Five questions about books and records compliance
A conversation with Bart Siegel and Paul Yackinous
For many years, the Financial Industry Regulatory Authority (FINRA) has demonstrated its oversight of financial institution electronic communications with dozens of enforcement actions and millions of dollars in fines. At the same time, regulators have largely not focused on other records, such as trade blotters, transaction logs, and client onboarding communications. Many of the enforcement actions to-date that reference record-keeping requirements are secondary to other rule violations, including the inability to produce records or inaccurate records being produced. That being said, we are starting to see increased interest and scrutiny by the regulators in electronic record-keeping requirements beyond email.
Starting in early 2016, FINRA signaled increased interest in institutions’ other books and records, including documents and database records (as indicated in its enforcement priorities). It should also be noted that participants in the futures markets should expect that the Commodity Futures Trading Commission (CFTC) will be focusing on record-keeping. Finally, broker-dealers and futures markets participants can benefit from recognizing this increased focus and taking steps to review and, as necessary, shore up their record-keeping technology implementations and governance.
Bart Siegel, managing director, Deloitte Transactions and Business Analytics LLP, and Paul Yackinous, senior manager, Deloitte Transactions and Business Analytics LLP, answer the top five questions you need to know about FINRA's regulations regarding books and records compliance:
What are the regulatory requirements pertaining to the electronic storage of SEC and CFTC required books and records?
Securities and Exchange Commission (SEC) Rule 17a-3 and related regulations catalog the broad range of record types that FINRA members, brokers, and dealers are required to preserve. The CFTC’s rules also establish like requirements for futures market participants. The conditions under which these records must be kept are documented in SEC Rule 17a4-f and CFTC Rule 1.31(b) respectively.
A large broker-dealer may be required to produce and properly store several hundred different types of records, largely based on the types of products they sell, market, or service. Similarly, those firms involved in futures are required to produce a similarly large number of records, including notably database records, voice recordings, and other complex record types. In addition to the sheer number of record types, many of the records are assembled from data stored in multiple information systems, external sources, and markets.
What factors are driving the increased emphasis on books and records?
Both FINRA and the CFTC have signaled a growing focus on records. FINRA-ordered restitution payments to investors tripled from 2014 to 2015. Among FINRA’s 2016 enforcement priorities is the review of firms’ ability to protect customer information in accordance with SEC Rule 17a-4(f). Such protection includes the preservation of electronically stored records in a non-rewriteable, non-erasable format. Also, the FINRA Series 27–Financial and Operations Principal Exam (FN) exam now includes questions regarding how firms maintain required books and records beyond those pertaining to electronic communications.
CFTC enforcement of Rule 1.31(b) appears on the upswing, too. Evidence of this shift can be seen in commission activity in 2016, including ongoing enforcement actions involving multiple institutions for failure to create, maintain, and produce trade records.1
As an aside, we are seeing a significant uptick in inquiries about books and records from our clients who are broker-dealers, futures market participants, and service providers, both pro-actively and as a result of regulatory action. We are also assisting several clients on remediation of electronic record-keeping systems, enhancements in records inventories/retention schedules, and establishment of regulated books and records governance programs.
What are some of the potential risks associated with increasing FINRA and CFTC enforcement?
Many large firms have faced enforcement actions regarding the electronic communications aspects of Rule 17a-4(f) in past years. In such cases, the SEC typically issues a fine and, importantly, enjoins the firm against violating that rule again. Firms that have already seen enforcement actions related to electronic communications face increased scrutiny and regulatory action if they are found to be violating SEC Rule 17a-4 with respect to other books and records.
In addition, many firms do not have the inventory of records required based on regulation fully documented. Since these records go far beyond electronic communications, it may be difficult for firms to understand their regulatory exposure.
What are some challenges that firms face in addressing the expanding FINRA and CFTC scrutiny?
Often, the first challenge for firms is to identify which records they need to produce and retain. Building an inventory starts with understanding the products around which the firm conducts business, which rules apply to those products, and what records the rules require be created. In completing these inventory exercises, some firms have found that they are either not storing required records appropriately, or are not creating the records in the first place. Both types of shortcomings must be addressed to remain compliant and avoid enforcement actions.
Another challenge is understanding and applying regulatory requirements written to address antiquated technologies, such as optical platters, microfiche, and microfilm, to today’s complex world of integrated software and hardware archives. Understanding the nuances of the record-keeping requirements will require involvement of technology professionals, compliance officers, and legal departments as well as outside counsel.
What actions can firms take to address increasing books and records scrutiny and potential sanctions?
An important first step is to assemble a books and records task force or steering committee. This group, which can include such stakeholders as legal, compliance, risk, records management, IT, and business operations, provides the structure for the records inventory and subsequent action. Next steps can include technology and business representatives working jointly to develop requirements for Rule 17a-4(f) and Rule 1.31(b) compliance based on reasonable regulatory interpretation. Further, firms should evaluate their electronic record-keeping systems for adherence to their record-keeping requirements.
Also important is establishing governance, risk, and control frameworks that foster compliance sustainability. Without ongoing management, compliance status can quickly deteriorate.
The complexity of establishing a books and records framework and related processes may compel a bank or firm to seek outside support. In selecting counsel, it is important to consider resources with both broad experience in regulatory communications and specific expertise in books and records.