Broker-Dealer Resource Page

Broker-Dealers must comply with strict recordkeeping and supervision rules. These rules extend to all written business-related communications, including email, instant messaging, Bloomberg®, Thomson Reuters, text messaging, and social media. This page provides an overview of SEC and FINRA requirements for electronic communications under SEC Rules 17a-3 and 17a-4 and FINRA Rules 2210, 3110, 3130, 3120, and 4511.

Recordkeeping Requirements

Significance of Rules

In recognition of the use of email, instant messaging, and social media as principal business communication tools, the Securities and Exchange Commission (SEC) Rules 17a-3 and 17a-4 mandate the preservation and retention of all business-related electronic correspondence. These requirements are designed to protect investors from misrepresentation and fraud and to prevent record tampering. FINRA Rule 4511 cross-references SEC Rule 17a-4 in setting requirements for electronic record formats, mediums, and retention periods.

Who Must Comply

Generally, these Rules are applicable to all persons engaged in trading securities or acting as a broker, including Broker-Dealer firms and registered representatives subject to the SEC and FINRA. Note that SEC Rule 17a-4(b)(4) requires preservation of all correspondence of a Broker-Dealer “relating to business as such,” which should include the preservation of all electronic communications of a firm’s registered representatives, as well as all associated persons to the business.

Requirements

In connection with electronic communications, firms must:

  • Preserve records of transactions and general securities business, including originals of all communications (incoming, outgoing and internal) related to their “business as such”;
  • Store electronic records in a non-rewriteable, non-erasable format, the quality of which must be verifiable;
  • Store original and duplicate copies of records in separate locations;
  • Create and store original and duplicate indexes of electronic records;
  • Have an auditing system in place for all electronic records and store audit results;
  • Retain records for specified periods (3 to 6 years), the first two years in an easily accessible place;
  • Appoint an independent third party with the ability to access and download electronic records upon the request of regulators;
  • Promptly furnish legible, true, complete, and current copies of records to regulators;
  • Make and preserve books and records as required under the FINRA rules, the Securities Exchange Act of 1934 and applicable Exchange Act rules;
  • Preserve for a period of six years those FINRA books and records for which there is no specified retention period under FINRA rules or applicable Exchange Act rules; and
  • Preserve books and records in an SEC Rule 17a-4 compliant format and media.

Repercussions of Non-Compliance

Broker-Dealers cannot afford to have a casual attitude toward message management, as the repercussions of non-compliance include internal and/or regulatory disciplinary actions, civil liability, costly penalties, damaged corporate reputation, and loss of goodwill. The imposition of fines for electronic communications recordkeeping violations can range into the millions.

Supervision Requirements

Significance of Rules

In response to the ever-increasing role of electronic communications in business, regulators have imposed rules requiring firms to supervise business-related electronic communications. Broker-Dealers were historically subject to NASD Rule 3010, which required the supervision and review of incoming and outgoing correspondence. As part of the FINRA rulebook consolidation process, FINRA replaced NASD Rule 3010 with FINRA Rule 3110. The new rule expands the obligation to supervise and review business-related correspondence to include internal communications between employees of the same firm. It also incorporates existing guidance from Regulatory Notice 07-59, including standards for risk-based review of correspondence and internal communications.

Who Must Comply

Generally, these Rules are applicable to all persons engaged in trading securities or acting as a broker, including Broker-Dealer firms and registered representatives subject to the SEC and FINRA.

Requirements

In connection with electronic communications, firms must:

  • Develop written supervisory policies and procedures for the review of all business-related incoming, outgoing and internal communications;
  • Identify, review and address incoming and outgoing communications (“correspondence”) containing customer complaints, instructions, funds and securities, and content of a subject matter that requires review under FINRA rules and securities laws (and conduct risk-based reviews to determine whether additional supervisory policies are necessary for their business);
  • Identify and review internal communications of a subject matter that requires review under FINRA rules and securities laws, including communications between research and non-research departments, communications with the public that require pre-approval, identification and reporting of customer complaints, and identification and prior written approval of account name changes or designations regarding customer orders (and conduct risk-based reviews to determine whether additional supervisory policies are necessary for their business);
  • Capture, acknowledge, and respond to all written customer complaints;
  • Educate and train employees on procedures governing correspondence, and log such training;
  • Maintain an audit trail and record of supervisory reviews that includes: (i) the identities of both the author and reviewer(s) of the message, (ii) the date of review, and (iii) any actions taken;
  • Monitor and evaluate supervisory procedures to ensure compliance;
  • Prohibit individuals from supervising their own activities; and
  • Ensure supervisory systems are not compromised by conflicts of interest.
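The review, routing and audit-trail obligations listed above can be exercised in code. The following is an added example written for this page, not Global Relay's product code and not a FINRA-published method. It assumes each message is a plain dict with an id, sender, the registered representative whose correspondence it is, a subject and a body; the lexicon terms and the three sample messages are constructed for illustration, and the 5% sample rate is an assumed parameter a firm would set from its own risk-based review.

```python
"""Risk-based correspondence review with a supervisory audit trail (added example)."""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed lexicon for two of the subject-matter categories a firm must
# identify under FINRA Rule 3110(b)(4): customer complaints and customer
# instructions concerning funds and securities. Real programmes tune these
# terms from review outcomes; these are illustrative only.
LEXICON = {
    "complaint": [r"\bcomplain\w*", r"\bunauthori[sz]ed\b", r"\bmisled\b", r"\bdispute\b"],
    "instruction": [r"\bwire\b", r"\btransfer\b", r"\bliquidate\b", r"\bnew address\b"],
}


@dataclass(frozen=True)
class ReviewRecord:
    """One audit-trail entry: author, responsible rep, reviewer, date, flags, action."""
    message_id: str
    author: str
    rep: str
    reviewer: str
    reviewed_at: str
    flags: tuple
    action: str


def classify(message):
    """Return the lexicon categories matched in the subject or body."""
    text = f"{message['subject']}\n{message['body']}"
    return tuple(cat for cat, pats in LEXICON.items()
                 if any(re.search(p, text, re.IGNORECASE) for p in pats))


def triage(message, sample_percent=5):
    """Decide the review path: escalate complaints, review other lexicon hits,
    and pull a reproducible sample of unflagged traffic for post-use review."""
    flags = classify(message)
    if "complaint" in flags:
        return "escalate", flags
    if flags:
        return "review", flags
    # Hash the message id so the sample is reproducible for an auditor; a random
    # draw would make the reviewed population impossible to reconstruct later.
    bucket = int(hashlib.sha256(message["id"].encode()).hexdigest(), 16) % 100
    return ("sample" if bucket < sample_percent else "none"), flags


def assign_reviewer(rep, supervisors):
    """Route to a supervisor who is not the representative whose correspondence
    this is: no one may supervise their own activities."""
    for candidate in supervisors:
        if candidate != rep:
            return candidate
    raise ValueError(f"no eligible reviewer for {rep}: self-review is prohibited")


def run_reviews(messages, supervisors, now=None):
    """Triage each message and emit an audit-trail record for every one that
    enters review; records come back in input order."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for m in messages:
        action, flags = triage(m)
        if action == "none":
            continue
        reviewer = assign_reviewer(m["rep"], supervisors)
        records.append(ReviewRecord(m["id"], m["sender"], m["rep"], reviewer, stamp, flags, action))
    return records


# Constructed sample traffic: an incoming complaint, an outgoing confirmation of
# a funds instruction, and a routine note that only enters review if sampled.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "sender": "client@example.net", "rep": "alice@firm.example",
     "subject": "Fees", "body": "I was never told about these charges and I dispute them."},
    {"id": "msg-002", "sender": "alice@firm.example", "rep": "alice@firm.example",
     "subject": "Your request", "body": "Confirming we will wire $10,000 to the account on file."},
    {"id": "msg-003", "sender": "alice@firm.example", "rep": "alice@firm.example",
     "subject": "Thanks", "body": "Good to meet you yesterday."},
]

if __name__ == "__main__":
    for record in run_reviews(SAMPLE_MESSAGES, ["alice@firm.example", "bob@firm.example"]):
        print(record)
```

The supervisor list deliberately puts the author first to show the self-supervision check doing work: the complaint and the wire confirmation are both routed to the second supervisor, and a list containing only the representative raises rather than silently assigning the review to them.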

Note: FINRA Rule 2210 includes retail and institutional communications and correspondence in its requirements regarding communications with the public. FINRA Rule 3130, Annual Certification of Compliance and Supervisory Processes, requires firms to designate a CCO who, together with the CEO, must annually certify to having a process in place to establish, maintain, review, modify, and test policies and procedures reasonably designed to achieve compliance with applicable rules and laws of the SEC and FINRA. Note also that FINRA Rule 3120 (replacing NASD Rule 3012) requires FINRA members to set up an independent “supervisory control system” to evaluate, test, and modify compliance policies and procedures.

SEC/FINRA Filings

Global Relay provides a complete best practice compliance solution for SEC and FINRA recordkeeping requirements. This solution includes a Broker-Dealer Legal Compliance Documentation package that simplifies and expedites compliance with SEC Rule 17a-4 and FINRA Rule 4511. The package provides:

SEC Rule 17a-4(f)(2) Documentation and Instructions

Customized legal documents and corresponding compliance instructions relating to each legal document:

  1. Legal Direction and Authorization for Third Party Downloader (SEC Rule 17a-4(f)(3)(vii)) – This legal document appoints Global Relay as your impartial third party with independent access to, and the ability to download, the archived electronic records of your firm, if required upon request by the SEC or FINRA (this is the third part of the Regulatory Compliance Letter below).
  2. Regulatory Compliance Letters (SEC Rule 17a-4(f)(2)(i) and 17a-4(f)(3)(vii)) – These documents provide (i) the required Notification and Representation attesting to Electronic Storage Media Compliance and (ii) the Third Party Downloader Undertaking Letter. The Regulatory Compliance Letter satisfies the following regulatory requirements:
    • Electronic Storage Media Notification (SEC Rule 17a-4(f)(2)(i)) – Notification to the regulators that your firm is using Global Relay Archive for electronic communications compliance;
    • Attestation to Electronic Storage Media Compliance (SEC Rule 17a-4(f)(2)(i)) – Global Relay attests that Global Relay Archive meets the SEC/FINRA compliance requirements set forth in SEC Rule 17a-4(f)(2)(ii)(A)-(D);
    • Third Party Downloader Undertaking (SEC Rule 17a-4(f)(3)(vii)) – This letter identifies Global Relay as your impartial Third Party Downloader with independent access to, and the ability to download, the archived electronic records of your firm, if required by the SEC or FINRA under SEC Rule 17a-4; and
    • Service Provider Undertaking (SEC Rule 17a-4(i)) – Global Relay attests that books and records maintained on behalf of your firm are the property of your firm and will be surrendered promptly on request.

Global Relay’s Compliance Solutions for SEC Rule 17a-4(f)(2)(ii)(A)-(D)

In the Representation Letter prepared by Global Relay on your firm’s behalf, your firm must attest that it is using a recordkeeping system that satisfies the electronic storage media requirements of SEC Rule 17a-4(f)(2)(ii), conditions (A)-(D). Below is a summary description of the technology used by Global Relay Archive, as it is important that you have a basic understanding of how Global Relay Archive assists your firm in meeting SEC and FINRA requirements.

  1. Non-Rewriteable, Non-Erasable Storage - (f)(2)(ii)(A)

    Rule: Preserve the records exclusively in a non-rewriteable, non-erasable format

    Global Relay Archive preserves copies of all messages and attachments in a tamperproof non-rewriteable, non-erasable format with write verification. Archived messages are stored in our two mirrored, SOC-audited data centers.

  2. Message Write Verification - (f)(2)(ii)(B)

    Rule: Verify automatically the quality and accuracy of the storage media recording process

    Global Relay Archive automatically verifies the quality and accuracy of the storage media recording process as messages and attachments are written to tamperproof storage. As messages are processed, Global Relay Archive automatically compares the post-processed message with the original message before the original message is deleted.

  3. Message Serialization - (f)(2)(ii)(C)

    Rule: Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention for the information placed on such electronic storage media

    Global Relay Archive sequentially serializes and time-date stamps each message at the time of import. Any message can be retrieved within seconds by serial number. All messages are replicated in near real time between two mirrored, SOC-audited data centers such that there are always multiple copies of every message preserved.

  4. Index and Record Download - (f)(2)(ii)(D)

    Rule: Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member

    Global Relay Archive full-text indexes all archived messages and preserves both messages and their related indexes for the length of a firm’s specified retention period. All archived data is readily available for (i) online access and viewing by authorized users (such as the SEC/FINRA), or (ii) download to DVD, hard drive, or secure FTP.
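The four storage conditions above describe a system, and a single-host prototype makes the mechanics concrete. The block below is an added example written for this page; it is not Global Relay Archive's code and makes no claim about how that product is built. It assumes a local filesystem and uses a hash-chained, append-only log as a software stand-in for non-rewriteable media (condition A), reads each record back from disk before accepting it (condition B), assigns a sequential serial number and UTC timestamp (condition C), and keeps a serial and term index that can be exported with the log to another directory (condition D). Mirroring to a second site and access control on the log file are out of scope; the two messages in the demo are constructed.

```python
"""Serialised, write-verified, append-only message archive with an index (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain value before the first record


class Archive:
    """Single-host prototype of the SEC Rule 17a-4(f)(2)(ii) storage conditions."""

    def __init__(self, directory):
        os.makedirs(directory, exist_ok=True)
        self.log = os.path.join(directory, "messages.log")
        self.index_path = os.path.join(directory, "index.json")
        # by_serial: serial -> [byte offset, link hash]; by_term: word -> [serials]
        self.index = {"by_serial": {}, "by_term": {}, "last_hash": GENESIS}
        if os.path.exists(self.index_path):
            with open(self.index_path) as f:
                self.index = json.load(f)

    def _persist_index(self):
        tmp = self.index_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.index, f)
        os.replace(tmp, self.index_path)  # atomic swap: the index is never half-written

    def ingest(self, body, now=None):
        """Append one message and return its serial, but only after the stored
        bytes have been read back from disk and matched (condition B)."""
        serial = len(self.index["by_serial"]) + 1  # condition C: sequential serial
        stamp = (now or datetime.now(timezone.utc)).isoformat()  # condition C: time-date
        body_hash = hashlib.sha256(body.encode()).hexdigest()
        # Hash chain: each record commits to its predecessor, so rewriting or
        # deleting an earlier record breaks every later link (supports condition A).
        link = hashlib.sha256((self.index["last_hash"] + body_hash).encode()).hexdigest()
        record = json.dumps({"serial": serial, "ts": stamp, "sha256": body_hash,
                             "link": link, "body": body}).encode() + b"\n"
        with open(self.log, "ab") as f:  # append-only handle; the log is never opened for rewrite
            f.seek(0, os.SEEK_END)
            offset = f.tell()
            f.write(record)
            f.flush()
            os.fsync(f.fileno())
        with open(self.log, "rb") as f:  # write verification: compare the disk copy with intent
            f.seek(offset)
            if f.read(len(record)) != record:
                raise IOError(f"write verification failed for serial {serial}")
        self.index["by_serial"][str(serial)] = [offset, link]
        for term in set(body.lower().split()):
            self.index["by_term"].setdefault(term, []).append(serial)
        self.index["last_hash"] = link
        self._persist_index()
        return serial

    def get(self, serial):
        """Retrieve a record directly by serial number through the offset index."""
        offset, _ = self.index["by_serial"][str(serial)]
        with open(self.log, "rb") as f:
            f.seek(offset)
            return json.loads(f.readline())

    def search(self, term):
        return list(self.index["by_term"].get(term.lower(), []))

    def verify_chain(self):
        """Recompute every link from the log; returns (ok, first bad serial or None)."""
        prev = GENESIS
        with open(self.log, "rb") as f:
            for n, line in enumerate(f, start=1):
                rec = json.loads(line)
                body_hash = hashlib.sha256(rec["body"].encode()).hexdigest()
                expected = hashlib.sha256((prev + body_hash).encode()).hexdigest()
                if rec["serial"] != n or rec["sha256"] != body_hash or rec["link"] != expected:
                    return False, n
                prev = rec["link"]
        return prev == self.index["last_hash"], None

    def export(self, destination):
        """Condition D: copy the log and its index to another medium for a regulator."""
        os.makedirs(destination, exist_ok=True)
        shutil.copy2(self.log, destination)
        shutil.copy2(self.index_path, destination)
        return sorted(os.listdir(destination))


def demo():
    """Exercise the archive in a scratch directory, then simulate an in-place
    edit of record 1 that the chain check must catch."""
    root = tempfile.mkdtemp(prefix="archive-")
    a = Archive(root)
    serials = [a.ingest("Confirming we will wire 10000 to the account on file"),
               a.ingest("I was never told about these charges and I dispute them")]
    out = {"serials": serials, "hit": a.search("dispute"), "body2": a.get(2)["body"],
           "intact": a.verify_chain(), "exported": a.export(os.path.join(root, "export")),
           "reopened_last_hash": Archive(root).index["last_hash"] == a.index["last_hash"]}
    with open(a.log, "rb") as f:
        lines = f.read().split(b"\n")
    rec = json.loads(lines[0])
    rec["body"] = rec["body"].replace("10000", "99999")  # attacker rewrites the amount in place
    lines[0] = json.dumps(rec).encode()
    with open(a.log, "wb") as f:
        f.write(b"\n".join(lines))
    out["after_tamper"] = a.verify_chain()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain check is what separates "we never rewrite" as a promise from something a regulator can test: after the simulated edit the stored hash of record 1 no longer matches its body, and because record 2's link was computed over the original hash, the tampering is pinned to the first affected serial.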

Additional Information

The Broker-Dealer Legal Compliance Documentation, as described above, is prepared by Global Relay’s in-house lawyers. Any questions may be directed to legal@globalrelay.net.

Outsourcing Requirements

In accordance with NASD Notice to Members 05-48 on outsourcing (carried forward by FINRA), FINRA firms must:

  • Conduct due diligence on service vendors before outsourcing;
  • Determine and ensure that outsourced service providers' systems comply with applicable securities laws and regulations; and
  • Monitor and supervise the performance of service providers.

Investment Advisor Resource Page

Investment Advisors, Private Equity Funds, and Hedge Funds registered with the SEC under the Investment Advisers Act of 1940 must comply with strict recordkeeping and supervision rules. These rules extend to all written business-related communications, including email, instant messaging, Bloomberg®, Thomson Reuters, text messaging, and social media. This page provides an overview of SEC requirements for electronic communications under SEC Rules 204-2 and 206(4)-7.

Recordkeeping Requirements

Significance of Rules

Regulators do not tolerate inadequate recordkeeping. In response to the explosive growth of email, instant messaging, text messaging, social media and other electronic messages as principal business communication tools, the SEC adopted amendments to Rule 204-2 under the Investment Advisers Act (17 CFR Part 275), which identifies the records relating to an investment advisory business that must be retained and imposes requirements regarding the preservation, accessibility and retention periods of all such records. These requirements are designed to protect investors from misrepresentation and fraud and to prevent record tampering.

Who Must Comply

Investment Advisors, including Hedge Funds and Private Equity Funds, registered or required to be registered under Section 203 of the Investment Advisers Act. The majority of state-registered Advisors have similar compliance regulations. Note that Rule 204-2(a) requires preservation of records relating to a firm's "investment advisory business," which should include the preservation of all electronic communications of a firm's registered advisors, as well as those of all associated persons to the business.

Requirements

Under SEC Rule 204-2 firms must:

  • Preserve originals of written communications regarding their investment advisory business;
  • Store electronic records on tamperproof media;
  • Retain records in an easily accessible place for a five-year retention term counted from the end of the fiscal year during which the last entry was made;
  • Retain records in an appropriate office for the first two years of the retention term (see the note on the appropriate office requirement below);
  • Arrange and index electronic records for easy search, retrieval and access;
  • “Promptly” furnish records to regulators (defined as within 24 hours; online access meets this requirement);
  • Provide legible, true and complete copies and printouts of records to regulators;
  • Provide regulators with means to access, view and print records;
  • Store original and duplicate copies of records in separate locations;
  • Establish and maintain procedures to protect records from loss, alteration or destruction, and to limit record access to authorized personnel and regulators;
  • Ensure electronic reproduction of a hard copy record is complete, true, and legible; and
  • Implement an annual review system and ensure the ability to store review results (cross-referenced with Rule 206(4)-7).

Repercussions of Non-Compliance

Increasingly, SEC investigations focus on business records and on stricter enforcement of recordkeeping rules. Firms cannot afford to have a lackadaisical attitude toward message management, as the consequences of non-compliance include internal and/or regulatory disciplinary actions, costly penalties, civil liability, damaged corporate reputation and loss of goodwill and clients.

Note: Appropriate Office Requirement – SEC Rule 204-2(e)(1) requires Investment Advisors to preserve records in an "appropriate office of the investment adviser" for two years. This language was established before the widespread use of cloud computing and electronic data storage. Its spirit was to address the requirement of maintaining the actual physical paper record in an appropriate office of the advisor. As far back as 1995, the SEC clarified that this provision does not require investment advisors to physically store electronic records at their particular local office as long as the records are readily accessible from that office. Today it is well-accepted practice for Advisors to engage cloud providers to assist with the record retention function.

Supervision Requirements

Significance of Rules

It is unlawful for Investment Advisors to provide investment advice to clients unless they implement internal supervisory controls pursuant to Rule 206(4)-7 under the Investment Advisers Act. Advisors are required to establish, maintain and enforce written supervisory policies and procedures to detect and prevent compliance violations, including the misuse of material non-public information. Controls designed to protect investors from misrepresentation and fraud via electronic communications are mandated as part of these supervisory policies and procedures.

Who Must Comply

Investment Advisors, including Hedge Funds and Private Equity Funds, registered or required to be registered under Section 203 of the Investment Advisers Act. The majority of state-registered Advisors have similar compliance regulations. Note that Rule 206(4)-7(a) requires implementation of internal controls to prevent violations by the Advisor and its "supervised persons," which includes "any partner, officer, director (or other person occupying a similar status or performing similar functions), or employee of an Investment Advisor, or other person who provides investment advice on behalf of the Investment Advisor and is subject to the supervision and control of the Investment Advisor."

Requirements

In connection with the supervisory compliance controls of Rule 206(4)-7, SEC Final Rule Release IA-2204, and corresponding SEC guidance, firms must:

  • Implement internal compliance controls designed to detect and prevent regulatory violations;
  • Establish supervisory policies and procedures for all business-related communications with clients, including: (1) methods of detecting and addressing regulatory violations in electronic communications, and (2) restricting such communications if they cannot be adequately archived and supervised;
  • Implement safeguards to protect the privacy of client records and information;
  • Monitor the accuracy of disclosures made to investors, clients, and regulators, including account statements and advertisements;
  • Implement controls for the accurate creation and maintenance of required records in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction;
  • Annually review written supervisory policies and procedures;
  • Designate a chief compliance officer to administer supervisory compliance systems; and
  • Implement an annual review system and ensure the ability to store review results (cross-referenced with the recordkeeping requirements of Rule 204-2).

Health Care Resource Page

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) restrict the use and disclosure of protected health information (PHI) and mandate stringent privacy and security controls to safeguard PHI that is created, transmitted, or stored electronically (ePHI). This page provides an overview of HIPAA's Privacy and Security Rules, as well as an overview of the modifications to HIPAA mandated by HITECH.

Privacy Rule

Significance of Rules

Covered entities and business associates are responsible for complying with increasingly complex, comprehensive regulations to safeguard patient information. The Privacy Rule prohibits covered entities and business associates from using or disclosing PHI except as permitted or required by HIPAA regulations. The Privacy Rule applies to the use and disclosure of all PHI held or transmitted by an organization in any form or media – electronic, paper, or oral. Due to the growth of email, IM, and text messaging as principal communication tools in the health care industry, controls designed to protect against unlawful use and disclosures of information via electronic communications should be a fundamental part of any HIPAA-regulated organization’s privacy policies and procedures.

Who Must Comply

Health care providers, health plans, health care clearinghouses, and business associates who create, receive, maintain, or transmit PHI must comply with the Privacy Rule.

Requirements

The Privacy Rule enumerates the permitted uses and disclosures of PHI by covered entities and business associates. The PHI that organizations have a responsibility to protect is broadly defined and includes: personal medical records, genetic information, conversations concerning patient care, billing transactions, and most personally identifiable health information. Permitted uses and disclosures include:

Covered Entities may use or disclose PHI:
  • To the individual;
  • For the covered entity's own treatment, payment, or health care operations;
  • To another covered entity for treatment, health care operations, or payment activities;
  • To business associates if satisfactory assurance is obtained that the associates will safeguard the information as required by HIPAA regulations;
  • When required by HHS as part of an investigation into the covered entity's compliance with HIPAA regulations;
  • In the course of a judicial or administrative proceeding; and
  • As otherwise permitted by HIPAA regulations.

Business Associates may use or disclose PHI:
  • As permitted by their business associate contracts;
  • As required by law;
  • When required by HHS as part of an investigation into the business associate's compliance with HIPAA regulations;
  • To covered entities, individuals, or individuals' designees to satisfy an individual's request for a copy of PHI; and
  • As otherwise permitted by HIPAA regulations.

Security Rule

Significance of Rules

The Security Rule sets national standards for the security of electronic protected health information (ePHI). It requires all covered entities and business associates to establish and maintain rigorous security controls to ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. Security standards are organized into three categories: administrative safeguards, physical safeguards and technical safeguards. To ensure organization-wide compliance with these standards, regulated organizations should identify all sources and locations of ePHI (including electronic communications), assess the associated security risks, and implement appropriate controls to mitigate these risks.

Who Must Comply

Health care providers, health plans, health care clearinghouses, and business associates who create, receive, maintain, or transmit ePHI must comply with the Security Rule.

Requirements

In connection with the Security Rule, organizations must:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
  • Develop and implement security measures that allow them to reasonably and appropriately meet security standards and specifications;
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI;
  • Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required under HIPAA regulations;
  • Implement policies and procedures to address security incidents;
  • Implement administrative safeguards to prevent, detect, contain, and correct security violations;
  • Implement physical safeguards to restrict access to information systems and facilities containing ePHI; and
  • Implement technical safeguards to prevent unauthorized access to ePHI.

Repercussions of Non-compliance

The Department of Health and Human Services, Office for Civil Rights has the authority to administer and enforce HIPAA regulations and has investigated claims against hospital chains, group health plans, national pharmacy chains, major medical centers, and small provider offices. A civil money penalty may be imposed if HHS determines that a violation has occurred. For violations occurring after February 18, 2009, HHS may impose penalties in four tiers keyed to the level of culpability, with fines increasing by tier. As set by HITECH, the penalties ranged from $100 to $50,000 per violation, subject to an annual cap of $1,500,000 for all violations of an identical provision; these amounts have since been adjusted for inflation.

HITECH

In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH) as part of the American Recovery and Reinvestment Act. The Act required modifications to HIPAA rules to enhance patient privacy, increase patients' rights to access their PHI, expand the definition of business associates, and toughen enforcement of health care privacy laws. The modified rules became effective on March 26, 2013. The modifications include:

Expanded Definition of Business Associates

The definition of a business associate has been expanded and clarified to cover all organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity. The definition now explicitly includes patient safety organizations, health information exchange organizations, e-prescribing gateways, regional health information organizations, and organizations that provide data transmission services unless they only access data on a “random or infrequent basis.” This exception is known as the “conduit” exception. The conduit exception is narrow and is only intended to exclude organizations acting solely as “courier services.”

Additional Restrictions on Third Party Disclosures

An organization that stores or maintains protected health information on behalf of a covered entity is a business associate regardless of whether it views the information it holds. Business associates must comply with the Security Rule and certain provisions of the Privacy Rule.

HITECH places additional restrictions on disclosures of PHI for marketing and fundraising, and prohibits the sale of PHI without individual authorization. It also requires modifications to covered entities’ notices of privacy practices.

Mandatory Breach Notifications

Under HITECH, covered entities are required to notify affected individuals and the Department of Health & Human Services (HHS) of a breach of unsecured PHI. Business associates are required to inform covered entities of breaches. Any data breach affecting more than 500 individuals must be posted on the HHS website.

Increased Enforcement

HITECH strengthened the government's ability to enforce health care privacy laws by increasing civil money penalties and establishing more objective standards of non-compliance.

Canadian Financial Resource Page

Canadian financial firms regulated by IIROC or the MFDA, and those subject to National Instrument (NI) 31-103 and the Universal Market Integrity Rules (UMIR), must comply with strict recordkeeping, supervision, and business continuity rules. These rules extend to all written business-related communications, including email, instant messaging, Bloomberg®, Thomson Reuters, text messaging, and social media.

This page provides an overview of the requirements applicable to electronic communications.

Recordkeeping Requirements

Significance of Rules

Canadian regulators are no longer tolerating inadequate recordkeeping and supervision of electronic communications.

IIROC Rule 29.7 (supplemented by IIROC Notice 11-0349) requires firms to archive, monitor, and review electronic advertisements, sales literature, and correspondence with clients. IIROC has clarified that "all methods used to communicate, including, but not limited to, Facebook, Twitter, YouTube, blogs, and chat rooms, are subject to the IIROC Rules." The content of a communication determines whether it is related to a firm's business, not the method by which the communication takes place.

For mutual fund dealers, MFDA Rule 5 sets out the regulator’s recordkeeping requirements.

In addition to the IIROC and MFDA Rules, National Instrument 31-103 requires financial firms to document correspondence with clients.

Who Must Comply

Generally, these rules are applicable to all persons engaged in trading or acting as a dealer under the jurisdiction of IIROC, the Canadian Securities Administrators (CSA), and/or the MFDA. Canadian companies registered in the U.S. will also be subject to SEC and FINRA requirements.

Requirements

Investment Dealers (IIROC Rule 29.7 and Notice 11-0349)

In connection with electronic communications under IIROC Rule 29.7 and IIROC Notice 11-0349, firms must:

  • Retain advertisements, sales literature, and related documents for 2 years;
  • Retain correspondence with the public for 5 years;
  • Implement systems with compliant record retention and retrieval functionality;
  • Design and implement retention systems and programs that can reliably capture all types of electronic communications used for business purposes (including, if permitted, those sent via personal mobile devices);
  • Retain records of reviews and approvals related to electronic communications;
  • Have readily accessible for inspection by IIROC:
    • All stored business-related electronic communications prepared for clients; and
    • All records of supervisory reviews of electronic communications.

Mutual Fund Dealers (MFDA Rule 5)

In connection with MFDA Rule 5, firms must:

  • Retain all books, records, and other documents necessary for the proper recording of their business transactions and financial affairs (Rule 5.1);
  • Retain all books, records, and other documents necessary for the proper recording of transactions that they execute on behalf of others (Rule 5.1);
  • Store electronic records such that:
    • The method of storage guards against the risk of falsification;
    • Records can be provided promptly to regulators;
    • Suitable back-up and disaster recovery programs are in place (Rule 5.2); and
  • Retain records for 7 years from the date of creation or such other terms as required by the MFDA (Rule 5.6).

All Securities Firms (NI 31-103 and UMIR Rule 10.11)

In connection with electronic communications under NI 31-103, firms must:

  • Retain records of business activities, financial affairs, and transactions (including correspondence with clients);
  • Retain such records for 7 years from the date of creation;
  • Store records in a durable form in a safe location; and
  • Provide records to regulators in a “reasonable period of time.”

Note: Section 7.1 of UMIR Rule 10.11 requires firms to verify that electronic order information is “stored, retrievable, and accurate.”

Supervision Requirements

Significance of Rules

IIROC Rule 29.7 requires firms to develop, establish, and maintain a supervisory system to ensure advertisements, sales literature, and correspondence with clients comply with all applicable rules. MFDA Rule 2 also includes supervisory responsibilities. In addition, UMIR Policy 7.1 and NI 31-103 require firms to implement a compliance supervision and preservation system.

Who Must Comply

Generally, these rules are applicable to all persons engaged in trading or acting as a dealer, including Investment Dealer firms and registered representatives that fall under the jurisdiction of IIROC, MFDA, and the CSA. Canadian companies registered in the U.S. will also be subject to SEC and FINRA requirements.

Requirements

Investment Dealers (IIROC Rule 29.7 and Notice 11-0349)

In connection with electronic communications under IIROC Rule 29.7 and IIROC Notice 11-0349, firms must:

  • Establish IIROC-approved written supervisory policies and procedures for all business-related communications with clients, including:
    • Methods of detecting and addressing prohibited communications;
    • Methods and frequency for reviewing business-related communications and distinguishing types of records;
    • Implementation of a supervisory hierarchy for conducting reviews and cross-supervision;
  • Depending on the type of material and their specific business, conduct supervision via pre-use approval, post-use review, or post-use sampling (see the note below);
  • Educate and train employees on procedures governing electronic correspondence with the public;
  • Monitor and evaluate supervisory procedures to ensure compliance;
  • Pre-approve social media content that constitutes an original template advertisement (typically static content such as profile or background information); and
  • Pre- or post-review interactive electronic forums that involve real time discussions (for example, tweets).

1 Note: Rule 29.7(3) requires six types of materials to be reviewed prior to use.

Mutual Fund Dealers (MFDA Rule 2)

In connection with electronic communications under MFDA Rule 2, firms must:

  • Establish, implement, and maintain policies and procedures to ensure business is conducted in compliance with all applicable rules and legislation (Rule 2.5.1);
  • Pre-approve all advertisements and sales communications (Rule 2.7.3);
  • Send no written communication to clients that:
    • Is untrue or misleading;
    • Makes unwarranted or exaggerated claims or conclusions;
    • Fails to identify material assumptions;
    • Is detrimental to the interests of clients, the public, the MFDA, or MFDA members;
    • Violates any applicable legislation, guideline, policy, rule, or directive; and
    • Is inconsistent or confusing (Rule 2.8).

All Securities Firms (UMIR Policy 7.1 and NI 31-103)

In connection with UMIR Policy 7.1, firms must:

  • Implement a compliance monitoring system designed to detect compliance violations; and
  • Maintain an audit trail and record of supervisory reviews for 5 years.1

1 Note: NI 31-103 requires firms to retain records of supervisory review for 7 years.

Business Continuity Requirements

Significance of Rules

In the event of a market-wide disruption, the resilience of the Canadian financial sector depends on the rapid recovery and resumption of critical activities. Canadian regulators have therefore mandated high levels of business protection and contingency measures.

IIROC Rule 17.16 requires firms to develop a business continuity plan (BCP) to manage significant business interruptions and efficiently resume operations. Under MFDA Rule 2.9, members are required to establish and maintain internal controls as prescribed by the MFDA. MFDA Notice MR-0056 sets out the prescribed business continuity planning requirements.

Who Must Comply

All IIROC and MFDA members must make adequate BCP preparations appropriate for their size, business, and organizational structure.

Requirements

Investment Dealers (IIROC Rule 17.16)

Under IIROC Rule 17.16, firms must:

  • Establish a customized BCP based on a business impact analysis of a serious or prolonged disruption or emergency;1
  • Pre-designate alternate sites, located a prudent distance from primary sites;
  • Develop organizational strategies to ensure continuity of IT and business functions (such as access to client data);
  • Implement processes for the storage, protection, and recovery of data (electronic records);
  • Implement back-up procedures for all applications and hardware;
  • Develop processes for handling lost work in progress or backlog processing;
  • Identify alternative methods of communication available during a disruption;
  • Resume effective operation within an acceptable period of time after a significant business disruption;
  • Ensure continued compliance with all relevant regulations, legal obligations, and duties to clients;
  • Review, test, and audit the BCP regularly;
  • Update the BCP in the event of any material change to operations, structure, business or location; and
  • Incorporate all regions in which the firm has a presence into the BCP.

1 IIROC guidelines include duplication of critical technology, vital records, and other critical data in a secure, geographically removed location.

Mutual Fund Dealers (MFDA Notice MR-0056)

Under MFDA Notice MR-0056, firms must:

  • Develop a BCP that is appropriate for their size and business model
  • Define critical operations and services, triggers for invoking the BCP, and management and staff obligations;
  • Establish procedures for maintaining core business functions;
  • Allocate adequate resources to the BCP;
  • Have back-up systems for the preservation and recovery of all records (including electronic records);
  • Establish procedures to ensure communication of all necessary information between all relevant parties and stakeholders in case of a disaster or crisis situation; and
  • Ensure mission critical third party suppliers have adequate business continuity plans in place.

UK Financial Firms Resource Page

In accordance with the Financial Services Bill, which received Royal Assent in December 2012, the Financial Services Authority (FSA) has split into two bodies: a prudential regulator and a conduct regulator. The Financial Conduct Authority (FCA) regulates and supervises the conduct of all firms and individuals that carry out a regulated financial service market activity in the UK. Deposit takers, insurance companies, and systemically important investment firms are also supervised by the Prudential Regulation Authority (PRA), whose mandate is to promote the safety and soundness of the UK financial system.

In addition to FCA and PRA regulations, all UK firms must comply with the UK Data Protection Act 1998 (DPA), which regulates the processing of personal information.

Recordkeeping Requirements

Significance of Rules

In order to prevent, detect and deter market abuse, COBS Rule 11.8 requires financial firms to record and retain electronic communications related to receiving, negotiating, arranging, or executing client orders. SYSC Rule 9.1 also requires firms to keep orderly records of their business, including all services and transactions. With the majority of business being conducted using electronic communications such as email, IM, and text messaging, firms should retain indexed and searchable records of such communications so that they can provide regulators with sufficient evidence of compliance with their regulatory obligations.

Who Must Comply

All firms and individuals that carry out a regulated financial service market activity in the UK must comply. This includes mutual societies, banks, financial advisers, investment managers, stockbrokers, building societies, wholesale investment firms and other organizations.

Requirements

Under SYSC 9.1, firms must:

  • Retain records that are sufficient to allow the appropriate regulator or other competent authority to monitor compliance with regulations, with a particular focus on identifying whether firms have fulfilled all of their obligations to clients;
  • Retain records related to MiFID business for at least 5 years;
  • Retain non-MiFID records for as long as is relevant for the purpose(s) for which they were made;
  • Ensure records are readily accessible by the appropriate regulator or other competent authority;
  • Ensure regulators can use records to reconstitute each key stage of the processing of each transaction;
  • Ensure any corrections or amendments to records, as well as the original contents of the records, are easily identifiable, and that records cannot otherwise be manipulated or altered; and
  • For the retention of records that are not related to MiFID business, implement appropriate controls to ensure records are adequate, accurate, and secure.

Under COBS 11.8, firms must:

  • Take reasonable steps to record oral and electronic communications - including communications via facsimile, email and instant messaging - between employees/contractors and clients (or between employees/contractors and another person when the employee/contractor is acting on behalf of a client) that:
    • Conclude an agreement by the firm to carry out the activities listed in COBS 11.8.1; or
    • Are conducted with a view to executing such an agreement;1
  • Retain records of such communications for at least 6 months;
  • Retain all relevant communications, regardless of the devices used to transmit them; and
  • Take reasonable steps to prevent employees from using devices and equipment that prevent capture of relevant communications.

1 Covered activities include receiving client orders, executing client orders, arranging for client orders to be executed, and carrying out transactions on behalf of a firm.

Supervision Requirements

Significance of Rules

SYSC Rules 3.1 and 3.2 require UK financial firms to develop, establish and maintain supervisory systems and controls to monitor compliance with regulatory requirements. Each firm must tailor its supervisory systems and controls to its specific business and activities. In Supervision (SUP) 1A.3.2, the FCA describes the principles on which it bases its supervisory approach. These principles include:

  • Being more interventionist;
  • Being consumer-centric;
  • Focusing on firms’ business models and cultures as well as product supervision; and
  • Viewing poor behaviour through the lens of its impact on consumers.

With the majority of business, including communications with prospective clients, current clients and the general public, being conducted electronically, firms’ supervisory controls should include the monitoring of electronic communications, including email, IM, mobile messaging and social media. Such supervisory controls can assist firms with efficiently identifying, managing and resolving potential or actual compliance violations.

Who Must Comply

All firms and individuals that carry out a regulated financial service market activity in the UK must comply with SYSC 3.1 and 3.2. This includes mutual societies, banks, financial advisers, investment managers and stockbrokers, building societies, wholesale investment firms, sole advisers, and others.

Requirements

Under SYSC 3.1 and 3.2, firms must:

  • Take reasonable care to implement and maintain systems and controls that are appropriate to their business and are designed to ensure compliance with applicable requirements and standards under the regulatory system;
  • Develop systems and controls that take into account the nature and scale of the business, the risk associated with each area of operation, the diversity of operations, and the volume and size of transactions;
  • Implement controls that are comprehensive and proportionate to their business activities;
  • Implement controls that aid in identification of money laundering risk;
  • Conduct regular reviews and assessments of systems and controls to ensure their adequacy;
  • Depending on their nature and size, consider establishing a separate compliance function;
  • If they carry on designated investment business with or for retail or professional clients (e.g. managing investments or advising on investments), appoint a director or senior manager to hold responsibility for oversight of compliance;
  • Require the appointed individual to report to the governing body; and
  • Retain records of “matters and dealings” that are subject to regulatory requirements and standards.

Data Protection Requirements

Significance of Rules

The UK Data Protection Act (DPA) regulates the collection, storage, use, disclosure, and deletion (collectively “processing”) of personal data. Personal data is data that relates to a living individual who can be identified either: (i) from that data, or (ii) from that data and other information that is in the possession of, or is likely to come into the possession of, the organization. The DPA sets out eight principles governing the processing of personal data.

Who Must Comply

All organizations that:

  • Control the purposes for and the manner in which personal data is processed; and either
  • Are established in the UK; or
  • Use equipment located in the UK to process personal data (for purposes other than transit through the UK).

Requirements

Under the DPA, data controllers that enter into a contract with a third party to process personal data on their behalf must comply with the following requirements:

  • Due Diligence: Choose a data processor that provides sufficient guarantees of technical and organizational security measures, and take reasonable steps to ensure the data processor complies with these measures.
  • Written Contract: Ensure the processing of personal data is carried out under a written contract. The contract must stipulate that:
    • The data processor must enforce appropriate technical and organizational measures against (i) unauthorized or unlawful processing of personal data, and (ii) accidental loss, destruction of, or damage to personal data; and
    • The data processor may act only on instructions of the data controller.
  • International Transfer: Ensure data is not transferred outside of the European Economic Area unless there is an adequate level of protection in the country of destination.

Public Company Resource Page

The Sarbanes-Oxley Act (SOX) requires publicly traded companies to implement reliable records management practices and controls, including systems to efficiently retain and retrieve data. These requirements are designed to ensure corporate accountability and the accuracy of financial results, and to improve the transparency and disclosure of information by public companies and their auditors. The consequences of non-compliance are severe: depending on the violation, non-compliance can be punished by fines and by imprisonment.

Who Must Comply

Generally, these rules are applicable to all publicly traded companies under the SEC's jurisdiction. However, Sarbanes-Oxley has created a corporate governance benchmark for all businesses to establish and adhere to systematic records management, including email retention policies and practices.

Requirements

Under SOX, public companies must comply with the following requirements:

  • Audit and Quality Control (Section 103): Retain all audit work papers and other information related to an audit report for at least 7 years in sufficient detail to verify the conclusions of the report.
  • Production of Data (Section 105(b)): Have the ability to produce all audit-related information to verify the accuracy of any documents or information supplied.
  • Corporate Responsibility (Section 302): Have senior management personally attest to the accuracy of financial results.
  • Internal Supervision Controls (Section 404): Ensure management is responsible for the implementation and maintenance of internal controls for the purposes of financial reporting.
  • Tamperproof (Section 802(a)): Prevent intentional alteration, destruction or mutilation of records or documents in order to impede an investigation.

Under Section 802 of SOX, auditors must retain all audit-related information for a period of not less than 7 years. This includes work papers, memoranda, correspondence, communications, and electronic records (including email and IM).

Swaps, Futures & Commodities Resource Page

CFTC regulations require registered firms to preserve comprehensive and wide-ranging records of their business activities. These regulations extend to written and oral business-related communications, including email, instant messaging, Bloomberg®, Thomson Reuters, text messaging, social media, and voice. Firms must also supervise their employees to ensure compliance with all applicable rules and regulations.

Recordkeeping Requirements

Significance of Rules

CFTC Rule 1.31 establishes recordkeeping and retention standards for all registered firms. This rule explicitly states that firms may store records electronically and establishes standards for record format and retention. CFTC registrants are also subject to additional recordkeeping rules according to their specific line(s) of business.

Who Must Comply

All swap dealers, major swap participants, retail foreign exchange dealers, futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers required to register with the CFTC must comply with CFTC Rule 1.31. Firms may also be subject to additional rules based on their specific line(s) of business:

Line of Business                              Applicable Rule(s)
Futures commission merchants                  CFTC Rules 1.35 and 1.40
Retail foreign exchange dealers               CFTC Rules 1.35 and 1.40
Introducing brokers                           CFTC Rules 1.35 and 1.40
Members of contract markets                   CFTC Rules 1.35 and 1.40
Commodity pool operators                      CFTC Rule 4.23
Commodity trading advisors                    CFTC Rule 4.33
Swap dealers and major swap participants      CFTC Rules 23.201, 23.202 and 23.203
Swap execution facilities                     CFTC Rules 1.35 and 1.40

Requirements

In connection with electronic records under CFTC Rule 1.31, all CFTC registered firms must:

  • Retain all CFTC required books and records for 5 years, the first 2 years in a readily accessible place;1
  • Retain records in their native file format;
  • Allow representatives of the CFTC or the DOJ to inspect records upon request;
  • Promptly provide copies of records to the CFTC in the format specified by any Commission representative;
  • Store records in a format that is non-rewritable and non-erasable;
  • Automatically verify the quality and accuracy of the storage media recording process;
  • Serialize and time-date stamp each record;
  • Index records to facilitate retrieval;
  • Store duplicate copies of records and indexes in physically separate locations;
  • At all times, be ready to immediately provide the following: (i) an easily readable electronic projection or production of records, (ii) hard copies of records, and (iii) record indexes;
  • Develop written procedures and controls (an "audit system") to ensure accountability for and accuracy of records;
  • Appoint a qualified third party ("Technical Consultant") to access and download records when requested by the CFTC or DOJ; and
  • Provide a representation to the CFTC that the electronic storage system in use meets all of the requirements of this rule.

1 With the following exceptions: (i) records of any swap or related cash or forward transaction must be retained until the termination, maturity, expiration, transfer, assignment or novation date of the transaction and for a period of five years after, and (ii) records of oral communications kept pursuant to CFTC Rules 1.35 and 23.202 must be retained for 1 year.

In connection with CFTC Rules 1.35 and 1.40, futures commission merchants, retail foreign exchange dealers, introducing brokers, members of contract markets, and swap execution facilities must:

  • Retain "full, complete and systematic" records that include all pertinent data and memoranda of all transactions relating to their business in commodity interests and cash commodities;
  • Retain all records prepared in the course of their business in commodity interests and related cash or forward transactions;
  • Retain all documents on which trade information is originally recorded ("original source documents");
  • Retain original source documents such that they are identifiable and searchable by transaction;
  • Retain all oral and written communications sent or received concerning quotes, solicitations, bids, offers, instructions, trading and prices that lead to the execution of a transaction in a commodity interest and related cash or forward transactions, whether these communications occur over telephone, voicemail, facsimile, instant messaging, chat rooms, email, mobile device, or other digital or electronic media (with exemptions for certain types of oral communications); and
  • Upon request, provide true copies of any published or circulated letter, circular, telecommunication, or report that concerns crop or market information or conditions that affect or tend to affect the price of any commodity, including any exchange rate.

In connection with CFTC Rule 4.23, commodity pool operators must:

  • Maintain accurate, current and orderly books and records at their main business office or at an entity such as the pool's administrator as specified in this rule (or maintain records with a third party recordkeeper provided "timely and complete" access to records is available);
  • Retain all "records, data and memoranda" prepared or received relating to the operation of the pool and all other activities in which they engage;
  • Retain records of every letter, circular, memorandum, publication, writing, advertisement or other literature or advice that is distributed or caused to be distributed to existing or prospective pool participants or received by the pool operator from one of the pool's commodity trading advisors;
  • With some exceptions, provide copies of all required records by mail to any pool participant within 5 business days, with reasonable costs paid by the participant;
  • Make records available for copying and inspection during normal business hours at their main office;
  • If not maintaining records at their main business office, file a statement with the CFTC identifying the third party recordkeeper and the services it will provide; and
  • If not maintaining records at their main business office, file a statement with the National Futures Association from the third party recordkeeper that acknowledges the recordkeeper will (i) preserve records on their behalf in accordance with CFTC Rule 1.31 and (ii) make such records available to the Commission, DOJ, or pool participants in compliance with applicable rules.

In connection with CFTC Rule 4.33, commodity trading advisors must:

  • Maintain accurate, current and orderly books and records at their main business office (or maintain records with a third party recordkeeper provided "timely and complete" access to records is available);
  • Retain records of every letter, circular, memorandum, publication, writing, advertisement or other literature or advice distributed or caused to be distributed to existing or prospective clients or subscribers; and
  • Retain records of all transactions in all business dealings in trading commodity interests and cash market transactions.

In connection with CFTC Rules 23.201, 23.202 and 23.203, swap dealers and major swap participants must:

  • Retain "full, complete, and systematic records," including all pertinent data and memoranda, of all swap activities;
  • Retain daily trading records of all executed swaps and related cash and forward transactions, including all documents on which transaction information is originally recorded;
  • Retain all records necessary to conduct a comprehensive and accurate trade reconstruction for each swap and related cash and forward transactions;
  • Retain transaction records such that they are identifiable and searchable by transaction and counterparty;
  • Retain all marketing and sales presentations, advertisements, literature, and communications;
  • Retain records of pre-execution trade information, including records of all oral and written communications sent or received concerning quotes, solicitations, bids, offers, instructions, trading, and prices that lead to the execution of a swap, whether communicated by telephone, voicemail, facsimile, instant messaging, chat rooms, electronic mail, mobile device, or other digital or electronic media;
  • Retain records of the date and time of (i) quotations sent to or received from counterparties, (ii) the execution of swaps and related cash and forward transactions, and (iii) swap confirmations, with time-date stamps to the nearest minute using Coordinated Universal Time (UTC);
  • Retain records at the firm's "principal place of business";
  • Retain records for 5 years from the date the record was created, the first 2 years in a readily accessible place;1 and
  • Allow inspection of records by any representative of the CFTC, DOJ or applicable prudential regulator.

1 With the following exceptions: (i) records of swap or related cash or forward transactions must be retained until the transaction's termination, maturity, expiration, transfer, assignment or novation date and for 5 years thereafter, and (ii) records of oral communications required by CFTC Rule 23.202 must be retained for 1 year.
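The storage controls that recur in these lists (non-rewritable records, serialization and UTC time-date stamps under CFTC Rules 1.31 and 23.202, an index, duplicate copies in a separate location, automatic verification of the stored media, and, under SYSC 9.1, amendments that stay identifiable alongside the original content) share one underlying mechanism: an append-only log in which every record is hash-chained to its predecessor. The Python below is an added example that illustrates that mechanism; it is not code from any regulator, vendor or product named on this page. The record layout, field names and sample order messages are assumptions constructed for the illustration, and writing the duplicate copy to a physically separate site is assumed rather than shown.

```python
"""Added example (not from the page or any regulator): a minimal tamper-evident,
append-only record store showing the mechanics behind non-rewritable storage,
serialization, UTC time-date stamps, indexing, duplicate copies and verification.
Record layout, field names and sample messages are assumptions for illustration."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor used as prev_hash of the first record


def utc_minute(when):
    """UTC time-date stamp to the minute (the precision CFTC 23.202 names)."""
    return when.astimezone(timezone.utc).replace(second=0, microsecond=0).strftime("%Y-%m-%dT%H:%MZ")


def digest(entry):
    """Canonical JSON (sorted keys, no whitespace) so equal content always hashes equally."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class WormRecordStore:
    """Records are only ever appended. Each carries a serial number, a UTC stamp
    and the hash of its predecessor, so editing, deleting or reordering any
    earlier record breaks the chain. An amendment never overwrites: it is a new
    record naming the serial it amends, so the original stays visible."""

    def __init__(self):
        self._log = []     # primary copy, in serial order
        self._index = {}   # record_id -> serials of the original and its amendments
        self._head = GENESIS

    def append(self, record_id, content, amends=None, when=None):
        when = when or datetime.now(timezone.utc)
        body = {
            "serial": len(self._log) + 1,
            "timestamp_utc": utc_minute(when),
            "record_id": record_id,
            "amends": amends,           # serial of the record being corrected, if any
            "content": content,
            "prev_hash": self._head,
        }
        entry = dict(body, hash=digest(body))
        self._log.append(entry)
        self._index.setdefault(record_id, []).append(entry["serial"])
        self._head = entry["hash"]
        return entry["serial"]

    def history(self, record_id):
        """Original and every amendment of a record, oldest first, via the index."""
        return [self._log[s - 1] for s in self._index.get(record_id, [])]

    def head(self):
        """Hash of the newest record; keep it off-system so tail deletion is detectable."""
        return self._head

    def duplicate(self):
        """Deep copy destined for the physically separate duplicate site (assumed written elsewhere)."""
        return json.loads(json.dumps(self._log))

    @staticmethod
    def verify(log, expected_head=None):
        """Recompute every serial and hash. Returns (ok, first_bad_serial)."""
        prev = GENESIS
        for position, entry in enumerate(log, start=1):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["serial"] != position or entry["prev_hash"] != prev or digest(body) != entry["hash"]:
                return False, position
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(log) + 1   # records missing from the tail
        return True, None


def demo():
    """Constructed sample: an order message, a correction to it, and a second order."""
    store = WormRecordStore()
    t = datetime(2024, 3, 1, 14, 7, 42, tzinfo=timezone.utc)
    first = store.append("ORD-1001", {"from": "trader@example.com", "text": "buy 10 ESM4 @ 5100"}, when=t)
    store.append("ORD-1001", {"from": "trader@example.com", "text": "buy 10 ESM4 @ 5101"},
                 amends=first, when=t.replace(minute=9))
    store.append("ORD-1002", {"from": "trader@example.com", "text": "sell 5 CLK4 @ 79.40"},
                 when=t.replace(minute=15))

    primary_ok, _ = WormRecordStore.verify(store.duplicate(), store.head())

    # In-place edit of the duplicate copy: the first record's hash no longer matches.
    edited = store.duplicate()
    edited[0]["content"]["text"] = "buy 1 ESM4 @ 5100"
    edited_ok, edited_at = WormRecordStore.verify(edited)

    # Silent deletion of the newest record: only the separately kept head hash reveals it.
    truncated = store.duplicate()[:-1]
    truncated_ok, truncated_at = WormRecordStore.verify(truncated, store.head())

    return {
        "primary_ok": primary_ok,
        "edited": (edited_ok, edited_at),
        "truncated": (truncated_ok, truncated_at),
        "ord_1001_versions": len(store.history("ORD-1001")),
        "stamps": [e["timestamp_utc"] for e in store.duplicate()],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice. The hash chain alone cannot reveal that the newest record was dropped, which is why the head hash is returned separately and should be stored with the duplicate index rather than beside the primary log. And the correction is recorded as a new serial that references the original, so a reviewer sees both the original text and the amendment with its own time stamp, rather than a single overwritten value.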

Supervision Requirements

Significance of Rules

CFTC Rule 166.3 requires all registered firms to supervise employees to ensure compliance with applicable rules and regulations. Additionally, CFTC Rule 3.3 requires futures commission merchants, swap dealers and major swap participants to appoint a Chief Compliance Officer (CCO) who must establish, maintain and enforce written supervisory policies and procedures to detect and prevent compliance violations. With widespread use of electronic communications as primary business communication tools, it is essential to supervise employees' email, IM, social media and other electronic communications in order to identify and resolve any compliance violations.

Who Must Comply

All CFTC registrants must comply with CFTC Rule 166.3. Futures commission merchants, swap dealers and major swap participants must comply with CFTC Rule 3.3.

Requirements

Under CFTC Rule 166.3, all CFTC registered firms must:

  • "Diligently supervise" all activities of their partners, officers, employees and agents relating to their business as CFTC registrants.

In connection with CFTC Rule 3.3, futures commission merchants, swap dealers and major swap participants must:

  • Appoint a qualified individual to serve as their Chief Compliance Officer (CCO);
  • Require the Chief Compliance Officer to:
    • Meet with the board of directors or senior officer at the time of his or her designation as CCO and at least once annually thereafter;
    • Develop and administer written policies and procedures reasonably designed to ensure compliance with CFTC regulations;
    • Resolve any conflicts of interest in consultation with the board of directors or senior officer;
    • Establish procedures to handle compliance violations; and
    • Prepare an annual report, presented first to the board of directors or senior officers of the firm and subsequently to the CFTC, that includes a description of the firm's written compliance policies and procedures and, for each applicable CFTC requirement:
      • Describes existing written policies and procedures and assesses their effectiveness;
      • Discusses possible modifications to written policies and procedures;
      • Lists any "material changes" made to the policies and procedures during the period;
      • Documents the resources dedicated to ensuring compliance with CFTC regulations, including any inadequacies or deficiencies in resource allocation; and
      • Describes any compliance violations and how these violations were handled.