurate. Consequently, they introduce rigorous standards for archiving.
Here, the SEC offers its official interpretation: "Electronic Storage of Broker-Dealer Records." Key requirements are that:
Such records must exist in a non-rewritable and non-erasable format
All records must be immutably time- and date-stamped
Data must be backed up at multiple locations
Records, including digital provenance, must be searchable and readily retrievable
Why Use an External Provider?
Getting it done starts with an up-to-date understanding of the regulations: what needs to be stored and in what condition? Because compliance is MirrorWeb's core focus, they can devote more resources to staying aware of the rules.
Then in addition, as a specialist, MirrorWeb continuously invests in state-of-the-art technologies. The firm currently deploys two archival webcrawlers. The first is Heritrix, a tried-and-true open-source tool in widespread usage. The second is Electrolyte, MirrorWeb's proprietary tool which, as Harriet Christie, COO at MirrorWeb explains, is a more sophisticated, agile, capable, and thorough tool for exploration and capture in the most rigorous and dynamic digital domains.
For any MirrorWeb client, the tools "meticulously and continuously crawl through social media, websites, and email", says Christie. Websites, she continues, "are preserved on a daily basis, where a webcrawler methodically and relentlessly moves around clicking all drop-down menus, ultimately 'seeing' and preserving every page." As for social media and email, "that is all captured on a real-time basis -- so even deleted pages are preserved."
From there, all of this collected data is transmitted to two cloud-based data centers, creating security through redundancy: one in Ohio and another in Virginia. The data is stored securely in "hot" and "cold" layers, the former for data that tends to be accessed more frequently.
How Fast Can Records be Retrieved?
Of critical importance, says Christie, is the fact that "clients, at all times, have complete access to their data." Everything is held in statute-compliant WORM format and well-indexed, meaning it is readily searchable and retrievable. "Clients can grab whatever they want, whenever they need it. If they need to, they can even meander through an archived website as though it was live", says Christie. So if for example, "an auditor says they want to see the state of the website and all communications for May 7, 2019, that's all instantly retrievable by the client."
In the end, broker-dealers should be asking themselves: how are we approaching this currently, and is there a better solution? As Christie explains, "Your business is brokerage, ours is data archiving and retrieval -- digital compliance."
Outsourcing compliance is becoming commonplace throughout the financial services industry. Still, broker-dealers should never completely abdicate responsibility for record archiving or any other regulatory requirement. Due diligence should include careful consideration in choosing a provider, as well as ongoing performance audits and reviews.
How Can MirrorWeb Help?
MirrorWeb is a firm providing turnkey, enterprise-class digital preservation as a service for broker/dealers and related operators. As Christie explains, MirrorWeb can help ensure that all records cited by the regulations are preserved for two years on-premises, and then a full six years in a secure, non-rewritable, and non-erasable format.
"MirrorWeb can capture and archive all communications covered by the statutes. This includes correspondence such as email, prospectuses, or other offering materials between the broker/dealer and any outside individuals or organizations", Christie says. "We are also able to capture and preserve websites documenting updates/changes, as stipulated by the rules." She continues, "We can also track and preserve all posts and communications on social media platforms like Facebook and LinkedIn, as well as internal communications on platforms like Microsoft Teams, Slack or Yammer." When you're ready, the teams at MirrorWeb are ready to show you their capabilities, flexibility, agility, and surprising affordability. As Christie explains, "when people see what we can do, it is eye-opening. We are absolutely disrupting this space."