Beyond having to follow basic retention schedules and compliance measures, organizations in highly regulated industries must adhere to more stringent requirements such as SEC Rule 17a-4. Failure to comply with these regulations has landed companies in some pretty hot water. An annual report by the U.S. Securities and Exchange Commission stated that in 2018 alone, 821 enforcement actions resulted in $3.9 billion in disgorgement and penalties.
This article will delve into what SEC Rule 17a-4 is, which organizations are impacted, five challenges that arise when meeting these requirements, and how to address these challenges to ensure compliance.
What is SEC Rule 17a-4 and which organizations are impacted?
Rule 17a-4 is part of a regulation issued by the US Securities and Exchange Commission (SEC) in accordance with the US Securities Exchange Act of 1934. Under this Act, any organizations that operate in the financial service industry (including stockbrokers and brokerage firms) must comply with requirements for electronic data storage. This includes aspects such as retention period, discoverability, accessibility, and accountability.
More specifically, this rule requires that financial firms retain and index records of transactions on indelible media and provide immediate accessibility to this content for two years, and non-immediate access for a minimum of six years. Duplicate records should be kept at an off-site location for the same amount of time. Other communications, including (but not limited to) physically written communication, emails, and instant messages, should also be retained for three to six years, with the period depending on the documents at issue.
What are the consequences for non-compliance?
These requirements are enforced by the Financial Industry Regulatory Authority (FINRA). A non-profit organization authorized by US Congress, FINRA controls the operations and enforces rules that govern the activities of organizations operating in the financial services industry. The SEC and FINRA are two of the most important regulatory bodies in the US financial system.
Under SEC 17a-4, financial firms are under continuous observation and face substantial fines for non-compliance. Monetary fines for breaking the regulation range from $1,000 to over $140,000 per breach. There are also non-monetary penalties, including suspension or expulsion of the responsible individual and/or the entire company, depending on the nature of the breach. One example is Scottrade being fined $2.6 million; however, this case is not unique.
With consequences like these, relevant organizations will want to ensure compliance. We’ve listed out some of the challenges organizations can run into with SEC 17a-4, and how using the right tool can address them to make sure all is correctly in line.
What four challenges do organizations face with this regulation?
1. Ensuring proper retention
SEC 17a-4, sections (a) through (e), outlines the rules for records preservation. Organizations will need to make sure that they have the capabilities to properly retain relevant content for at least six years.
2. Storing records in a non-rewriteable, non-erasable format
SEC 17a-4(f) states that any electronically stored content must be preserved exclusively in a ‘non-rewriteable, non-erasable format’, essentially requiring WORM storage. An official FINRA press release stated that many firms had failed to maintain electronic records in this format when it fined 12 firms over $14 million due to a lack of proper protection from record alterations.
What is WORM storage?
An abbreviation for Write-Once-Read-Many; all data stored in WORM-compliant storage cannot be overwritten, tampered with or deleted. FINRA rules require this standard for SEC 17a-4 compliance to ensure that all business-related records cannot be altered. Lacking this storage type will result in non-compliance.
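As an added illustration of the WORM properties described above (not Collabspace's code, and not part of the original article), the following Python models an in-memory write-once store: a key can be written only once, deletion is refused until a retention period has elapsed, a digest taken at write time lets later alteration be detected, and every accepted or rejected operation lands in an audit trail. The store, the sample trade record and the six-year constant are constructed assumptions for the example.

```python
import hashlib
import time
from dataclasses import dataclass


class WormViolation(Exception):
    """Raised when an operation would overwrite, erase, or fail to verify a retained record."""


@dataclass(frozen=True)
class Record:
    key: str
    data: bytes
    sha256: str          # digest taken at write time; used to detect later tampering
    written_at: float    # epoch seconds
    retain_until: float  # epoch seconds; deletion is refused before this point


class WormStore:
    """Constructed, in-memory illustration of write-once-read-many semantics.

    - write(): accepted only for keys that do not yet exist (no overwrite)
    - delete(): refused until the record's retention period has elapsed
    - read()/verify_all(): recompute the digest so silent alteration is detected
    Every operation, accepted or rejected, is appended to an audit trail.
    """

    def __init__(self, retention_seconds: float, clock=time.time):
        self._records: dict[str, Record] = {}
        self._audit: list[tuple[str, str]] = []
        self._retention = retention_seconds
        self._clock = clock  # injectable so retention expiry can be simulated

    def write(self, key: str, data: bytes) -> str:
        if key in self._records:
            self._audit.append(("write-rejected", key))
            raise WormViolation(f"{key!r} already exists; WORM storage forbids overwrite")
        now = self._clock()
        digest = hashlib.sha256(data).hexdigest()
        self._records[key] = Record(key, bytes(data), digest, now, now + self._retention)
        self._audit.append(("write", key))
        return digest

    def read(self, key: str) -> bytes:
        rec = self._records[key]
        if hashlib.sha256(rec.data).hexdigest() != rec.sha256:
            self._audit.append(("integrity-failure", key))
            raise WormViolation(f"{key!r} no longer matches its write-time digest")
        self._audit.append(("read", key))
        return rec.data

    def delete(self, key: str) -> None:
        rec = self._records[key]
        if self._clock() < rec.retain_until:
            self._audit.append(("delete-rejected", key))
            raise WormViolation(f"{key!r} is under retention until {rec.retain_until:.0f}")
        del self._records[key]
        self._audit.append(("delete", key))

    def exists(self, key: str) -> bool:
        return key in self._records

    def verify_all(self) -> list[str]:
        """Return the keys whose stored bytes no longer match their write-time digest."""
        return [k for k, r in self._records.items()
                if hashlib.sha256(r.data).hexdigest() != r.sha256]

    def audit_trail(self) -> list[tuple[str, str]]:
        return list(self._audit)


SIX_YEARS = 6 * 365 * 24 * 60 * 60  # constructed approximation of the six-year retention floor


def demo() -> list[tuple[str, str]]:
    """Walk one constructed record through the WORM life cycle and return the audit trail."""
    clock = [1_000_000.0]  # fake clock so the example runs instantly
    store = WormStore(SIX_YEARS, clock=lambda: clock[0])
    store.write("trade-0001", b"BUY 100 XYZ @ 10.00")  # constructed sample record
    store.read("trade-0001")
    attempts = (
        lambda: store.write("trade-0001", b"BUY 1000 XYZ @ 10.00"),  # overwrite attempt
        lambda: store.delete("trade-0001"),                          # delete before retention ends
    )
    for op in attempts:
        try:
            op()
        except WormViolation:
            pass  # rejected, and recorded in the audit trail
    clock[0] += SIX_YEARS + 1  # retention period elapses
    store.delete("trade-0001")
    return store.audit_trail()


if __name__ == "__main__":
    for event, key in demo():
        print(f"{event:16s} {key}")
```

The injectable clock is what makes the retention lock testable: production WORM storage would tie `retain_until` to a trusted time source and, unlike this toy, would reject any code path that could reach the stored bytes directly.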
3. Scattered systems make it hard to discover and retrieve records
From the inbox to local files, the data that SEC 17a-4 demands be retained can come from any of many different systems. Section 17a-4(j) necessitates the ability to discover and retrieve these records. However, records can get lost across various systems, since not all content is known and/or discoverable without the proper tools. Not being able to search and access content poses a massive risk of noncompliance.
Another challenge can arise with properly storing and retaining physical office records for the necessary two years outlined by SEC 17a-4(l).
4. Passing audits to avoid penalties
As discussed in the prior section, consequences of regulation breach are substantial. To avoid fines, loss of certification, loss of credibility, and bad press, organizations must be able to conduct periodic internal and external audits with FINRA to prove that they are SEC-compliant.
Addressing the four challenges to ensure SEC 17a-4 compliance
To meet these requirements, financial firms can select tools which not only comply with SEC 17a-4, but automate the retention process to ensure that compliance is achieved without strain or time from the organization's end users.
Using a tool like Collabspace, a cloud compliance solution, will not only ensure that compliance is met, but will optimize eDiscovery and offer content review and audit features. By using Collabspace, organizations will have:
1. Automated retention to ensure SEC 17a-4 compliance
All Collabspace products use a data lake approach to records management, meaning that data is automatically streamed from your go-to content sources into a unified cloud repository.
Geo-replication and container + multi-part item-level encryption ensure the content will be retained securely for SEC17a-4 and disaster recovery purposes. Read more about Collabspace security measures.
2. WORM Storage to prevent alteration
Every Collabspace product, from ARCHIVE through to CONTINUUM, has WORM-compliant storage to ensure no data can be overwritten or deleted. Making the content immutable after the initial write prevents any tampering or deletion, so it is truly locked in and compliant with SEC 17a-4.
Collabspace WORM storage also ensures that recovering data is quick and seamless in the event of accidental deletion or another incident.
3. Unified content discovery and export capabilities
All content retained in any Collabspace product is discoverable, with powerful search available in Collabspace ARCHIVE, and Collabspace DISCOVERY offering even more content discovery options, such as automatic optical character recognition (OCR) and audio/video transcription features. So whether it be emails or scanned PDFs, they can be found and exported whenever need be.
4. Version Tracking and Audit Lists
With features like version tracking and audit lists, organizations can access and export full audit trails and receive content review notifications. This way, audits can be easily conducted both internally and externally whenever necessary to prove SEC 17a-4 regulations are being met.
SEC 17a-4 includes specific requirements for organizations in the financial services industry to properly store and manage their electronic business records in WORM-compliant storage. While many organizations have had to pay large fines for failure to do so, this can be avoided by using products such as Collabspace for proper WORM storage, retention, duplication and audit capabilities.
We will be releasing a whitepaper going more in depth into this topic soon; stay tuned!
Want to learn more about how Collabspace can ensure that your organization meets SEC 17a-4, or another, compliance? We work hard to provide products that meet your organization's regulatory requirements. Contact us with your questions, read our Compliance Checklist, or download our free brochure about Collabspace ARCHIVE, DISCOVERY and CONTINUUM features below:
Note: this article was originally published in 2020, and has since been edited and updated by Nadia Lepak to stay current.