Man in financial sector working on mobile device and laptop. Image courtesy of Shutterstock.
Beyond having to follow basic retention schedules and compliance measures, organizations in highly regulated industries must adhere to more stringent requirements such as SEC Rule 17a-4. Failure to comply with these regulations has landed companies into some pretty hot water. An annual report by the U.S Securities and Exchange Commission stated that in 2018 alone, 821 enforcement actions resulted in $3.9 billion in disgorgement and penalties.
The best way to avoid fines is educating yourself about this policy and how to ensure SEC17a-4 compliance. This article will cover...
What is SEC Rule 17a-4 and which organizations are impacted?
SEC Rule 17a-4 is part of a regulation issued by the US Securities and Exchange Commission (SEC) in accordance with the US Securities Exchange Act of 1934. Under this Act, any organizations that operate in the financial service industry (including stockbrokers and brokerage firms) must comply with certain requirements for electronic data storage. That includes aspects such as retention period, discoverability, accessibility, and accountability.
This rule, specifically, requires that financial firms retain and index records of transactions on indelible media and provide immediate accessibility to this content for two years, and non-immediate access for a minimum of six years. There should be duplicate records kept at an off-site location for the same amount of time. Other communications, including (but not limited to) physically written communication, emails, and instant message should also be retained for three to six years, period dependent on the documents.
What are the consequences for non-compliance?
These requirements are enforced by the Financial Industry Regulatory Authority (FINRA). A non-profit organization authorized by US Congress, FINRA controls the operations and enforces rules that govern the activities of organizations operating in the financial services industry. The SEC and FINRA are two of the most important regulatory bodies in the US financial system.
Under SEC 17a-4, financial firms are under continuous observance and face substantial fines for non-compliance. Monetary fines for breaking regulation range from $1,000 to over $140,000 per breach. There are also non-monetary penalties including suspension or expulsion of the responsible individual and/or entire company, depending on the nature of the breach. One example is when Scottrade got fined $2.6 million, and this case is not unique.
With consequences like these, relevant organizations will want to ensure compliance. We’ve listed out some of the challenges organizations can run into for SEC17a-4, and how using the right tool can address these to make sure all is correctly in line.
What four challenges do organizations face with this regulation?
1. Ensuring proper retention for all record types
SEC17a-4, sections a-e outline the rules for records preservation. Organizations will need to make sure that they have the capabilities to properly retain all relevant content for at least six years. And while there are many software vendors that capture and retain emails specifically, organizations must capture and archive all transaction-related data, including any structured and unstructured data records of invoices, contracts, etc.
2. Storing records in a non-rewriteable, non-erasable format
SEC 17a-4(f) states that any electronically stored content must be preserved exclusively in a ‘non-rewriteable, non-erasable format, essentially requiring WORM storage. An official FINRA press release stated that many firms had failed to maintain electronic records in this format when they fined 12 firms over 14 million dollars due to a lack of proper protection from record alterations.
What is WORM storage?
An abbreviation for Write-Once-Read-Many, all data stored in WORM-compliant storage cannot be overwritten, tampered with or deleted. FINRA rules require this standard for SEC 17a-4 compliance to ensure that all business-related records cannot be altered. Lacking this storage-type will result in non-compliance.
3. Scattered systems = lacking ability to discover and retrieve records (including Physical Records)
From the inbox to local file networks, the data that SEC 17a-4 demands be retained can come from one of many different systems. Section 17a-4(j) necessitates the ability to discover and retrieve these records. However, records can get lost across various systems, since not all content is known and/or discoverable without the proper tools. Not being able to search and access content poses a massive risk of non-compliance.
Another challenge can arise with properly storing and retaining physical office records for the necessary two years, which is outlined in SEC17a-4(l).
4. Pass audits to avoid penalties
As discussed in the prior section, consequences of regulation breach are substantial. To avoid fines, loss of certification, loss of credibility, and damaging press coverage, organizations must be able to conduct periodic internal and external audits with FINRA to prove that they are SEC-compliant.
How to overcome the four challenges and ensure SEC 17a-4 compliance
To meet these requirements, financial firms can select tools which not only comply with SEC 17a-4, but automate the retention process to ensure that compliance is achieved without strain or time demand from the organization's end users.
Using a tool like Collabspace, a cloud content management solution, will not only ensure that compliance is met, but will optimize eDiscovery and offer content review and audit features. By using Collabspace, organizations will have...
1. Automated retention and disposition of all record types to ensure SEC 17a-4 compliance
All Collabspace products use a data lake approach to records management, meaning that data is automatically streamed from go-to content sources into a unified cloud repository. Being able to back up and retain all your information ensures not only SEC 17a-4 compliance, but overall security while giving you a full picture of your organizational data as a whole.
This includes emails, Teams communications and any structured data (ex: spreadsheets) or unstructured data (ex: scanned pdfs, images, text-based docs) from repositories like SharePoint or File Shares. Email attachments (including image-based formats) are processed by OCR for text extraction. Full email conversation threads are given conversation IDs to be kept intact, even if they have split off in different directions.
And when a retention period has ended, rules can be created in Collabspace to delete the records that are no longer required. This defensible disposition also includes a disposition certificate to capture and show details around the deletion.
Throughout the lifecycle, geo-replication and container + multi-part item-level encryption ensure the content will be retained securely for SEC17a-4 and disaster recovery purposes. Read more about Collabspace security measures.
2. WORM Storage to prevent alteration
Making the content immutable after the initial write is critical to prevent any tampering or deletion so it is truly locked in and compliant with SEC 17a-4. Every Collabspace product, from ARCHIVE through to CONTINUUM, has WORM-compliant storage to ensure no data can be overwritten or deleted.
Collabspace WORM storage also ensures that recovering data is quick and seamless in the event of accidental deletion or any another incident in the original repositories.
3. Unified content discovery and export capabilities
All content retained in any Collabspace product is discoverable with powerful search available in Collabspace ARCHIVE, and Collabspace DISCOVERY offering even deeper content discovery options, such as automatic optical character recognition (OCR), text extraction and audio/video transcription features.
So whether it be emails, scanned pdfs or even signs or handwritten markings in a picture, they can be made searchable and exported whenever need be.
4. Version Tracking and Audit Lists
With features like version tracking and audit lists, organizations can access and export full audit trails and receive content review notifications. Even if documents or emails have been altered or deleted from their original source, Collabspace will have tracked all activities, including who made changes, when they were made and to what portion of the content. This way, audits can be easily conducted both internally and externally whenever necessary to prove SEC17a-4 regulations are being met.
SEC 17a-4 has specific requirements for financial services organizations to properly retain and manage their electronic business records in WORM-compliant storage. While many organizations have had to pay large fines for failure to do so, this can be avoided by using products such as Collabspace for proper WORM-storage, retention, duplication and audit capabilities.
Want to learn more about how Collabspace can ensure that your organization meets SEC 17a-4, or another, regulation? We work hard to provide products that meet your organization's regulatory requirements. Contact us with your questions, read our Compliance Checklist, or download our free brochure about Collabspace ARCHIVE, DISCOVERY and CONTINUUM features below:
Note: this article was originally published in 2020, and has since been edited and updated by Nadia Lepak to stay current.