The Financial Industry Regulatory Authority recently released a regulatory notice
outlining guidelines that all financial professionals need to be aware of. We will start with a quick summary of the guidelines, then we will show you how to prepare.
The guidelines were released by FINRA, but they do not apply just to broker-dealers. The guidelines specifically mention the U.S. Securities and Exchange Commission's Rule 17a-4, which applies to basically all financial services firms. Because these guidelines will have a broad impact, we wanted all our readers to be informed.
The guidance focuses on contractual arrangements between brokers and third-party record-keeping service providers. Providers must now supply the commission with a document stating that records will be stored according to all applicable regulations. The provider must also supply the SEC with hard copies of any documents it requests. Finally, providers must preserve regulated information even if the broker-provider relationship ends. If the last provision is not met, the service provider could be subject to secondary liability.
Initially, these changes seem small and focused almost entirely on providers and not brokers. In reality, they have important implications for how brokers-dealers manage information and preserve compliance.
Understanding the Impact of New Rules
The FINRA guidelines are designed to protect against a very specific scenario: providers deleting evidence of broker wrongdoing after the relationship between the two parties ends. It doesn’t matter what the motive for destroying the information is. In any event, the provider could be held liable for the broker’s mistakes and misdeeds.
Proving secondary liability is difficult, raising questions about whether record-keeping providers could actually be held liable. However, that uncertainty is not good for either brokers or providers because it means either party could potentially be held financially responsible.
There is also uncertainty about how brokers and providers will need to supply information. The guidelines state that it must be in hard copy, but it’s not clear whether this applies to information that originated in electronic formats. It’s also not clear whether information must be stored in write once, read many (WORM) storage, cold storage, or on long-life hard drives.
Until these unknowns are answered, it’s hard to project the exact impact of these guidelines. What is clear, however, is that brokers and providers must review their contractual agreements and revise their data-storage policies. They won’t need to be scrapped entirely, but they will need to reflect these guidelines.
Redefining the Broker-Provider Relationship
In the wake of these guidelines, brokers will need to reevaluate their relationships with any current or future record-keeping providers. Providers should be vetted on the basis of their financial stability and insurance coverage. Essentially, brokers need to be confident that any provider they partner with is likely to remain in business over the long term. And if they don’t, the provider must be able to retain records beyond the required retention period.
Archiving is a hot industry right now. New companies are trying to innovate using technologies like blockchain. While those innovations may sound beneficial, the simple fact that they are new and unproven should raise red flags. Because stability is now so important, brokers should look for providers with established foundations rather than cutting-edge pedigrees.
Policies are also important to consider. Now that the FINRA requires providers to keep records even after the contractual obligation ends, brokers could simply decide to stop paying because they'd know they would still be compliant. Preventing this scenario will likely require an attestation rather than an entirely new contract. The SEC is expected to provide further guidance on this point.
The last issue to consider is the data ownership and retention clauses contained in broker-provider contracts. Lawyers should review these clauses in the context of the FINRA guidelines and make additions or revisions. Specifically, contracts should state that brokers, not providers, own the data. This action, along with the others mentioned above, will do a lot to ensure compliance even if the details are still being determined.
Partnering With Zix to Manage Compliance
At Zix, we take an all-encompassing view of cybersecurity. That means we understand the threat of hackers and malicious attacks. We also understand that noncompliance is an equal cause for concern. For that reason, we have made compliance management a cornerstone of our solutions. We aim to make it as easy as possible to stay compliant, even after the regulations evolve.
One of the things that sets Zix apart from other record-keeping providers is our commitment to WORM storage. We have employed WORM off-site data backups since day one, meaning that any of our clients can retrieve data from as far back as they need to. WORM tapes and optical drives are not standard in the industry, and many providers that do currently use them have not always used them. Zix is unique in making older information readily accessible.
Zix is also able and eager to accommodate regulators, which is clearly spelled out in our attestation letter. If and when regulators request information, we are happy to provide it immediately. It does not require information to be moved around or redefined. All it takes is a request. Not every company has that same attitude, which may have been beneficial in the past but is now more likely to invite regulatory sanctions.
The new FINRA guidelines exist for a reason: to create stronger relationships between brokers and providers in order to ensure regulators have consistent access to sensitive data. Zix is one of the major players in the archiving industry and the only company to be publicly traded. More than 21,000 organizations rely on our services, including the U.S. Treasury, the Federal Financial Institutions Examination Council, and even the SEC itself. Our company is long-established, highly accomplished, and certainly sustainable.
Regulators are making partnerships a priority. Zix is exactly what you are looking for in a partner.