As regulators continue to put pressure on financial firms to maintain robust record keeping processes, it is vital to be aware of your regulatory obligations and ensure that your firm has the tools at its disposal to remain compliant.
In this blog, we explore communications record keeping compliance in North America, including the key books and records requirements, the risks of getting compliance wrong, and the next generation tech solutions that can help you meet your regulatory record keeping obligations.
Topics covered:
Why robust communications record keeping is important
Robust record keeping is a key pillar of compliance. From record retention and archiving to retrieval and auditing, global regulatory directives stipulate the processes that organizations must follow to store their records.
These requirements (often referred to as Books and Records rules) are intended, in part, to provide regulators with the ability to access and review business records so that they can effectively oversee the financial markets. Record keeping data is used by regulators to identify and investigate any potentially fraudulent activity, market abuse or other forms of financial crime.
Generally, the record keeping rules require firms to securely archive and store their data, including communications (such as emails, messaging, meeting notes and, in some jurisdictions, phone conversations) and monitor their books and records to identify potential malpractice.
The push for greater transparency in financial services
The SEC, FINRA, IIROC and new regulations under Dodd-Frank have introduced increasingly stringent rules around the requirement for tamper-proof books and records retention in a push to increase transparency and reduce the likelihood of another financial crash like the one in 2008.
Who governs the North American financial services markets and ensures compliance with books and records requirements?
In the U.S., the Securities and Exchange Commission (SEC) - a government organization set to protect investors and ensure the integrity of the securities market - governs the books and records retention requirements and wider financial services compliance rules. The SEC was established after the great stock market crash in 1929, following the implementation of two major securities laws in the US; the Securities Act of 1933 and the Securities Exchange Act of 1934.
Another key regulatory body in the U.S. is the Financial Industry Regulatory Authority (FINRA), which handles the licensing and regulation of broker-dealers. Although it has regulatory powers, FINRA (which is overseen by the SEC) is not part of the government. It is the largest self-regulatory organization in the securities industry within the U.S.
In Canada, Securities commissions in each jurisdiction combined with self-regulatory organizations oversee the investment industry to protect investors.
The self-regulated organization, Mutual Fund Dealers Association of Canada (MFDA), regulates certain mutual fund dealers in Canada through regulatory standards, compliance audits, investigations and enforcement actions.
There is also the Investment Industry Regulatory Organization of Canada (IIROC), which regulates all investment dealers. IIROC carries out its regulatory responsibilities through setting and enforcing rules regarding the proficiency, business and financial conduct of Canadian investment dealer firms.
Several acts and regulations play into the overall data retention, archiving and record keeping compliance rules for North America, with various intricacies and reams of legislative text. Let’s take a look at the key things you need to know.
The key rules around communications and record keeping in North America
There are rules and regulations across the globe for communications record keeping compliance that apply to financial firms, but these vary slightly in different countries and regions around the world.
In this section, we look at the key rules and considerations for North American firms, in particular books and records retention requirements for communications.
Required format for the storage of communications records
In the U.S. and Canada, communications and record keeping rules require that communications must be recorded in a written or electronic format.
Data must be stored for a fixed period in a secure environment, and should be in an immutable, tamper-proof, Write Once, Read Many (WORM) format. Key components of WORM storage include:
-
Preservation of records in a non-rewriteable, non-erasable format
-
Verification of the quality and accuracy of the storage / record recording process
-
Timestamping of each record to ensure compliance with the required retention period
-
Ability to readily download indexes and records preserved to demonstrate compliance to the SEC, FINRA or other regulator
What forms of communications are required to be captured and archived?
Today, firms carry out communications in various ways and mediums. Communications that need to be captured and archived include the following forms:
-
Mail, email and eComms
-
VComms
-
Social media or instant messaging platforms (such as WhatsApp, Facebook, LinkedIn, Signal, etc.)
-
Other forms of digital communications
For dedicated information and insights on eComms and vComms archiving, read our article: Record Keeping – All you need to know about eComms & vComms archiving.
What are the main rules and how long do firms need to keep communications records?
What are the key rules around communications record retention in the U.S.?
In the United States, communications records must be kept for up to 7 years, but the retention period varies according to certain factors.
-
SEC (SEA) 17a
Rules 17a-3 and 17a-4 require broker-dealers to create, and preserve in an easily accessible manner, a comprehensive record of each securities transaction they effect and of their securities business in general. This includes archiving of email records for six years.
-
SEC 204(2)
Requires every SEC-registered investment adviser to retain copies of all advertisements and other communications (collectively, "advertisements") that the adviser has circulated, directly or indirectly, to ten or more persons (excluding persons connected with the adviser).
-
FINRA rule 2210
Requires FINRA members to maintain all retail communications and institutional communications for the retention period required by SEA Rule 17a-4(b) and in a format and media that comply with SEA Rule 17a-4.
-
FINRA rule 4511
Requires FINRA members to make and preserve books and records in accordance with FINRA rules, the Exchange Act and the applicable Exchange Act rules. Where there is no specified period under the applicable rules, the Members shall preserve for a period of at least six years.
In addition to these rules, FINRA have published a number of notices to add clarity to the rules, specifically with reference to social media and texting:
-
FINRA Notice 10-06
Since Americans are increasingly using social media for business and personal communications, this notice provides guidance to firms around the FINRA rules governing communications on social networking sites.
-
FINRA Notice 11-39
This is an extension on Notice 10-06 which addresses additional questions regarding the application of the rules for electronic communications.
-
FINRA Notice 17-18 - This Notice provides additional guidance regarding the application of FINRA rules governing digital communications, in light of emerging technologies and communications innovations.
What are the key rules around communications record retention in the Canada?
In Canada, financial entities must retain communications records for a minimum of 5 years, in accordance with IIROC rules including:
-
IIROC 29.7 - All advertisements, sales literature and related documents must be retained for a period of 2 years from the date of creation and all correspondence and related documents must be retained for a period of 5 years from the date of creation.
-
IIROC Rule 38001 - Dealer Members (Dealers) must maintain adequate books and records for audit trail, compliance and reporting purposes.
-
IIROC Rule 3804 - Dealer Members (Dealers) must retain copies of all records in a safe location, in a durable and accessible form, for a minimum of seven years from the date the record is created unless IIROC requirements or securities laws relating to the specific type of record require a different retention period.
-
IIROC Rule 3900 - Dealer Members (Dealers) must establish a supervisory system to supervise the activities of all its employees and Approved Persons that provides reasonable assurance they comply with IIROC requirements and securities laws.
How do firms demonstrate record keeping compliance for auditing and retrieval purposes?
The most important thing is that financial firms ensure the quality and legibility of all required communications records related to regulated activities. Firms, auditors and regulators must be able to decipher the content from conversations that are captured and archived. Here are some of the things to be aware of:
-
Just like WORM storage, all records should be timestamped.
-
Any changes made to original or duplicate records must be documented.
-
The record keeping system must be made available for examination, and when requested by the regulator, records must be provided promptly.
SteelEye's Record Keeping Factsheet
Key challenges for firms in meeting communications record keeping compliance obligations
The wide range of communication channels and formats available today has made the job of recording and storing employee communications much more challenging. This is especially true in the wake of the Covid-19 pandemic which caused an increased use of instant messaging platforms like WhatsApp, Signal and Telegram.
Covid-19, remote working and changing behaviours
The global pandemic has forced a shift in working conditions, behaviors and how interactions between financial firms, institutions and clients are operated. This has presented both challenges and opportunities. However, for communications and record keeping compliance, it has meant additional pressure.
Off-premise communications
Capturing, monitoring and arching communications data is now a trickier proposition. As the pandemic hit, certain record keeping solutions were not able to capture staff communications taking place at off-premise locations. Initially, this meant that many firms had to find new and often manual ways of ensuring that communications are tracked and logged.
New channels emerging
The fast pace of technological change and introduction of remote working has resulted in a wealth of new communications channels being used to engage with clients, colleagues and partners. This has created complexities around integrating additional data channels or using corporate policies to ban the use of specific communications platforms.
Increased risk
With communications carried out off-premises and via new channels, there is a greater level of risk of something falling through the cracks and not being recorded properly. Plus, detecting potential market abuse can be more difficult as the volume of data that needs to be recorded increases.
Unstructured data and silos
A big challenge for firms meeting record keeping compliance requirements is the time and resources needed for recording, managing and monitoring communications data. This is because communications data is unstructured, meaning that one piece of data looks very difficult from another.
Legacy systems and processes are not well equipped to handle unstructured pieces of information, such as voice calls and text messages, and have therefore historically led to data silos, time-consuming manual workflows and difficulties consolidating data from different sources.
Regulatory change
In the financial services sector, regulatory change is one of the biggest challenges and highest priorities for banks, asset managers and other financial institutions, as updating policies and processes to accommodate changes is a big undertaking. Future-proofing internal systems for regulatory compliance is key.
The risks of getting record keeping compliance wrong
Falling foul of books and records rules and communications record keeping compliance comes at a cost, both financially and from a reputational perspective. Compliance breaches can be damaging for your brand, whilst hitting your pocket and even leading to criminal prosecution. Compliant record keeping for communications is important for firms who want to:
Increasing regulatory penalties for communications record keeping breaches
Penalties for communications record keeping violations in North America depend on the nature and severity of the violation. Fines range from $1000s for one-off incidents and $100,000s for repeated or continued violations, right up to multi-million-dollar penalties.
In September 2020, the US Securities and Exchange Commission (SEC) handed a broker-dealer a fine of $100,000 for failing to retain text messages. In December 2021, JP Morgan Securities agreed to pay $125 million to the SEC and $75 million to the Commodity Futures Trading Commission (and other related entities) for violations between January 2018 and November 2020, where the investment management giant failed to preserve communications by employees about their securities business on personal devices, email and other communication platforms and was therefore unable to produce responsive materials.
Technology solutions to help firms meet books and records requirements
It’s important to embrace technology that can empower your firm to meet books and records retention requirements for communications. RegTech software for record keeping and communications surveillance can help firms to streamline books and records compliance and stay up to date with the latest regulations.
These solutions provide communications capture and monitoring capabilities, powered by automation, to enable firms to archive records, transcribe voice calls, and translate communications from multiple languages and monitor communications.
Cloud-based systems can help with fast retrieval of communications data, storage scalability and greater efficiency and auditability for regulators. Leading cloud providers like AWS provide SEC compliant storage options to allow vendors and financial firms to meet these specific demands.
How SteelEye can support North American firms with communications record keeping compliance
SteelEye’s Comms Oversight product is a complete communications compliance platform for record keeping, analytics, monitoring and surveillance. Our market-leading platform captures communications data from a wealth of eComms, vComms and traditional channels (consolidating structured and unstructured data) and stores records in a compliant, immutable format, in line with regulations such as FINRA, SEC, IIROC, Dodd-Frank, MAR and MiFID II. So, for firms based in North America, rest assured it can support your compliance needs.
Key benefits of SteelEye’s communications records keeping system and solutions
-
Advanced surveillance algorithms to identify early warning signs of misconduct
-
Enhanced risk detection and reduced false positives
-
All-in-one platform to monitor, manage and control your communications data
-
Data consolidation of structured and unstructured sources
-
Voice transcription and translations (54 languages)
-
Advanced call analytics and AI-driven lexicon
-
Real-time tracking and audit trail for demonstrable compliance
-
Fast record retrieval for data requests and auditing purposes
-
Sophisticated communications oversight technology and machine learning capabilities
-
Highly customizable and scalable software
SteelEye’s compliance tools are suitable for a range of roles and organizations. Our cutting-edge platform simplifies communications capture, archiving, eDiscovery and surveillance. This enables you to save time and money, reduce risks and streamline your record keeping compliance processes.
Learn more about our communications record keeping solutions or get in touch with SteelEye to discuss your firm’s needs or book a demo of our award-winning record keeping platform.
Book a demo
