Books and Records

Regulatory Obligations

SEA Rules 17a-3 and 17a-4 specify minimum requirements with respect to the records that broker-dealers must make, how long those records and other documents relating to a broker-dealer’s business must be kept, and in what format they may be kept. SEA Rule 17a-4(b)(4) and FINRA Rules 3110(b)(1) (Supervision), 3110.09 (Retention of Correspondence and Internal Communications), and 2210(b)(4) (Communication with the Public) require firms to establish, maintain and enforce written procedures to supervise the types of business in which they engage and the activities of their associated persons that are reasonably designed to, among other things, create and preserve, in an easily accessible place, originals of all communications received and sent relating to their “business as such” (e.g., emails, instant messages, text messages, chat messages, interactive blogs). In addition, FINRA Rule 3110(b)(1) (Written Procedures) requires firms to establish, maintain and enforce written procedures to supervise the types of business in which they engage and the activities of their associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules.

FINRA Rule 4511(a) (General Requirements) requires firms to make and preserve books and records as required under the FINRA Rules, the SEA and applicable SEA Rules. The obligations set forth in SEA Rules 17a-3 and 17a-4 and FINRA Rules 2210(b)(4) and 4511(a) (collectively, Books and Records Rules) apply to all firms.

SEA Rule 17a-4 sets forth the requirements regarding the maintenance and preservation of electronic records, including the use of third-party recordkeeping services to hold records and the prompt production of records. Effective January 3, 2023, the SEC amended these requirements. In part, these amendments impact the required language of the third-party access undertakings applicable to firms that use an electronic recordkeeping system to maintain and preserve records required under SEA Rules 17a-3 and 17a-4. As a result, those firms that preserve required records electronically, including those firms that elect to continue using their current third-party access arrangements, must file with FINRA updated third-party access undertakings that reflect the new language specified under SEA Rule 17a-4(f)(3)(v). 

Recent Amendments Concerning FINRA Rule 2231 (Customer Account Statements)

  • Effective January 1, 2024, FINRA Rule 2231 (Customer Account Statements) now includes eight supplementary material sections, one of which pertains to the disclosure of a customer's assets that are not held at the firm.
  • FINRA Rule 2231.06 (Assets Externally Held) provides that for a customer's externally held assets, the customer's account statement must:
    • clearly identify and distinguish those assets on customer account statements; 
    • clearly indicate that such externally held assets are included on the statement solely as a courtesy to the customer; 
    • disclose that information, including valuation, for such externally held assets is derived from the customer or other external source for which the firm is not responsible; and 
    • identify that such externally held assets may not be covered by Securities Investor Protection Corporation (SIPC). 
  • For additional guidance—including summaries of all eight Supplementary Materials sections and the amended text for the rule—please see Regulatory Notice 23-02 (FINRA Amends FINRA Rule 2231). 

Findings and Effective Practices

Findings

  • Not Maintaining Email Correspondence: Not capturing, reviewing and archiving electronic correspondence of associated persons—including part-time chief compliance officers and Financial and Operations Principals (FINOPs)—conducting firm business via third-party vendor email addresses.
  • Not Maintaining Electronic Communications: Not retaining, archiving and reviewing non-email electronic communications conducted through firm-approved channels. 
  • Not Maintaining Converted Records: Not maintaining policies and procedures and related controls to protect the integrity of records from the time the records are created or received throughout the applicable retention period, and to confirm that physical books and records converted to electronic records were accurate, complete and readable.
  • Inadequate Due Diligence of Third-Party Vendors: Not performing adequate due diligence to verify third-party vendors’ ability to comply with Books and Records Rules requirements; or not confirming that service contracts and agreements comply with applicable Books and Records Rules, including records stored by third-party vendors.
  • Inadequate Supervision:
    • Not reviewing electronic communications for indications of associated persons’ potential use of off-channel communications.¹
    • Not establishing procedures and controls to retain and review written, business-related electronic communications made through non-firm-approved email accounts and other communication tools.
    • Not preserving and reviewing business-related text messages. 
  • Inadequate WSPs: Relying on policies and procedures that were overly general and did not adequately specify:
    • permitted and prohibited platforms;
    • methods to determine if registered representatives are engaging in business communications on unapproved platforms; and
    • corrective actions for registered representatives if they violate firm policy and engage in business communication using unapproved platforms.
  • Contacting Firm Customers Through Off-Channel Platforms: Associated persons using personal email accounts and other off-channel platforms to communicate with customers when conducting firm business.
  • Inadequate Reviews: Reviewing electronic communications without selecting adequate samples or using targeted key word searches; and not reviewing electronic communications in non-English languages in which the member conducts business.
  • Inadequate Third-Party Vendor Supervision: Not properly supervising third-party vendors that support firms’ monitoring of their associated persons’ electronic communications, resulting in firms not supervising or retaining communications.

Effective Practices

  • Testing and Verification: Testing recordkeeping third-party vendors’ capabilities to fulfill regulatory obligations by, for example, simulating a regulator’s examinations by requesting records to confirm compliance with the recordkeeping requirements.
  • Providing Appropriate Access to Books and Records: If your firm uses a part-time Financial and Operations Principal (FINOP), contracted chief compliance officer (CCO), or a part-time employee or contractor for other roles, ensuring there is a process in place to set up appropriate access to the firm’s books and records to allow for the individuals to fulfill their regulatory obligations.
  • Supervisory Procedures: 
    • Monitoring for indications that associated persons are using off-channel communications (e.g., a decrease or cessation in activity on certain previously used firm-approved communication channels or tools).
    • Frequently revising key words used to surveil for associated persons’ potential use of off-channel communications, and tailoring key word searches to the business models.

¹ In the context of the Report, “Off-Channel Communications” are defined as business-related communications sent or received on a communication tool that has not been authorized for business use. The term “Off-Channel Communications” can include, but is not limited to, electronic messaging services such as instant messaging applications, text messages, personal email, direct messaging applications, chat services, and messaging features through third-party vendor applications or social media platforms that are not routinely captured, supervised or retained by an associated person’s member firm systems.