The SEC recently adopted new record-keeping requirements for broker-dealers and “SBS entities” (dealers in securities swaps and principal participants in securities swaps). Most notably, the SEC will no longer require brokers to maintain records in “write-once, read-many” or “WORM” format. Instead, brokers will be able to use a new “audit trail” alternative for their electronic record keeping systems.
New audit trail alternative
Firms using the new audit trail alternative will need to retain records in a manner that allows for the re-creation of an original record and intervening iterations if the original record is altered, overwritten, or erased. Specifically, the system must track each separate record in a manner that maintains its security, signatures, and data, so as to ensure its authenticity and reliability for the duration of the record’s applicable retention period, and must maintain a complete timestamped audit trail, including:
- All changes and deletions to a record or part thereof
- The date and time of actions that create, modify, or delete the record (both human-initiated and automated actions)
- The identity of the person(s) creating, modifying or deleting the record (which may be reflected in the audit trail as a unique identifier for the person)
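A minimal sketch of a log that captures the three items above and lets the original record and each intervening iteration be re-created. It is an added illustration, not taken from the SEC rule or from any vendor's system; the SHA-256 hash chain used for tamper evidence and the names `AuditTrail`, `actor_id` and `GENESIS` are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed starting value for the hash chain


def _digest(entry):
    """SHA-256 over the canonical JSON form of an entry (without its own hash)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log: entries are only ever added, never edited in place."""

    ACTIONS = ("create", "modify", "delete")

    def __init__(self):
        self._entries = []

    def append(self, record_id, action, actor_id, content=None, when=None):
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action: {action}")
        when = when or datetime.now(timezone.utc)
        entry = {
            "record_id": record_id,
            "action": action,          # create / modify / delete
            "actor_id": actor_id,      # unique identifier; human or automated
            "timestamp": when.isoformat(),
            "content": content,        # full iteration; None for a deletion
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry

    def iterations(self, record_id):
        """Original record and every later iteration, oldest first."""
        return [e for e in self._entries if e["record_id"] == record_id]

    def original(self, record_id):
        return self.iterations(record_id)[0]["content"]

    def verify(self):
        """False if any stored entry was altered, reordered or cut from mid-chain."""
        prev = GENESIS
        for e in self._entries:
            if e["prev"] != prev or e["hash"] != _digest(e):
                return False
            prev = e["hash"]
        return True
```

Truncating the newest entries is not detected by the chain alone; that requires anchoring the latest hash somewhere the log's operator cannot rewrite.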
The SEC noted that it is taking a “principles-based” approach to allowing companies to keep their regulatory filings on the same electronic filing system they use for business purposes, while making the means to do so more technologically neutral. Nevertheless, companies (and their service providers) that choose to use the audit trail alternative will likely need to modify their current systems to meet the technology requirements specified by the SEC. Firms may also need to maintain two systems in parallel for several years until applicable record keeping periods expire: the new audit trail system for new records and a separate WORM-compatible system for inherited records.
Use of cloud service providers
The regulations provide companies with greater assurance that they can use cloud service providers to meet their record keeping requirements. In particular, a cloud service provider will be permitted to file an “alternative undertaking” with the SEC that does not require it to provide the SEC with access to a broker’s records or to produce them upon request. The alternative undertaking includes the following three requirements:
- The third party must acknowledge that the records are the property of the broker
- The third party must acknowledge that the broker-dealer has made these three representations to the third party (in a service agreement or otherwise):
  - The broker-dealer is subject to SEC rules governing the maintenance and retention of certain records
  - The broker-dealer has independent access to the records maintained by the third party
  - The broker-dealer agrees that the third party fulfills the obligations provided for in its undertaking
- The third party must agree to facilitate to the best of its ability, and not interfere with or prevent, the review, access, downloading or transfer of the records by an SEC representative or designee (or by a SIPA trustee)
Broker-dealers will be required to ensure that arrangements with third-party registrars comply with these new requirements. Cloud storage providers will also need to be aware of the obligations they assume. In an undisguised threat to service providers who may “withhold, delete, or discard” required records due to contractual, financial, or other disputes with a company (e.g., broker non-payment), the enacting version states that deletion of a broker-dealer’s records “would constitute a primary breach of the rule by the broker-dealer and may subject the service provider to secondary liability for causing or aiding and abetting the breach”. Contractual provisions that would, among other things, allow a service provider to withhold, delete or reject records are inconsistent with the retention requirements of Rule 17a-4 and the escrow requirements of Rule 17a-4(i).
Historically, a designated third party or “D3P” who prepares or maintains broker regulatory filings in paper or electronic format has been required to file a written and signed undertaking (the “Traditional Undertaking”) with the SEC in which the D3P agrees, among other things, to permit examination of the records by the SEC and its personnel and to promptly provide the SEC and its personnel with true, correct, complete, and current paper copies of all or any part of such books and records. The Traditional Undertaking has led to confusion and challenges in the context of cloud storage, especially regarding whether the cloud storage provider or the enterprise itself has control, access and management rights to records. Cloud service providers often cannot access (or grant the SEC access to) encrypted records of brokers on their servers or produce such records on demand.
The regulations also allow brokers to select a “designated officer” who is a member of senior management, and up to two other designated officers, to take responsibility for providing records to regulators if the firm fails or is unable to do so. Today, only a D3P is authorized to play this role. Businesses can continue to use an unaffiliated D3P. Selected employees must have the same ability as the senior manager to access and provide records independently, either directly or through a specialist reporting directly or indirectly to them. The designated officer may appoint in writing up to three specialists to help him fulfill his obligations.
The compliance date for broker-dealers is May 3, 2023 (November 3, 2023 for SBS entities).
SEC staff will likely continue to request companies’ business records instead of records stored in WORM format or replicated through the audit trail alternative. In the event that SEC staff believe they need an original, that is when the company should recreate the original record via the audit trail information (or produce the WORM version).
It wouldn’t be surprising to see SEC staff issue additional guidance to the industry as nuanced questions arise. Without guidance from SEC staff, companies may be reluctant to move from WORM to the audit trail alternative. Companies can actually expect their service providers to keep the original records in addition to any later iterations, modifications, etc., at least until the industry has a better understanding of the expectations of SEC staff.
Companies will likely continue to wrestle with the age-old question of whether a particular record is a draft or a final version and when the record keeping requirement is triggered. The SEC tries to add clarity here by noting that “the audit trail requirement applies to final records…rather than to drafts or iterations of records that would otherwise not be required to be kept and preserved”. Companies should be able to rely on existing WORM practices to comply in this regard. However, companies that opt for the new audit trail alternative will need to reconsider their approach to compliance. Many companies lean towards a conservative approach in this regard.
Finally, recordkeeping isn’t usually the hottest topic in the FinReg space, but the SEC and CFTC recently fined brokers $2 billion for recordkeeping violations. The SEC has accused these companies of failing to oversee communications on their staff’s personal devices. Even with the new audit trail requirement, unless companies require employees to back up their personal devices to a cloud system, for example, it’s hard to see how the new audit trail alternative will help filers respond to the conduct that regulators considered the most egregious.