Electronic Storage of Broker-Dealer Records
SECURITIES AND EXCHANGE COMMISSION
17 CFR Part 241
[Release No. 34-47806]
Electronic Storage of Broker-Dealer Records
AGENCY: The Securities and Exchange Commission.
SUMMARY: The Securities and Exchange Commission is publishing its views on the operation of its rule permitting broker-dealers to store required records in electronic form. Under the rule, electronic records must be preserved exclusively in a non-rewriteable and non-erasable format. This interpretation clarifies that broker-dealers may employ a storage system that prevents alteration or erasure of the records for their required retention period.
EFFECTIVE DATE: May 12, 2003.
FOR FURTHER INFORMATION: Michael A. Macchiaroli, Associate Director, 202/942-0131; Thomas K. McGowan, Assistant Director, 202/942-4886; or Randall W. Roy, Special Counsel, 202/942-0798, Division of Market Regulation, Securities and Exchange Commission, 450 Fifth Street, NW, Washington, DC 20549-1001.
SUPPLEMENTARY INFORMATION: The Securities and Exchange Commission ("Commission") is publishing guidance with respect to paragraph (f)(2)(ii)(A) of Rule 17a-4, which requires broker-dealers maintaining records electronically to use a digital storage medium or system that "[p]reserve[s] the records exclusively in a non-rewriteable, non-erasable format."1
Broker-dealers are allowed to preserve records on "electronic storage media."2 Rule 17a-4 defines that term as "any digital storage medium or system."3 Paragraph (f)(2)(ii)(A) of Rule 17a-4 requires that the electronic storage media preserve the records exclusively in a non-rewriteable and non-erasable format.4 The staff has received oral requests from broker-dealers for guidance on whether this requirement limits them to using optical platters, CD-ROMs, DVDs or similar physical mediums to achieve this result.
Section 17(a)(1) of the Securities Exchange Act of 1934 ("Exchange Act") authorizes the Commission to issue rules requiring broker-dealers to make and keep for prescribed periods, and furnish copies thereof, such records as necessary or appropriate in the public interest, for the protection of investors or otherwise in furtherance of the purposes of the Exchange Act.5 Pursuant to this authority, the Commission adopted Rules 17a-3 and 17a-4. Rule 17a-3 requires broker-dealers to make certain records, including trade blotters, asset and liability ledgers, income ledgers, customer account ledgers, securities records, order tickets, trade confirmations, trial balances, and various employment related documents.6 Rule 17a-4 specifies the manner in which the records created in accordance with Rule 17a-3, and certain other records produced by broker-dealers, must be maintained.7 It also specifies the required retention periods for these records.8 For example, many of the records, including communications that relate to the broker-dealer's business as such, must be retained for three years; certain other records must be retained for longer periods.9
In combination, Rules 17a-3 and 17a-4 require broker-dealers to create, and preserve in an easily accessible manner, a comprehensive record of each securities transaction they effect and of their securities business in general. These requirements are integral to the Commission's investor protection function because the preserved records are the primary means of monitoring compliance with applicable securities laws, including antifraud provisions and financial responsibility standards. Recent events involving the deletion of emails by broker-dealers have affirmed the need to have measures in place to protect record integrity.
In 1997, the Commission amended paragraph (f) of Rule 17a-4 to allow broker-dealers to store records electronically.10 The rule, by its terms, does not limit broker-dealers to using a particular type of technology such as optical disk. Instead, it allows them to employ any electronic storage media, subject to certain requirements, including that the media "[p]reserve the records exclusively in a non-rewriteable, non-erasable format."11 This requirement does not mean that the records must be preserved indefinitely. Like paper and microfilm, electronic records need only be maintained for the relevant retention period specified in the rule.
III. STORING RECORDS IN A NON-REWRITEABLE, NON-ERASABLE MANNER FOR A SPECIFIED PERIOD
Broker-dealers and vendors of electronic record storage systems have asked whether broker-dealers may use, consistent with Rule 17a-4(f), systems they describe as storing records in a manner that prevents the records from being overwritten, erased or otherwise altered without relying solely on the system's hardware features. Specifically, these systems use integrated hardware and software codes that are intrinsic to the system to prevent the overwriting, erasure or alteration of the records. Thus, while the hardware storage medium used by these systems (e.g., magnetic disk) is inherently rewriteable, the integrated codes intrinsic to the system prevent anyone from overwriting the records. Moreover, the codes used by these systems cannot be turned off to remove this feature. Thus, broker-dealers and venders claim these systems achieve the non-rewriteable and non-erasable requirement without relying solely on the systems' hardware features, such as is the case with optical platters, CD-ROMs and DVDs where digital information is permanently written onto the medium and, consequently, can never be changed or deleted.
One method using such a system stores a specified expiry or retention period with each record or file system. The system blocks record deletion or alteration by any manner of intervention until the expiry is reached or the retention period has lapsed. At expiry, or after the retention period, the records may be deleted from the system, thereby freeing space for reuse.
It is the view of the Commission that Rule 17a-4 does not require that a particular type of technology or method be used to achieve the non-rewriteable and non-erasable requirement in paragraph (f)(2)(ii)(A). Specifically, when we adopted Rule 17a-4(f), we stated:
The Commission is adopting a rule today, which, instead of specifying the type of storage technology that may be used, sets forth standards that the electronic storage media must satisfy to be considered an acceptable method of storage under Rule 17a-4.12
A broker-dealer would not violate the requirement in paragraph (f)(2)(ii)(A) of the rule if it used an electronic storage system that prevents the overwriting, erasing or otherwise altering of a record during its required retention period through the use of integrated hardware and software control codes. Rule 17a-4 requires broker-dealers to retain records for specified lengths of time. Therefore, it follows that the non-erasable and non-rewriteable aspect of their storage need not continue beyond that period.
The Commission's interpretation does not include storage systems that only mitigate the risk a record will be overwritten or erased. Such systems - which may use software applications to protect electronic records, such as authentication and approval policies, passwords or other extrinsic security controls - do not maintain the records in a manner that is non-rewriteable and non-erasable. The external measures used by these other systems do not prevent a record from being changed or deleted. For example, they might limit access to records through the use of passwords. Additionally, they might create a "finger print" of the record based on its content. If the record is changed, the fingerprint will indicate that it was altered (but the original record would not be preserved). The ability to overwrite or erase records stored on these systems makes them non-compliant with Rule 17a-4(f).
Any system used by a broker-dealer must comply with every requirement in paragraph (f) of the rule. Among other requirements in paragraph (f), the broker-dealer would need to have in place an audit system providing for accountability regarding the inputting of records into the storage system.13 The audit procedures for a storage system using integrated software and hardware codes to comply with paragraph (f) would need to provide accountability regarding the length of time records are stored in a non-rewriteable and non-erasable manner. This should include senior management level approval of how the system is configured to store records for their required retention periods in a non-rewriteable and non-erasable manner. It would be prudent to configure such a storage system so that records input without an expiry or a retention period, by default, would be assigned a permanent retention period. This would help to ensure the records are maintained in accordance with the retention periods specified in Rule 17a-4 or other applicable Commission rules.
Moreover, there may be circumstances (such as receipt of a subpoena) where a broker-dealer is required to maintain records beyond the retention periods specified in Rule 17a-4 or other applicable Commission rules. Accordingly, a broker-dealer must take appropriate steps to ensure that records are not deleted during periods when the regulatory retention period has lapsed but other legal requirements mandate that the records continue to be maintained, and the broker-dealer's storage system must allow records to be retained beyond the retentions periods specified in Commission rules.
For the foregoing reasons, the Commission finds this interpretation to be consistent with Section 17 of the Exchange Act and Rule 17a-4 thereunder.
List of Subjects in 17 CFR Part 241
Amendment to the Code of Federal Regulations
For the reasons set out in the preamble, the Commission is amending title 17, chapter II of the Code of Federal Regulations as set forth below:
PART 241 - INTERPRETATIVE RELEASES RELATING TO THE SECURITIES EXCHANGE ACT OF 1934 AND GENERAL RULES AND REGULATIONS THEREUNDER
Part 241 is amended by adding Release No. 34-47806 and the release date of May 7, 2003 to the list of interpretive releases.
By the Commission.
Margaret H. McFarland
Dated: May 7, 2003
|1|| 17 CFR 240.17a-4(f)(2)(ii)(A).
|2|| 17 CFR 240.17a-4(f).
|3|| 17 CFR 240.17a-4(f)(1)(ii).
|4|| Under the rule, the electronic storage media also must verify automatically the quality and accuracy of the storage media recording process; serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member. |
|5|| 15 U.S.C. 78q(a)(1).
|6|| 17 CFR 240.17a-3.
|7|| 17 CFR 240.17a-4.
|9|| See e.g. 17 CFR 240.17a-4(a) - (e).
|10|| Exchange Act Release No. 38245 (Feb. 5, 1997), 62 FR 6469 (Feb. 12, 1997)("Adopting Release").
|11|| 17 CFR 240.17a-4(f)(2)(ii)(A).
|12|| Adopting Release, 62 FR at 6470.
|13|| 17 CFR 240.17a-4(f)(3)(v).