Over the past few years, and especially since the early days of COVID-19, workplaces have seen a huge increase in the use of electronic messaging and communications programs. Apps such as Zoom, WhatsApp, Microsoft Teams, and Slack are widely used for daily business and intra-office communications. This is especially true for financial businesses such as broker-dealers and traders, who routinely conduct their business and communications remotely and electronically.
While these modes of electronic communication provide ease and convenience, they present a robust challenge to companies when it comes to properly capturing and keeping electronic communications as records. This challenge is amplified for communications on personal devices. Difficulties retaining records of electronic communications were made painfully evident when in September of 2022, the SEC fined more than a dozen financial firms over $1 billion for failure to properly preserve records of their electronic “off-channel” communications.
Shortly after levying these sanctions, the SEC voted on Oct. 12, 2022, to adopt rule amendments to the electronic recordkeeping, prompt production of records, and third-party recordkeeping service requirements applicable to broker-dealers, security-based swap dealers (SBSDs), and major security-based swap participants. The SEC explained in its press release that the amendments “are designed to modernize recordkeeping requirements given technological changes over the last two decades and to make the rule adaptable to new technologies in electronic recordkeeping.”
Previously, firms subject to SEC broker-dealer regulation were required to keep electronic records exclusively in a non-rewriteable, non-erasable (WORM) format. This can be challenging to comply with when preserving electronic communications (such as emails, text messages/chats, etc.), especially when they are generated from remote or personal mobile devices. The amendments, now codified in 17 CFR 240.17a-4(f)(2)(i)(A), are designed to allow firms greater flexibility in how they keep such records, allowing for an “audit trail alternative.” In other words, firms will have the option to keep electronic records in a manner that allows original records to be recreated if they are altered, overwritten, or erased. This will help firms to configure their electronic recordkeeping systems to be in line with current practices and protect the authenticity and reliability of original records. Now, firms have a choice between the previously mandated WORM format or the new audit trail alternative, depending on their needs and preferences. If they choose the audit trail option, they must:
Preserve a record for the duration of its applicable retention period in a manner that maintains a complete time-stamped audit trail that includes:
(1) All modifications to and deletions of the record or any part thereof;
(2) The date and time of actions that create, modify, or delete the record;
(3) If applicable, the identity of the individual creating, modifying, or deleting the record; and
(4) Any other information needed to maintain an audit trail of the record in a way that maintains security, signatures, and data to ensure the authenticity and reliability of the record and will permit the re-creation of the original record if it is modified or deleted[.]
These rule amendments became effective Jan. 3, 2023, with a compliance date set for May 3, 2023.
If nothing else, the recent sanctions levied by the SEC as well as the amendments to the electronic recordkeeping requirements should signal to firms the seriousness and importance the SEC is placing on proper recordkeeping of electronic communications. The SEC’s division of enforcement director commented that the sanctions: both in terms of the firms involved and the size of the penalties ordered – underscore the importance of recordkeeping requirements: they’re sacrosanct. If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened… Other broker-dealers and asset managers who are subject to similar requirements under the federal securities laws would be well-served to self-report and self-remediate any deficiencies.
Given how much focus the SEC currently is putting on electronic communications recordkeeping, firms – especially those in the financial field that are under the governance of the SEC and CFTC – would be wise to review their policies regarding the use and retention of electronic communications, and make sure such policies are in line with current regulatory requirements. Adjustments should be made as necessary to such policies to ensure consistent, company-wide compliance. A well-defined and uniformly adhered to record retention policy will go a long way to mitigate operational and legal risks, including liability for hefty fines for regulatory noncompliance.
As CFTC Commissioner Kristin N. Johnson noted in a press release: relevant technologies are evolving quickly. Today’s resolutions reveal a need for entities operating within our markets to address imminent operational challenges. Increased reliance on simple, easy-to-access but unauthorized chat and text platforms will pose a significant challenge for many types of entities operating in our markets. Internal compliance programs must adopt internal controls consistent with this new landscape. Firms must inculcate a culture of compliance at all levels of their organization to mitigate the risks associated with using unauthorized chat and text platforms.
Being mindful of these new and emerging communications technologies and the unique recordkeeping challenges they bring, the time to act for companies is now. With some careful planning and strategic implementation of recordkeeping policies, companies can set themselves up for long-term success and compliance, while avoiding fines, legal issues, and other potential negative consequences down the road.