SEC Rule 17a-4: Definition, Implications, and Compliance Roadmap
by Aware
Navigating the regulatory landscape is crucial for businesses, particularly in the financial sector. SEC Rule 17a-4 is a pivotal regulation governing data retention and accessibility. In this post, we’ll demystify the rule, explore its key provisions, and provide a practical roadmap for compliance. Whether you’re new to the regulatory terrain or seeking to enhance your understanding, this guide aims to clarify the intricacies of SEC Rule 17a-4.
What is SEC Rule 17a-4?
SEC Rule 17a-4 is a regulation that requires broker-dealers to preserve specified records for defined periods (three or six years for most record types, with the first two years in an easily accessible place, and for the life of the firm for certain organizational records), and to produce those records to the U.S. Securities and Exchange Commission (SEC) and the firm's designated examining authority upon request. The rule is designed to protect investors by ensuring that broker-dealers have accurate, complete, and tamper-evident records of their activities.
Examples of the types of records covered by SEC Rule 17a-4 include:
- Order tickets
- Account statements
- Trade confirmations
- Correspondence with customers
- Internal collaboration messages
- Other records that are relevant to the broker-dealer's business
Contents
- What are the requirements for SEC Rule 17a-4?
- What does SEC Rule 17a-4 require broker-dealers to do?
- The risks of SEC Rule 17a-4 noncompliance
- How to implement SEC Rule 17a-4 compliance
- Frequently asked questions
What are the requirements for SEC Rule 17a-4?
Rule 17a-4, as amended, defines how broker-dealers and other covered firms must manage their electronically stored information (ESI): which records are and are not covered, how long they must be kept, and what an electronic recordkeeping system must be able to do to be compliant.
- Record Types: including emails, financial transactions, and business-related communications.
- Retention Periods: typically three or six years depending on record type, with the first two years in an easily accessible place.
- Accessibility: records must be producible promptly to the SEC and the firm's designated examining authority to facilitate regulatory reviews.
- Preservation Format: either a Write Once, Read Many (WORM) non-rewriteable, non-erasable format, or, since the 2022 amendments, an audit-trail alternative that captures every modification and deletion.
These provisions ensure that all original records are preserved in an easily accessible format that can be provided to the SEC upon request. This brings the requirements for electronically stored information up to date with modern recordkeeping technologies and accounts for new forms of ESI being created, such as internal messaging systems.
They also more closely align Rule 17a-4, which applies to broker-dealers (including those also registered as security-based swap dealers (SBSDs) or major security-based swap participants (MSBSPs)), with Rule 18a-6, which applies to SBSDs and MSBSPs that are not also registered as broker-dealers.
What does SEC Rule 17a-4 require broker-dealers to do?
To be compliant with SEC Rule 17a-4, broker-dealers and other covered entities must take specific measures to protect ESI, including:
- Developing a record retention policy that identifies all of the electronic records that must be maintained and preserved.
- Implementing an electronic recordkeeping system that stores and archives records either in a WORM format or under the audit-trail alternative.
- Having a process in place for providing electronic records to the SEC upon request.
Many of the requirements outlined in SEC Rule 17a-4 were already in place before the 2022 amendments, which became effective on January 3, 2023 (with a compliance date of May 3, 2023 for broker-dealers). The key amendments are: adding an audit-trail alternative to the WORM requirement; allowing broker-dealers to designate an executive officer in place of a designated third party to make certain undertakings; and addressing control over and access to records held by third-party providers, such as cloud service providers.
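The audit-trail alternative requires the recordkeeping system to keep a complete, time-stamped trail of every modification and deletion, the identity of the person acting, and enough information to recreate the original record and each interim version. The following is an added example, not Aware's code or the SEC's specification, that models those properties for collaboration messages as an append-only ledger. The event schema, the SHA-256 hash chain used for tamper evidence, and the sample messages are this example's own assumptions; the hash chain is a design choice, not something the rule prescribes.

```python
"""Append-only, hash-chained audit trail for message records (added example)."""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS = "0" * 64                         # prev_hash of the first event
ACTIONS = ("create", "modify", "delete")


@dataclass(frozen=True)
class Event:
    seq: int                # position in the ledger, never reused
    ts: str                 # ISO-8601 time the ingesting system saw the action
    actor: str              # identity of the user performing the action
    action: str             # one of ACTIONS
    record_id: str          # stable id of the message being tracked
    body: Optional[str]     # full content after the action; None for delete
    prev_hash: str          # hash of the preceding event (tamper evidence)
    hash: str               # SHA-256 over every field above


def _digest(seq, ts, actor, action, record_id, body, prev_hash) -> str:
    payload = json.dumps([seq, ts, actor, action, record_id, body, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrailArchive:
    """Records are never overwritten; a deletion is one more appended event."""

    def __init__(self) -> None:
        self._events: list[Event] = []

    def append(self, ts: str, actor: str, action: str,
               record_id: str, body: Optional[str] = None) -> Event:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if (action == "delete") != (body is None):
            raise ValueError("create/modify need a body; delete must not carry one")
        seq = len(self._events)
        prev = self._events[-1].hash if self._events else GENESIS
        ev = Event(seq, ts, actor, action, record_id, body, prev,
                   _digest(seq, ts, actor, action, record_id, body, prev))
        self._events.append(ev)
        return ev

    def verify(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered event fails."""
        prev = GENESIS
        for i, ev in enumerate(self._events):
            expected = _digest(ev.seq, ev.ts, ev.actor, ev.action,
                               ev.record_id, ev.body, ev.prev_hash)
            if ev.seq != i or ev.prev_hash != prev or ev.hash != expected:
                return False
            prev = ev.hash
        return True

    def history(self, record_id: str) -> list[Event]:
        """Who did what to the record, and when."""
        return [e for e in self._events if e.record_id == record_id]

    def iterations(self, record_id: str) -> list[Optional[str]]:
        """Original, each interim version, and the final state (None if deleted)."""
        return [e.body for e in self.history(record_id)]

    def original(self, record_id: str) -> Optional[str]:
        it = self.iterations(record_id)
        return it[0] if it else None

    def current(self, record_id: str) -> Optional[str]:
        it = self.iterations(record_id)
        return it[-1] if it else None


def build_sample_archive() -> AuditTrailArchive:
    """Constructed sample data: a trader edits, then deletes, a chat message."""
    a = AuditTrailArchive()
    a.append("2023-05-03T14:02:11Z", "alice@example.com", "create", "msg-1001",
             "Buy 100 ACME at 42")
    a.append("2023-05-03T14:02:40Z", "alice@example.com", "modify", "msg-1001",
             "Buy 100 ACME at 43")
    a.append("2023-05-03T14:05:02Z", "alice@example.com", "delete", "msg-1001")
    a.append("2023-05-03T14:06:15Z", "bob@example.com", "create", "msg-1002",
             "Confirm fill on 1001?")
    return a


def tamper_detected() -> bool:
    """Rewrite a stored event in place, as a post-hoc 'cleanup' would, and check."""
    a = build_sample_archive()
    a._events[1] = dataclasses.replace(a._events[1], body="Buy 100 ACME at 42")
    return not a.verify()


if __name__ == "__main__":
    arc = build_sample_archive()
    print("chain intact:", arc.verify())
    print("iterations of msg-1001:", arc.iterations("msg-1001"))
    print("tampering detected:", tamper_detected())
```

The point of the deletion event is that the message's original text survives in the archive and the deletion itself becomes part of the record, with the actor and time attached; `iterations()` recreates the original and every interim version, and `verify()` fails if any stored event is later altered or removed. In production the ledger would be persisted to storage that itself resists rewriting (object storage with retention locks, for example), and the timestamps would come from a trusted clock rather than the client.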
The risks of SEC Rule 17a-4 noncompliance
Failure to comply with SEC Rule 17a-4 carries significant financial and reputational risks. The SEC can fine broker-dealers for violations and can suspend or revoke their registration. In addition, failure to comply with SEC regulations may leave broker-dealers open to legal action from investors.
SEC fines for improper recordkeeping
- In September 2023, 10 firms were fined a combined $79 million
- In August 2023, 11 firms agreed to pay a total of $289 million in penalties
- In May 2023, two banks received fines of $22.5 million combined
The pandemic accelerated the uptake of electronic messaging systems like Slack, Microsoft Teams, and the texting application WhatsApp, and the SEC has responded with a series of enforcement actions that affirm that business communications on these channels, including so-called off-channel communications on personal devices, fall within the scope of Rule 17a-4.
In addition, noncompliant firms face reputational risk from the negative publicity surrounding SEC actions. Firms that have not inventoried where business communications take place also tend to have weaker controls over that data, so a recordkeeping gap is often a sign of a broader security gap that can expose customers' sensitive information.
How to implement SEC Rule 17a-4 compliance
It’s essential that broker-dealers and other entities meet the requirements of SEC Rule 17a-4 and plug any compliance gaps in their datasets to minimize financial, reputational, and information security risks.
Define compliance-applicable datasets
SEC Rule 17a-4(b) defines the datasets covered by the retention requirements. These include records of payments made and received, financial computations, contracts, written agreements, and more. However, not all definitions are clear-cut: 17a-4(b)(4) requires firms to keep “originals of all communications…relating to its business as such.”
FINRA interprets this to mean “all electronic communications relating to the firm’s business.” This includes email, collaboration messaging tools (Slack, Teams), instant messaging tools (text messages, WhatsApp), productivity tracker tools (Asana, Trello), and collaboration messages within cloud storage files and documents (OneDrive, Google Drive).
Understanding the full scope of SEC Rule 17a-4 is essential to being fully compliant, and that means knowing where and how employees actually communicate about the business. This will often include unsanctioned tools and shadow IT, such as personal messaging apps, that no archive currently captures.
Analyze datasets for liabilities
Once broker-dealers have identified all the sources of electronic communications, they should take steps to limit liability: ensure every channel is adequately protected from cyber threats, capture the information shared within those channels in real time into a compliant repository, and make employees aware of their responsibility to protect sensitive data by self-policing how and where it is shared.
As a first step toward understanding the scale of the liability, broker-dealers can use Aware to retain ESI from popular collaboration tools through real-time ingestion into a searchable archive that proactively identifies risky content.
Aware research shows that employees in all industries routinely share highly sensitive, confidential, and regulated information within workplace-sanctioned collaboration tools. Understanding and addressing this risk at scale is essential to supporting regulatory compliance and protecting valuable business and client information.
Address short-term liabilities
With a better understanding of how employees use collaboration tools, and where potential liabilities are greatest, admins and executives can develop strategies to promptly address short-term compliance gaps. This may include closing gaps in the broker-dealer's record retention policy, or moving any electronic records that are not being preserved in a WORM format or under the audit-trail alternative into a compliant system.
Employees are often the first line of defense for data security, so review infosec training and ensure that everybody knows how to safely share confidential information when necessary.
Implement long-term monitoring systems
Using Aware, broker-dealers can automate the retention of collaboration data into a compliant archive in real time, ensuring the capture of a full record of message revisions and deletions. Aware also supports ongoing compliance monitoring to help maintain the security and confidentiality of business communications.
Using Aware, entities can keep a continuous finger on the pulse of their workplace and identify areas of increased risk, mitigate them through automated employee coaching, and take charge of the massive volume of data that digital collaboration tools create.
Frequently asked questions
What is compliance data retention?
Compliance data retention involves securely storing and managing data in accordance with regulatory requirements, industry standards, and legal obligations.
The primary goals of compliance data retention are to ensure transparency, accountability, and the ability to respond to legal or regulatory inquiries. Companies, especially those in regulated industries such as finance, healthcare, and telecommunications, must adhere to these retention policies to avoid legal consequences and to protect the interests of stakeholders, clients, and the general public.
What is the SEC amended Rule 17a-4?
In October 2022, the SEC adopted amendments to Rule 17a-4 under the Securities Exchange Act of 1934, governing electronic recordkeeping requirements for broker-dealers and other covered entities; the amendments were published in the Federal Register in November 2022. The effective date of the amendments was January 3, 2023, and the compliance date was May 3, 2023. At the same time, the SEC also amended Rule 18a-6, with a compliance date of November 3, 2023.
The amended rules updated the SEC requirements for how broker-dealers notify their designated examining authority (DEA) before employing an electronic recordkeeping system and allowed them to use an audit-trail alternative to the write-once, read-many (WORM) requirement.
How does SEC 17a-4 apply to my company?
SEC 17a-4 applies to broker-dealers, including those registered as security-based swap dealers (SBSDs) or major security-based swap participants (MSBSPs). SEC 18a-6 applies to SBSDs and MSBSPs that are not also registered as broker-dealers. Together, these rules define all entities that are governed by the new amendments.
What is the fine for SEC 17a-4?
While there is no fixed penalty amount for failing to comply with SEC 17a-4, broker-dealers and other regulated firms have already settled fines in the tens of millions for not complying with regulatory recordkeeping rules.
What is a SEC 17a-4 audit?
An SEC 17a-4 audit is an examination of a broker-dealer's electronic recordkeeping system to confirm that records are being preserved and maintained in accordance with SEC Rule 17a-4. The examination may be conducted by the SEC itself or by the firm's designated examining authority (DEA), the self-regulatory organization (SRO) responsible for examining it, such as FINRA. Broker-dealers should be prepared to provide the examiner with access to all of their electronic records, as well as any documentation related to their record retention policy and procedures.
Final thoughts
SEC Rule 17a-4 is an important regulation that protects investors by ensuring that broker-dealers have accurate and complete records of their activities. Broker-dealers can comply with SEC Rule 17a-4 by following the steps above and by implementing technology solutions like Aware to help them monitor and maintain long-term compliance.