Deconstructing SEA FINRA 17a-4 (WORM Compliance)

Transferring files to a write once, read many (WORM) solution is not enough to meet regulatory requirements on its own. You have to be able to prove that the associated metadata, indices, and other information are also protected. Reducing both financial and reputational risk, while providing peace of mind for marketing and compliance leaders, is the key benefit of enforcing retention policies for compliance with FINRA 17a-4, SEC 204-2, and other record retention policies requiring permanent, immutable storage such as a WORM.

Marketers in Financial Services have a responsibility to maintain accurate records of communications and information that need to be:

  • In a static, but searchable format
  • Accessible at a moment’s notice
  • Retained for years

The Securities Exchange Act (SEA) provides necessary guidance and establishes requirements for securities transactions. The Financial Industry Regulatory Authority (FINRA) further defines how certain firms must retain and manage records. Organizational leaders tasked with collecting, maintaining, and storing records are faced with multiple logistical and risk-centric challenges.

First, ask yourself whether your marketing assets are subject to regulatory retention policies, or if your organization’s own compliance requirements are driving the need. Marketing assets such as logos, photographs, banners, or videos may not seem to fall under the requirements for record retention, but it’s important to know for certain. Work management systems are often used to manage the production and approval of certain types of records, such as procedure manuals or training materials for brokers or agents which are definitely subject to storage requirements.

So how does a Financial Services marketing department ensure an effective strategy for FINRA 17a-4 WORM compliance?

Beginning with The Basics: FINRA 17a-4 WORM Compliance

Section 17(a) of the Securities Exchange Act of 1934, and more precisely, Rules 17a-3 and 17a-4 (“The Rules”), require that broker-dealers (the “Firm”) create and maintain a thorough record of not only each securities transaction effected by the Firm, but also of its securities business in general.

These rules establish minimum requirements for recordkeeping:

  • Rule 17a-3 defines which records broker-dealers must retain securities records, order tickets, trade confirmations, account statements, trade blotters, ledgers: asset and liability, customer account, income, along with trial balances, and employment-related documents.
  • Rule 17a-4 defines the record retention policy—the time and manner in which these records must be maintained. Additionally, the Financial Industry Regulatory Authority (FINRA) imposes certain record keeping requirements firms who are members of that Self-Regulatory Organization (SRO).
  • Sub parts of SEA Rules 17a-4 specifically impact marketers, as they impose requirements of the preservation and content of internal and external communications by the company. Sub Part 17a-4 b)(4): The rules require the preservation of all inter-office message and other internal communications.
  • Sub Part 17a-4(e)(7): Compliance, supervisory, and procedures manuals.

The Five “-abilities” Intrinsic to 17a-4 WORM Compliance

As Financial Services regulations go, FINRA 17a-4 is fairly straightforward. But, like most regulations, the devil is in the details.

Originally, the rules applied to paper records and micro-film or microfiche. In 1997, the rules were amended to provide for the use of electronic storage for record retention. Although the rules do not specify any particular technology, they do set forth certain requirements for electronic storage.

17a-4 compliance can be deconstructed into five elements that a company’s approach must demonstrate: the five “-abilities,” if you will.

  • Immutability
  • Discoverability
  • Auditability
  • Retainability
  • Destructibility

IMMUTABILITY: ENSURING FINRA 17A-4 WORM COMPLIANCE WITH DATA STORAGE

Immutability means that the final version of the communications or marketing assets and related documentation—as well as any relevant metadata—must be written to an unchangeable archive device, such as a WORM (write once, read many) drive. This ensures that data cannot be changed once it’s written to the device, even by system administrators or “super users.”

DISCOVERABILITY: EASILY INDEXABLE FINRA APPROVED MARKETING PLATFORMS

Discoverability is the need to have this archive be indexed in a way that makes it fully searchable by the metadata and key attributes so that any information in the communication can be retrieved and reviewed.

Additionally, part of this, 17a-(a)(21), includes that there be “Persons to explain Records and their Content.” This means that there needs to be a listing of the personnel at a particular office who can, with no delay, explain the various information held in the archive and decode how the firm creates, stores, names, and organizes these records.

AUDITABILITY: WORM COMPLIANT SOLUTIONS SIMPLIFY DATA LOGS

Auditability covers the need to log and record every event that occurs from the first writing of the data to the moment it is destroyed. Think of it as a “chain of custody” for your archived communications.

RETAINABILITY: ADAPTABLE FINRA RECORD RETENTION

While 17a-4 specifies the minimum retention period of data (three years), your organization’s timeframe may vary. And even after a file reaches the end of its regulatory retention period, holds placed on the file by your legal team may extend that time. Therefore, the system must support the ability to retain different records per your company’s retention policies and procedures while being sensitive to legal holds. When all of those policies expire, you end up at the last “-ability.”

DESTRUCTIBILITY: SEC RULES 17A-4 AND RECORD ERADICATION

The final step for retained records is their expiration and destruction. Financial institutions do not want to hold records for a moment longer than their policies require. Although it’s not explicitly called out in FINRA 17a-4, a key piece of this is the ability to destroy the records when they expire. Your organization will have record-destruction policies that dictate the method of destruction and how many times the device would be overwritten to eradicate any trace of data.

The Right Technology Makes FINRA 17a-4 WORM Compliance Easy

How do you ensure that your company complies with SEA FINRA 17a-4 by putting the five “-abilities” to work?

With content operations technology seamlessly working with your immutable storage.

To make sure that your company’s technology helps you comply with FINRA 17a-4, consider these questions:

  • Can I “lock down” all communications and marketing assets and their associated metadata to prevent further edits, but still provide search functionality?
  • Can I quickly produce the required information to comply with Legal and Compliance audit requests?
  • Does my technology have the capability to retain different records according to my company’s retention policies and procedures?

Can we back up these records to compliant storage at an offsite location?

Content Operations as a Backbone of your Compliance

As customers are becoming more and more demanding with personalized experiences, the ability for teams within marketing and customer experience to scale content production without sacrificing compliance has become a basic requirement.

Content operations solutions, like Aprimo, are modern, vital components of your compliance strategy. A complete content operations solution ensures that the content you’re distributing is being planned, approved, and created in a single solution that supports WORM compliance.

If you’re at a firm that handles investments (broker-dealer) and your marketing tech stack doesn’t include a WORM-compliant solution for marketing communications, it’s time to close that gap and reduce human error as much as possible—before you incur penalties and fines.

For more information on these regulations, visit these supporting sources:

Be sure to consult your corporate counsel or compliance officer to ensure that you fully understand your company’s policies and procedures as it relates to FINRA 17a-3 and 17a-4 compliance.

About the Author

Brett Molotsky is Aprimo’s Vice President of Industry Solutions. He has spent the majority of his career helping enterprises leverage technology to meet customer needs while enforcing compliance with internal and external policies. As a thought leader in this space he has published several articles and has authored a book on applying business requirements to technology solutions. He currently resides in Southern California and has been with Aprimo since 2006.

More Content By BRETT MOLOTSKY
Brett Molotsky, Vice President of Industry Solutions, Aprimo
 

Join over 45,000 people who receive marketing insights every two weeks.

By signing up you agree to our Privacy Policy.