March 8, 2017
Planning & Performance
Transferring files to a write once, read many (WORM) solution is not enough to meet regulatory requirements on its own. You have to be able to prove that the associated metadata, indices, and other information are also protected. Reducing both financial and reputational risk, while providing peace of mind for marketing and compliance leaders, is the key benefit of enforcing retention policies for compliance with FINRA 17a-4, SEC 204-2, and other record retention policies requiring permanent, immutable storage such as a WORM.
Marketers in Financial Services have a responsibility to maintain accurate records of communications and information that need to be:
The Securities Exchange Act (SEA) provides necessary guidance and establishes requirements for securities transactions. The Financial Industry Regulatory Authority (FINRA) further defines how certain firms must retain and manage records. Organizational leaders tasked with collecting, maintaining, and storing records are faced with multiple logistical and risk-centric challenges.
First, ask yourself whether your marketing assets are subject to regulatory retention policies, or if your organization’s own compliance requirements are driving the need. Marketing assets such as logos, photographs, banners, or videos may not seem to fall under the requirements for record retention, but it’s important to know for certain. Work management systems are often used to manage the production and approval of certain types of records, such as procedure manuals or training materials for brokers or agents which are definitely subject to storage requirements.
So how does a Financial Services marketing department ensure an effective strategy for FINRA 17a-4 WORM compliance?
Section 17(a) of the Securities Exchange Act of 1934, and more precisely, Rules 17a-3 and 17a-4 (“The Rules”), require that broker-dealers (the “Firm”) create and maintain a thorough record of not only each securities transaction effected by the Firm, but also of its securities business in general.
Which regulation covers the requirements for storage of records?
As Financial Services regulations go, FINRA 17a-4 is fairly straightforward. But, like most regulations, the devil is in the details.
Originally, the rules applied to paper records and micro-film or microfiche. In 1997, the rules were amended to provide for the use of electronic storage for record retention. Although the rules do not specify any particular technology, they do set forth certain requirements for electronic storage.
17a-4 compliance can be deconstructed into five elements that a company’s approach must demonstrate: the five “-abilities,” if you will.
Immutability means that the final version of the communications or marketing assets and related documentation—as well as any relevant metadata—must be written to an unchangeable archive device, such as a WORM (write once, read many) drive. This ensures that data cannot be changed once it’s written to the device, even by system administrators or “super users.”
Discoverability is the need to have this archive be indexed in a way that makes it fully searchable by the metadata and key attributes so that any information in the communication can be retrieved and reviewed.
Additionally, part of this, 17a-(a)(21), includes that there be “Persons to explain Records and their Content.” This means that there needs to be a listing of the personnel at a particular office who can, with no delay, explain the various information held in the archive and decode how the firm creates, stores, names, and organizes these records.
Auditability covers the need to log and record every event that occurs from the first writing of the data to the moment it is destroyed. Think of it as a “chain of custody” for your archived communications in a worm compliant database.
While 17a-4 specifies the minimum retention period of data (three years), your organization’s timeframe may vary. And even after a file reaches the end of its regulatory retention period, holds placed on the file by your legal team may extend that time. Therefore, the system must support the ability to retain different records per your company’s retention policies and procedures while being sensitive to legal holds. When all of those policies expire, you end up at the last “-ability.”
The final step for retained records is their expiration and destruction. Financial institutions do not want to hold records for a moment longer than their policies require. Although it’s not explicitly called out in FINRA 17a-4, a key piece of this is the ability to destroy the records when they expire. Your organization will have record-destruction policies that dictate the method of destruction and how many times the device would be overwritten to eradicate any trace of data.
How do you ensure that your company complies with SEA FINRA 17a-4 by putting the five “-abilities” to work?
With content operations technology seamlessly working with your immutable storage.
To make sure that your company’s technology helps you comply with FINRA 17a-4, consider these questions:
Can we back up these records to compliant storage at an offsite location?
As customers are becoming more and more demanding with personalized experiences, the ability for teams within marketing and customer experience to scale content production without sacrificing compliance has become a basic requirement.
Content operations solutions, like Aprimo, are modern, vital components of your compliance strategy. A complete content operations solution ensures that the content you’re distributing is being planned, approved, and created in a single solution that supports WORM compliance.
If you’re at a firm that handles investments (broker-dealer) and your marketing tech stack doesn’t include a WORM-compliant solution for marketing communications, it’s time to close that gap and reduce human error as much as possible—before you incur penalties and fines.
For more information on these regulations, visit these supporting sources:
Be sure to consult your corporate counsel or compliance officer to ensure that you fully understand your company’s policies and procedures as it relates to FINRA 17a-3 and 17a-4 compliance.