Regulatory audits can be demanding on your business system – even more so when focused on the technical aspects of your business operations. Many broker-dealers can struggle to be “audit ready” for compliance with the records retention provisions (see Rule 17a-4) of the Exchange Act. Being prepared is the best protection for your business, and the best way to ensure a positive audit with no punitive action by regulators. Here’s a few important and manageable steps to take to have successful audits of your records retention compliance.
Review (and Enhance) Your Records Retention Processes
Your technology and data infrastructure isn’t in a fixed state. It’s constantly evolving, with new tools and services added on a regular basis. Each of these enhancements may require you to revisit your data retention program. SEC Rule 17a-4 provides a framework for proper records retention: how long electronically-preserved records should be retained (can be over 6 years), what format they should be retained (‘must be preserved exclusively in a non-rewriteable, non-erasable format’), and what forms of records fall under the regulator’s definition of Books and Records. Without exception, you must conduct an annual internal data retention audit. Make sure the scope of that audit not only assesses the integrity and consistency of the retention process, but also examines that all data subject to retention requirements is in your retention program. Firms that are offside with the retention requirements of Rule 17a-4 can face very substantial findings and fines. Recently, a firm was ordered to pay a fine of $175,000 for improper retention of trade confirmations, statements and instant messages. The firm had also failed to ensure that millions of electronic records that were preserved in a WORM compliant format. Read more about FINRA’s actions against the firm here.
Communicate Regularly with Regulators
Don’t wait for your audit! Your regulators can be an agent in your success, especially if you keep open communication with them. In general, audits are smoother when a regulator is not surprised by changes in policy and procedure. Tactically, as you move to enhance your data retention pursuant to Rule 17a-4, it is critical that you provide at least a 90-day notice to your designated examining authority prior to your beginning use of electronic retention. Ask your records retention vendor and your Designated Third Party partner for assistance with communication materials and support. Increase your examination success and ease by communicating regularly with your regulators to notify them of material changes in your business.
Implement a Rigorous Self-Auditing Program
You have systems and processes to monitor your compliance and general compliance reporting and you conduct periodic spot checks of the execution of that to ensure your day-to-day activities are tight. It is critical that you deploy an auditing system that examines your records retention processes. According to Exchange Act Rule 17a-4(f)(3)(v), broker-dealers are required ‘to have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved.’
Remember: Your Designated Third Party is Your Partner
The role of a Designated Third Party is to be the go-to resource for the regulator with respect to validating and interpreting the retained records. The scope of responsibility is specifically summarized in the regulation section 17a-4(f)(3)(vii). They will file a Letter of Undertaking acknowledging their role as your Designated Third Party. Most importantly, your Designated Third Party should assist you with an annual review of your records retention readiness.
Protect your business by ensuring your compliance with SEC records retention requirements. Xtiva customers have access to Xtiva Vault, a modern, immutable data retention service designed to manage and protect critical business operations data, most notably books and records information. Xtiva Vault complies with SEC Rule 17a-4 requirements.