SEC Offers Alternative to ‘Worm’ Books and Records Retention for Broker-Dealers and Security-Based Exchange Entities | Goodwin

On November 18, 2021, the United States Securities and Exchange Commission (“SEC”) proposed amendments to Rules 17a-4 and 18a-6 under the Securities Exchange Act of 1934 regarding record-keeping requirements for brokers and certain securities swaps (“SBS” entities).[1] The industry could see a quick timeline in 2022 for SEC adoption of the proposed changes. In the meantime, broker-dealers, SBS entities and recordkeeping providers should consider how this proposal might affect their recordkeeping systems and related practices, including internal and external data and information security. .

PROPOSED CHANGES [2]

The proposal would modify the electronic record retention and prompt filing requirements of Rules 17a-4 and 18a-6, including by:

  1. Provide an alternative audit trail to the current requirement that electronic broker records be maintained exclusively in non-rewritable, non-erasable format (also known as write-once, read-many, or “WORM” format ).
  2. Eliminate third party access and engagement requirements for broker-dealers and replace with a requirement that at least one senior officer of the broker-dealer (or SBS entity) – with independent access to records and ability to provide them – executing an undertaking to provide, at the request of the SEC, a record and its audit trail (if any), which must be maintained on an electronic filing system in an electronic format “reasonably usable “.
  3. Elimination of the requirement for the dealer to notify its designated review authority before using an electronic record keeping system.
  4. Require brokers and SBS entities to be ready at all times to provide records stored on an electronic archiving system. The amendments would also replace current rules that require brokers and SBS entities to organize and index all information retained on original and duplicate storage media with a requirement only that the electronic record system organize and retain necessary information. to locate records.
  5. Requiring brokers and SBS entities to have a back-up set of records when records are maintained on an electronic filing system, which is similar to the current requirement that firms retain and separately store copies of duplicate records. This suggests that the SEC will expect the broker or SBS entity to have a second electronic filing system that serves as a redundant source from which to retrieve records. Records stored on the backup electronic archiving system shall be retained in accordance with the record retention requirements of Rules 17a-4 or 18a-6, as applicable.[3]

Under the proposed new audit trail alternative to WORM, a firm’s electronic records system should retain records for the duration of their applicable retention periods so as to maintain a complete audit trail and timestamped. The electronic archiving system must have the ability to easily download and transfer copies of a record and its audit trail (if any) in a “human readable format” (i.e. i.e. a format that can be read naturally by an individual) or a “reasonably usable electronic format.” The audit trail should include the following information:

  1. All changes and deletions to a record or part thereof;
  2. The date and time of operator entries and actions that create, modify, or delete the record;
  3. The identity of the person(s) creating, modifying or deleting the record; and
  4. Any other information necessary to maintain an audit trail of each separate record in a manner that preserves security, signatures, and data to ensure the authenticity and reliability of the record and that allows recreation of the record original and intermediate iterations of the record.

COMMENTS

The industry should generally view the proposal as a welcome attempt by the SEC to modernize recordkeeping requirements and address legacy constraints in this area. Nevertheless, the proposal seems to raise as many questions as solutions.

  1. The proposal states that a “reasonably usable” electronic format is a format that is common and compatible with commonly used systems for accessing and reading electronic documents. In other words, a proprietary file format that is not easily accessible or readable by common systems would not be allowed. The SEC is seeking comment on the types of electronic record formats that should be considered reasonably usable, and any final rule would benefit from additional guidance as to what the SEC considers a reasonably usable electronic format.
  2. The elimination of third party access and engagement requirements would mean that at all times a broker or SBS entity must have at least one senior official with independent access to – and the ability to provide – records of the company at the SEC. The senior executive would also be required to perform required covenants, similar to what is required of third-party custodians of electronic records under the current rules. Independent access would mean that “the senior manager has the knowledge, credentials and information necessary to access and provide the documents” on his own, without having to rely on anyone else in the company. If adopted, and given the extensive access that this requirement would require of a senior executive, firms may wish to consider developing and implementing executive access policies to ensure such access is only used in response to a regulatory request or for other valid firm requests. or for regulatory purposes. This is especially true for companies that separate business and regulatory decision-making from access to information. It may also be difficult (if not impossible) for a person in a company to meet these commitments individually. In other words, businesses don’t work that way. This element of the proposal also raises data and information security issues, including apparently ignoring the long-established principle of “least privilege” (i.e. the concept of security in which a user receives the minimum level of access or authorization necessary to perform the user’s job function).
  3. Currently, some businesses use a WORM archiving system almost exclusively for the purpose of meeting the requirements of Rule 17a-4 and maintaining separate working copies of records for use in day-to-day business operations. In the view of the SEC, the proposed amendments are intended to facilitate the use of a single electronic record-keeping system for business and regulatory purposes. However, requiring companies to maintain backup “systems” and the ability to have WORM and audit trail systems in parallel could add confusion in an area that the SEC is no doubt trying to streamline and modernize. We expect the SEC to clarify what is sufficient as a “fallback electronic filing system.” In other words, will redundant records stored in separate locations in a company’s filing system be sufficient, or does the SEC really intend companies to keep backup records on entirely separate “systems”?
  4. The proposal aims to give companies the option to (eventually) phase out WORM once and for all. Additionally, brokers and SBS entities will have the option of continuing to retain certain records in WORM format, while using the audit trail for other types of records. It may be easier, for example, to store certain types of static records, such as emails, in WORM format, while using an audit trail for regularly updated records. Notably, the proposed audit trail method would only apply to records created after the eventual effective date of the rule change. Firms that choose to adopt an audit trail recording system would be permitted to keep new records on a system that meets audit trail requirements, but would be required to keep old records on a WORM-enabled system. (although the audit trail method only applies to records created after adoption, it is unclear what the SEC considers an alternative). This implies that companies would face the burden of maintaining old and new systems in parallel at least until the retention periods for old records kept by WORM expire.

The public comment file closed on January 3, 2022 and is surprisingly thin. This may be a result of the timing of the proposal (a week before Thanksgiving) and the brief comment window (which spanned the December 2021 holiday season and the end of the calendar year). SEC Commissioner Peirce has previously argued for extended comment periods on rulemaking, generally. We’ll be watching closely for updates in this area, including a potential comment window extension and, of course, any future SEC adoption.[4]


[1] In 2019, the SEC signaled its intention to proceed with this modernization when it chose not to extend the WORM requirement nor the Designated Third Party Registrar requirement to the rules applicable to SBS entities, noting that “the Commission Believes that any changes to broker-dealer electronic storage arrangements should be addressed in a separate regulatory initiative in which the Commission intends to examine issues relating to electronic storage media in a broader context, including with respect to other market players.

[2] This proposed regulation was quite substantial. This Customer Alert discusses the changes that we consider to be the most important.

[3] Although similar to the current requirement that a broker or SBS entity store separately from the original, in any medium acceptable under Rule 17a-4, a copy of a record for the required period, the proposal would modernize the duplicate copy requirement slightly by eliminating the WORM requirement. The SEC believes that this backup electronic filing system will facilitate reviews and support business continuity for the broker or SBS entity in the event of a disruption to the primary filing system.

[4] The Commission often considers comment letters received after the comment deadline, even without an extension, particularly when seeking industry comments and have received fewer comments than expected.

About the author