In a much anticipated (and, to many, long overdue) release published in mid-November, the U.S. Securities and Exchange Commission (SEC) proposed to update its decades-old recordkeeping requirements for broker-dealers to, among other things, allow for electronic records to be retained in a manner other than “exclusively in a non-rewriteable, non-erasable format” (aka write once, read many, or WORM). The proposal would allow electronic records to be retained, as an alternative to WORM, using an audit-trail methodology.
Under the current recordkeeping requirement for broker-dealers, set forth in SEC Rule 17a-4, broker-dealers may retain records in paper format or electronically. Currently, records retained electronically must, among other things, be retained in WORM format. This has increasingly led to challenges in compliance with electronic recordkeeping requirements, particularly with dynamic records, and has led to broker-dealers’ typically needing two separate record systems — one for use in day-to-day business activities (including responding to regulatory requests) and one solely for WORM storage purposes (and responding to regulatory requests that specifically ask for the WORM-compliant version of a record). The WORM storage requirement, first adopted in 1997, is not standard in the data storage industry, with the result that broker-dealer record storage costs have not decreased in line with costs in the remainder of the data storage industry.
While the audit-trail proposal is still more prescriptive than the “principle-based requirements” imposed under the Commodity Futures Trading Commission’s electronic recordkeeping rule, it should provide broker-dealers with more flexibility, modernity, and clarity concerning record retention than the current rule. It should also help reduce costs, at least in the future: Unfortunately, the proposal would apply only prospectively, and so the financial and nonfinancial burdens of WORM would remain for records in existence at the time of the rule adoption. As a result, broker-dealers may have to consider the practical implications of moving away from WORM-compliant systems, particularly as it relates to the cost and efficiency of maintaining required records. Broker-dealers should look closely at the proposed changes and begin assessing and discussing with their IT professionals and third-party vendors the opportunities and burdens of converting record retention to a new non-WORM system, exclusively to the future. For now, broker-dealers are well advised to continue to meet the WORM requirement in current Rule 17a-4 for any new electronic records until the proposal is adopted.
Comments on the rule proposal are due January 3, 2022.
Proposed Audit-Trail Alternative to WORM
The proposed amendments to Rule 17a-4 would provide an audit-trail alternative to the current WORM requirement — specifically, by permitting storage on a system that would allow for the recreation of an original record if it is altered, overwritten, or erased. The audit trail system would need to preserve the records for their applicable retention period, in a manner that maintains a complete time-stamped audit trail that includes
- all modifications to and deletions of a record or any part thereof
- the date and time of operator entries and actions that create, modify, or delete the record
- the individual(s) creating, modifying, or deleting the record
- any other information needed to maintain an audit trail of each distinct record in a way that maintains security, signatures, and data to ensure the authenticity and reliability of the record and will permit re-creation of the original record and interim iterations of the record
Emergency Access to Records Requirements
In addition to the audit trail alternative, the proposal would amend the existing requirement, applicable to broker-dealers who exclusively retain certain records electronically, to designate a third party to undertake to provide “emergency” access to such records upon request of the SEC and other securities regulators. Specifically, the proposal would replace the third party with a senior officer of the broker-dealer who has independent access to and the ability to provide such records. This amendment brings in-house a responsibility that third-party vendors and broker-dealers have looked on with increased reluctance as cybersecurity concerns continue to rise. This proposed amendment also shifts the burden of liability for compliance to such in-house senior official.
Replacement of Audit System
The proposed amendments would also replace the “audit system” requirement with a specific list of information that broker-dealers must record, and be able to produce upon request, as part of its “auditable system of controls.” The list includes, among other things, (1) each input, alteration, or deletion of a record; (2) the names of individuals inputting, altering, or deleting a record; and (3) the date and time such individuals input, altered, or deleted the record.
Elimination of FINRA First-Use and Escrow Requirements
The proposal would also eliminate (1) the “first-use” requirement to notify the Financial Industry Regulatory Authority (or the broker-dealer’s other designated examining authority) at least 90 days before using a new electronic recordkeeping system and (2) the requirement to keep in “escrow” a current copy of the physical and logical file format or information necessary to access the broker-dealer’s records.
Parallel Amendments to Recordkeeping Rules for Security-Based Swap Entities
Separately, the proposal would also amend SEC Rule 18a-6, applicable to nonbank security-based swap dealers and major security-based swap participants, to require, among other things, that their electronic recordkeeping systems preserve electronic records consistent with Rule 17a-4, as amended (i.e., in WORM or via the audit-trail alternative) and that a senior officer make the emergency access undertaking.
Although the long-awaited proposed amendments present opportunities for less onerous recordkeeping requirements, the proposed amendments would apply only to newly created records, not to those created prior to the compliance date of the final adoption of the proposed amendments. As such, broker-dealers are well advised to continue to meet the WORM requirement in current Rule 17a-4 for any new electronic records until the proposal is adopted.