Deconstructing SEA FINRA 17a-4 (WORM Compliance)

Reducing both financial and reputational risk, while providing peace of mind for marketing and compliance leaders, is the key benefit of FINRA 17a-4 WORM compliance and regulated record retention policies. As marketers in Financial Services, we have a responsibility to maintain accurate records of communications and information.

These records need to be:

  • In a static, but searchable format
  • Accessible at a moment’s notice
  • Retained for a minimum of several years

The Securities Exchange Act (SEA) provides necessary guidance and establishes requirements for securities transactions. The Financial Industry Regulatory Authority (FINRA) further defines how certain firms must retain and manage records. Organizational leaders tasked with collecting, maintaining, and storing records are faced with multiple logistical and risk-centric challenges.

So how does a Financial Services marketing department ensure an effective strategy for FINRA 17a-4 WORM compliance?

Beginning With The Basics: FINRA 17a-4 WORM Compliance

Section 17(a) of the Securities Exchange Act of 1934, and more precisely, Rules 17a-3 and 17a-4 (“The Rules”), require that broker-dealers (the “Firm”) create and maintain a thorough record of not only each securities transaction effected by the Firm, but also of its securities business in general.

These rules establish minimum requirements for recordkeeping:

  • Rule 17a-3 defines which records broker-dealers must retain: securities records, order tickets, trade confirmations, account statements, trade blotters, ledgers (asset and liability, customer account, income), along with trial balances and employment-related documents.
  • Rule 17a-4 defines the record retention policy—the time and manner in which these records must be maintained. Additionally, the Financial Industry Regulatory Authority (FINRA) imposes certain recordkeeping requirements on firms that are members of that Self-Regulatory Organization (SRO).

It’s the sub-part SEC Rule 17a-4(b)(4) that specifically impacts marketers, as it imposes requirements on the preservation and content of internal and external communications by the Firm.

  • Internal Communications: The rules require the preservation of all inter-office messages and other internal communications.

The Five “-abilities” Intrinsic to 17a-4 WORM Compliance

As Financial Services regulations go, FINRA 17a-4 is fairly straightforward. And, like most regulations, the devil is in the details. Originally, the rules applied to paper records and micro-film or microfiche. In 1997, the rules were amended to provide for the use of electronic storage for record retention. Although the rules do not specify any particular technology, they do set forth certain requirements for electronic storage.

When I talk to a marketer about 17a-4 compliance, I deconstruct it into five elements that their firm’s approach must provide: the five “-abilities,” if you will.

  • Immutability
  • Discoverability
  • Auditability
  • Retainability
  • Destructibility

Immutability: Ensuring FINRA 17a-4 WORM Compliance With Data Storage

Immutability means that the final version of the communications or marketing assets and related documentation—as well as any relevant metadata—must be written to an unchangeable archive device, such as a WORM (write once, read many) drive. This ensures that data cannot be changed once it’s written to the device.

Discoverability: Easily Indexable FINRA Approved Marketing Platforms

Discoverability is the need to have this archive be indexed in a way that makes it fully searchable by the metadata and key attributes so that any information in the communication can be retrieved and reviewed.

Additionally, part of this, 17a-(a)(21), requires that there be “Persons to explain Records and their Content.” This means that there needs to be a listing of the personnel at a particular office who can, with no delay, explain the various information held in the archive and decode how the firm creates, stores, names, and organizes these records.

Auditability: WORM Compliant Solutions Simplify Data Logs

Auditability (my favorite made-up word) covers the need to log and record every event that occurs from the first writing of the data to the moment it is destroyed. Think of it as a “chain of custody” for your archived communications.

Retainability: Adaptable FINRA Record Retention

While 17a-4 specifies the minimum retention period of data (three years), your organization’s timeframe may vary. Therefore, the system must support the ability to retain different records per your company’s retention policies and procedures. When those policies expire, you end up at the last “-ability.”

Destructibility: SEC Rules 17a-4 and Record Eradication

The final step for retained records is their expiration and destruction. Financial institutions do not want to hold records for a moment longer than their policies require. So although it’s not explicitly called out in FINRA 17a-4, a key piece of this is the ability to destroy the records when they expire. Your organization will have record-destruction policies that dictate the method of destruction and how many times the device would be overwritten to eradicate any trace of data.

The Right Technology Makes FINRA 17a-4 WORM Compliance Easy

How do you ensure that your company complies with SEA FINRA 17a-4 by putting the five “-abilities” to work? Through marketing operations technology. This is 2017, after all.

To make sure that your company’s technology helps you comply with FINRA 17a-4, consider these questions:

  1. Can I “lock down” all communications and marketing assets and their associated metadata to prevent further edits, but still provide search functionality?
  2. Can I quickly produce the required information to comply with Legal and Compliance audit requests?
  3. Does my technology have the capability to retain different records according to my company’s retention policies and procedures?
  4. Can we back up these records to compliant storage at an offsite location?

If you’re at a firm that handles investments (broker-dealer) and your martech stack doesn’t include a WORM-compliant solution for marketing communications, it’s time to close that gap – before you incur penalties and fines. It’s time to invest in a marketing operations platform that automates these procedures. Of course, Aprimo can help.

For more information on these regulations, visit the following supporting sources:

SEC Interpretation: Electronic Storage of Broker-Dealer Records

(17a-3) Records to be Made by Certain Exchange Members, Brokers and Dealers

(17a-4) Records to be Preserved by Certain Exchange Members, Brokers and Dealers

This author is not a lawyer… he hasn’t even played one on TV. However, he has two decades of success operating at the intersection of Marketing, Technology, and CRM for global enterprises. Consult your corporate counsel or compliance officer to ensure that you understand your company’s policies and procedures as they relate to FINRA 17a-3 and 17a-4 compliance.

About the Author

The Aprimo Mobilizer represents a collection of experts at Aprimo who have specialities across every industry we serve. From in-depth analysis to groundbreaking ideas, articles published under Aprimo Mobilizer demonstrate some of Aprimo’s brightest minds addressing complex marketing challenges.

