How to Comply with Rule 17a-4

In January, the Financial Industry Regulatory Authority (FINRA) released its 2017 Annual Regulatory and Examination Priorities Letter to inform firms about weaknesses in regulatory programs and ways they can strengthen compliance, supervisory and risk management controls to protect investors, the markets and themselves.

One area the letter pointed to was the failure of many firms to comply with Rule 17a-4(f) under the Securities Exchange Act (SEA), which requires firms to, among other things, preserve certain records in a non-rewriteable, non-erasable format. Put another way, SEA Rule 17a-4(f) requires a broker-dealer (B/D) to retain and index numerous types of transactions with immediate access for a specific period of time.

When you break down the 65-page document, there are two main requirements:

  1. Compliant Data Backup: 17a-4(f)(3)(iii) requires a B/D to store separately from the original, a duplicate copy of the [firm's electronic records]

  2. Third-Party Access (TPA or D3P): 17a-4(f)(3)(vii) requires a B/D to engage the services of at least one-third partywho has access to and the ability to download information from the [B/D's] electronic storage media.

So what do these FINRA regulations mean for you? And how can you properly comply with them?

Small firms tasked with FINRA compliance regulations face unique challenges and pressing demands due to this SEC ruling - especially with the limited budgets they have. All record types falling under this regulation and electronic storage systems to manage these records must meet specific conditions. In fact, FINRA announced enforcement actions against 12 firms for failure to preserve B/D and customer records in the appropriate format.

It's essential to find a third-party firm that not only understands the ins-and-outs of these regulations but has a consolidated solution to store and archive data. After implementation, you must continue to regularly test internal controls and identify gaps - especially if your company is growing or changing compliance systems.

To dig into the details, let's discuss compliance requirement 17a-4(f)(2)(ii)(A): A firm must preserve the records in a non-rewritable, non-erasable format. Essentially, electronic records must be maintained in an unalterable form so they can be accurately reproduced for later reference.

To meet these requirements, your software solution must utilize integrated control codes. This could be a unique record identifier, a date and time stamp or special marking to differentiate the document from others. Plus, a systematic retention period must define a period in which the records could not be erased. At that point, you're in compliance.

When configured to your unique business, a robust information governance and data management solution should automatically define the classification of documents - eliminating any manual classification and ensuring all relevant documents fall under management regardless of their location.

With our solutions from DRS Imaging, you can do this in three ways:  (1) document attribute classification that enables high performance on high volumes of data; (2) application of pattern analysis; or (3) inguistic-statistical analysis based on machine learning. Each of these three out-of-the-box capabilities not only fulfills 17a-4 requirements but also enables verifiable and auditable document classification.

When you implement our technology, structured and unstructured enterprise data can be accurately classified and managed. You'll also be using centralized policy management to set and lock retention policies - without giving end users the ability to modify defined processes. Take this example: If a file is archived and moved, the file classification stays the same, and the file cannot be deleted if it's within the retention period.

Whether you're a firm facing FINRA compliance rules or not, you should take these regulations and considerations seriously. Complying with SEA rules can make or break your business if an audit occurs, or if you're asked to retain specific documents in a lawsuit. Be prepared and learn how to tackle the FINRA record retention policies outlined in Regulation 17a-4.