Crawling into modernity: SEC amends WORM recordkeeping requirements for broker-dealers and SBSDs

The SEC recently adopted amendments (the Amendments) to its recordkeeping rules for broker-dealers and non-bank security-based swap dealers (SBSDs).[1]  The recordkeeping requirements have historically been a significant pain point for broker-dealers; in part, this has been because the provisions relating to electronic records were adopted in 1997 and embedded assumptions about technologies that have since become outmoded.  Unlike many other current SEC rulemaking efforts seeking to expand or create new obligations, the amendments have generally been welcomed by the industry as a necessary update to outdated rules.

The Amendments reflect an effort to modernize existing recordkeeping requirements and make them more “technology neutral” by modifying the means by which broker-dealers may maintain and preserve electronic records, rely on third-party recordkeeping services to hold such records, and produce records to the SEC and its designees.  The Amendments revise Rule 17a-4, applicable to broker-dealers, and expand the requirements of Rule 18a-6, applicable to SBS entities.

Background

Rule 17a-4(f) allows broker-dealers to meet their recordkeeping obligations, other than through paper records, so long as several conditions are met.  When adopted in 1997, the rule contemplated records being kept on microfilm or “electronic storage media,” generally presumed to be optical storage technology, like CD-ROMs.  Given the SEC’s concerns about electronic storage’s reliability, accessibility, and resistance to forgery, several conditions were imposed on the use of electronic recordkeeping.  Specifically, a broker-dealer using electronic storage media was required to:

• Notify its designated examining authority (DEA) (typically FINRA) prior to employing electronic storage;
• Provide 90-days’ prior notice to its DEA when using technology other than optical storage media;
• Use electronic media that met certain technological requirements, including that it be “WORM” compliant—“write-once, read-many”—so that the records could not be tampered with or changed;
• Separately store a duplicate copy of the records, also in WORM format; and
• Employ a third-party that has access and ability to download the records, with the third-party filing an undertaking agreeing to provide securities regulators with access to the records.

Further, if records (electronic or otherwise) were held by a third‑party, the third-party was required to file an undertaking to provide the SEC with access to the records, described in greater detail below.

SBSDs are subject to recordkeeping requirements in Rule 18a-6 (adopted in 2019), which, prior to the Amendments, imposed only a few of these requirements on SBSDs using electronic storage. In particular, SBS entities were not subject to DEA notification, WORM technology, or third-party downloader requirements.

New “audit-trail” alternative to WORM

Broker-dealers have long viewed WORM records as providing little benefit and presenting an unnecessary expense.  Because of their static nature, WORM records are of less use in a business context with constantly-changing data, leading broker-dealers to maintain one set of records for daily business use and a separate set of WORM-compliant records solely for regulatory purposes.  Indeed, broker-dealers typically use their ordinary non-WORM business records to respond to regulatory requests for records, except where regulators specify otherwise.

The Amendments mitigate these concerns by introducing an “audit trail” alternative to WORM.  Broker-dealers can continue using WORM.  However, broker-dealers may instead use an electronic recordkeeping system that is not “write once” —so long as the broker-dealer can recreate an original record if it has been modified or deleted.  In particular, to satisfy the audit-trail requirement, an electronic recordkeeping system must maintain and preserve records for their retention period in a manner that maintains a complete time-stamped audit trail that includes:

1. all modifications to and deletions of a record or any part thereof;
2. the date and time of operator entries and actions that create, modify, or delete the record;
3. the individuals creating, modifying, or deleting the record; and
4. any other information needed to maintain an audit trail of each distinct record in a way that maintains security, signatures, and data to ensure the authenticity and reliability of the record and will permit re-creation of the original record and interim iterations of the record.

A broker-dealer is not obligated to comply with either the WORM or audit-trail approach for all records—it can use both approaches for different sets of records.

More flexible backup requirements

Prior to the Amendments, Rule 17a-4 required broker-dealers to maintain a complete backup copy, in WORM-format, of their WORM records.  Consistent with the SEC’s efforts to modernize and make these rules more technology neutral, the Amendments provide more flexibility.  As amended, a broker-dealer is required to either maintain a backup copy that meets the same technological requirements (i.e., WORM or audit trail) or “have other redundancy capabilities.”  Though the amended rule is not specific on what these other redundancy capabilities must be, the SEC indicated that they must provide for “a level of redundancy that is at least equal to the level that is achieved through using a backup recordkeeping system.”

Alternative to third-party downloaders

As noted above, Rule 17a-4(f) has traditionally required that broker-dealers using electronic recordkeeping systems provide a third party with access to and ability to download information from the electronic system, and that the third-party file an undertaking with the broker-dealer’s DEA agreeing to provide regulators with access.  Many broker-dealers worried that giving a third party this access raised data and cybersecurity risks.  Under the Amendments, the SEC will allow broker-dealers, as an alternative, to designate a “member of senior management” who would undertake the personal responsibility, directly or through other designated officers or specialists, to make the records available in lieu of a third party.

Third-party record-holder undertakings and cloud service providers

Prior to the Amendments, Rule 17a-4 required that, where a broker-dealer has its records (electronic or otherwise) prepared or maintained by a third party, the broker-dealer was required to ensure that the third party filed with the SEC an undertaking agreeing to “permit examination of such books and records” by the SEC or its designees.  While sensible for physical records held in third party-owned storage, many technology vendors, such as cloud service providers, felt unable to provide this undertaking on the basis that although they physically had access to the servers, they could not actually access or provide the SEC with access to the encrypted data.

To address this, the Amendments provide an alternative undertaking.  Where a broker-dealer maintains “independent access” to electronic records held by a third party (i.e., they can access it directly without intervention by the third party), it requires the third party to acknowledge ownership of the records by the broker-dealer, confirm that the broker-dealer has independent access to the records, undertake to facilitate to the extent able and not to impede access to the records by the SEC or its designees.

Other changes

The amended rule makes various other updates and changes, such as:

• Elimination of a broker-dealer’s obligation to provide its DEA with prior notice of its use of electronic recordkeeping;
• Permitting a broker-dealer to transition from a WORM-compliant electronic recordkeeping system to an audit-trail electronic recordkeeping system without notifying the SEC;
• Requiring that electronic records be produced in a reasonably usable format (i.e., compatible with commonly used systems for accessing and reading electronic records), if requested by a representative of the SEC; and
• Revising electronic record location and organization requirements by mandating that broker-dealers more generally provide “information needed to locate the electronic record” instead of, for example, indexes or data fields.

Application to SBSDs

The SEC modeled the SBSD recordkeeping requirements in Rule 18a-6, adopted in 2019, on the broker-dealer recordkeeping requirements in Rule 17a-4.  However, in the original Rule 18a-6, the SEC did not include many technical requirements for electronic storage from Rule 17a-4.  The Amendments impose on SBSDs many of the recordkeeping obligations, as amended, of Rule 17a-4.  Thus, while the Amendments may be seen as modernizing or relaxing some of the broker-dealer recordkeeping requirements, they impose certain requirements on SBSDs for the first time.  In particular, SBSDs were not previously subject to WORM requirements, but now will be required to maintain records in WORM or utilizing the audit-trail alternative.  In addition, SBSDs were not previously required to employ a third-party downloader, but now will be required to either use a third-party downloader or appoint an executive officer instead.

Compliance dates

Broker-dealers will be required to comply with Rule 17a-4, as amended, six months after the Amendments are published in the Federal Register, which has not yet occurred.  SBSDs are required to comply with Rule 18a-6, as amended, twelve months after Federal Register publication.

Associate Ryan P. Hayden contributed to this update.