Guide the design, implementation, and maintenance of recordkeeping programs for broker-dealers and investment advisers under federal securities laws. This skill covers the creation, retention, and storage of required records under SEC Rules 17a-3, 17a-4, and 204-2, FINRA recordkeeping obligations, electronic storage standards including WORM (Write Once, Read Many) requirements, and the archiving of electronic communications and social media. It enables users to build compliant document retention systems and respond to regulatory examinations of books and records.

9 — Compliance & Regulatory Guidance

prospective

SEC Rule 17a-3 (17 CFR 240.17a-3) specifies the books and records that every registered broker-dealer must create and maintain. These records form the foundation of regulatory oversight, enabling examiners to reconstruct transactions, verify compliance, and protect investors. The principal categories of required records are:

SEC Rule 17a-4 (17 CFR 240.17a-4) prescribes the retention periods for broker-dealer records. Records are categorized into three tiers based on their required retention period:

First two years — easily accessible: For all records subject to three-year or six-year retention, the records must be maintained in an easily accessible place during the first two years of the applicable retention period (Rule 17a-4(a), (b)). "Easily accessible" means the firm must be able to produce the records promptly upon regulatory request — they cannot be stored in a manner that requires extensive effort or delay to retrieve during this initial period.

Electronic storage requirements (Rule 17a-4(f)): Rule 17a-4(f) governs the conditions under which broker-dealers may maintain required records in electronic format. Historically, this rule mandated that electronic records be preserved exclusively in non-rewriteable, non-erasable format — the WORM (Write Once, Read Many) standard. The 2022 SEC amendments to Rule 17a-4(f) (Exchange Act Release No. 34-96034, effective January 3, 2023) modernized these requirements by introducing an alternative to WORM storage. Under the amended rule, electronic records may now be maintained in either:

Regardless of which option is chosen, the following requirements apply:

SEC Rule 204-2 (17 CFR 275.204-2) under the Investment Advisers Act of 1940 specifies the books and records that SEC-registered investment advisers must make and keep. Investment adviser recordkeeping requirements differ from broker-dealer requirements in scope and emphasis, reflecting the advisory relationship and fiduciary obligations. Required records include:

Retention period: Most records required under Rule 204-2 must be retained for five years from the end of the fiscal year during which the last entry was made or the record was created. During the first two years of the five-year period, records must be kept in an easily accessible place (i.e., the adviser's principal office or another readily accessible location).

Custody-related records: Investment advisers that have custody of client assets must maintain additional records per Rule 206(4)-2 (the custody rule), including records of all client funds and securities over which the adviser has custody, a journal showing all purchases, sales, receipts, and deliveries of securities and funds for such accounts, and copies of all account statements delivered to clients.

FINRA member firms are subject to FINRA-specific recordkeeping obligations that supplement and reinforce the SEC requirements under Rules 17a-3 and 17a-4.

FINRA Rule 4511 (General Requirements): FINRA Rule 4511 requires each member firm to make and preserve books and records as required under the FINRA rules, the Securities Exchange Act of 1934, and the applicable SEC rules (i.e., Rules 17a-3 and 17a-4). Rule 4511 also requires that all books and records be maintained in a format and medium that comply with Rule 17a-4. This means FINRA firms must meet the electronic storage, index, and accessibility requirements of Rule 17a-4(f) for all records — including FINRA-specific records not explicitly addressed by the SEC rules.

FINRA Rule 3110 (Supervision) — Recordkeeping Implications: FINRA Rule 3110 generates significant recordkeeping obligations through its supervision requirements:

FINRA Rule 4513 (Records of Written Customer Complaints): Requires a separate file of all written customer complaints, indexed by complaint type and by associated person. The complaint record must include the complainant's name, date received, associated person identified, nature of the complaint, and disposition. These records are retained for at least four years.

SEC and FINRA rules require broker-dealers and investment advisers to capture, retain, and supervise all business-related electronic communications. The regulatory framework does not distinguish between communication platforms — the obligation applies uniformly regardless of the technology used.

Scope of covered communications: The requirement extends to all written business communications, including email, instant messaging (Bloomberg chat, Reuters Eikon messaging, proprietary IM systems), text messages (SMS and messaging apps such as iMessage and WhatsApp), collaboration platforms (Microsoft Teams, Slack, Zoom chat), and any other electronic medium used to communicate about firm business.

Retention requirements for electronic communications: Electronic communications related to the broker-dealer's business are treated as "correspondence" under Rule 17a-4(b)(4) and must be retained for a minimum of three years (the first two years in an easily accessible place). For investment advisers, written communications are retained for five years under Rule 204-2(a)(7).

Supervision requirements: Beyond mere retention, firms must supervise the content of electronic communications. FINRA Rule 3110 requires that firms establish procedures to review correspondence and internal communications. The review methodology may include automated keyword or lexicon surveillance, statistical sampling, targeted reviews of high-risk registered representatives or activity patterns, and escalation procedures for flagged communications. Supervisory reviews must be documented, and the firm must retain evidence of the review process.

BYOD (Bring Your Own Device) policies and challenges: Firms that permit employees and registered representatives to use personal devices for business communications face heightened compliance challenges. BYOD policies must address: mandatory installation of archiving applications on personal devices, prohibition of non-approved communication channels for business communications, technical controls to capture communications from personal devices, procedures for device collection or data preservation when an employee departs, and employee attestations acknowledging the firm's right to monitor and archive business communications on personal devices.

Rule 17a-4(f) has historically been the most technically prescriptive provision in the books-and-records framework. Understanding the WORM standard and the 2022 amendments is essential for designing compliant electronic recordkeeping systems.

WORM (Write Once, Read Many) standard: Under the original Rule 17a-4(f), electronic records had to be stored on non-rewriteable, non-erasable media — the WORM standard. The purpose of this requirement was to prevent firms from altering or destroying records to conceal violations. WORM-compliant storage options have historically included optical disks (CD-R, DVD-R), magnetic tape with write-protect mechanisms, and purpose-built WORM storage appliances. Cloud-based WORM storage solutions (such as those offered by Amazon S3 Object Lock, Azure Immutable Blob Storage, and similar services) are now available and widely used, provided they meet the non-rewriteability and non-erasability requirements.

Index and retrieval system: Regardless of storage format, the firm must maintain an index of all records stored electronically. The index must be organized to permit prompt identification and retrieval of any individual record. The index itself must be stored on a medium separate from the records and must be duplicated for disaster recovery purposes.

Audit trail: Under the 2022 amendments (Exchange Act Release No. 34-96034), firms that elect the audit-trail alternative (rather than WORM) must maintain an electronic recordkeeping system that creates a time-stamped, tamper-evident audit trail of every modification, deletion, or alteration of any record. The audit trail must preserve the original record and all subsequent versions, and it must be possible to reconstruct the complete history of any record from creation through its current state.

Third-party access agent: The broker-dealer must file with its designated examining authority (DEA) and the SEC the name, address, telephone number, and facsimile number of the designated third party who will provide access to electronic records in the event the broker-dealer ceases operations. The designated third party must file with the SEC an annual undertaking agreeing to provide such access. This requirement was designed to address the risk that electronic records could become inaccessible if the firm failed and its technology infrastructure was dismantled. The third-party access agent requirement remains in effect under the 2022 amendments for firms using either WORM or audit-trail storage.

Annual letter from the designated third party: The designated third party must file annually with the SEC a written statement affirming its agreement to provide the required access. Failure to maintain a current designated third party and annual undertaking is itself a books-and-records violation.

2022 SEC amendments (effective January 3, 2023): The amendments to Rule 17a-4 were designed to modernize the rule by: (1) offering the audit-trail alternative to WORM, (2) eliminating the requirement that firms notify the SEC before using electronic storage (firms previously had to file a notice 90 days before beginning to store records electronically), (3) permitting the use of any electronic recordkeeping system that meets the requirements, without specifying particular technologies, and (4) streamlining certain notification requirements. These amendments were adopted in recognition that WORM technology, while effective, imposed significant operational costs and that modern audit-trail technologies could achieve equivalent regulatory objectives.

Social media presents unique recordkeeping challenges that have been the subject of extensive regulatory guidance. The core principle remains unchanged: business-related communications on social media platforms must be captured, retained, and supervised just like any other written business communication.

Ephemeral content: Features such as Instagram/Facebook Stories, Snapchat, and disappearing messages on platforms like Telegram and WhatsApp present heightened compliance risk. If a registered representative uses an ephemeral messaging feature for business communication, the firm must capture and retain that content. Most regulatory enforcement actions involving off-channel communications have cited the failure to capture ephemeral or disappearing messages.

Personal device usage: Registered representatives who use personal social media accounts or personal devices for business-related communications create archiving gaps if the firm does not have technology in place to capture those communications. Firms should maintain policies that either (a) prohibit the use of personal social media accounts and unapproved platforms for business communications, or (b) deploy technology solutions to capture communications from approved personal accounts.

Third-party archiving vendors: The regulatory requirements have given rise to a market of specialized archiving vendors (such as Smarsh, Global Relay, Proofpoint, and others) that provide capture, retention, supervision, and retrieval capabilities across multiple communication platforms. When selecting a vendor, firms should evaluate whether the vendor's solution captures content from all platforms the firm uses, meets WORM or audit-trail requirements under Rule 17a-4(f), provides lexicon-based surveillance capabilities for supervisory review, supports search and retrieval for examination requests, and maintains its own disaster recovery and business continuity capabilities.

FINRA guidance on social media records: FINRA has emphasized that firms must: (1) inventory all social media platforms used by the firm and its associated persons for business purposes, (2) establish written policies identifying approved and prohibited platforms, (3) deploy archiving technology for all approved platforms, (4) train associated persons on social media policies and the consequences of using unapproved platforms, and (5) conduct periodic attestations from associated persons confirming compliance with the firm's social media policies.

The following table maps common document types to their required retention periods and source rules:

For all broker-dealer records subject to three-year or six-year retention, the first two years must be maintained in an easily accessible place. For investment adviser records, the first two years of the five-year period must be maintained in an easily accessible place.

Scenario: A mid-size broker-dealer migrates from an on-premises email system to a cloud-based platform. The migration takes place over a two-week period. Six months later, during preparation for a routine FINRA examination, the compliance department discovers that emails sent and received during the migration window were not captured by the firm's archiving vendor. The gap affects approximately 3,500 emails across 120 registered representatives over the two-week period. The firm cannot determine the content of the missing emails.

Analysis: The firm should take the following remediation steps: (1) Conduct a forensic analysis to determine the exact scope of the gap — which users were affected, the precise dates, and whether any emails can be recovered from backup systems, individual mailboxes, or the cloud platform's own logs. (2) Engage the archiving vendor and the cloud platform provider to determine whether any copies of the missing emails exist in alternative storage. (3) Document the root cause of the gap — was it a failure in the migration plan, a vendor configuration error, or a lack of testing before cutover. (4) Self-report the deficiency to FINRA if the gap is material. FINRA considers self-reporting a mitigating factor in enforcement proceedings. (5) Implement preventive controls for future migrations, including parallel archiving during transition periods (running both old and new systems simultaneously), pre-migration testing of archiving capture, and post-migration validation audits. (6) Review the firm's vendor management procedures — the archiving vendor should have been involved in migration planning and should have validated capture continuity. The regulatory exposure depends on the scope of the gap and whether any of the missing communications related to customer complaints, order instructions, or other high-risk content. FINRA has brought enforcement actions for email archiving failures, with fines ranging from $10,000 to over $1 million depending on the scope and duration of the deficiency and the firm's remediation efforts.

Scenario: An SEC-registered investment adviser has been operating for five years, managing $400 million in assets across 200 client accounts. The firm has maintained basic financial records (journals and ledgers) and client agreements, but has never established a systematic recordkeeping process for investment recommendations. Investment recommendations are made verbally in client meetings and documented informally in advisors' personal notes, personal email accounts, and handwritten notebooks. The firm has no centralized repository for investment recommendations, no records of the research or analysis supporting recommendations, and no documentation of how investment opportunities were allocated among clients. The deficiency is discovered when the firm receives an SEC examination notification.

Analysis: The firm faces a serious examination outcome. The remediation plan should include: (1) Immediately implement a centralized recordkeeping system for investment recommendations — this may include a CRM or portfolio management system that captures the recommendation, the date, the supporting rationale, the adviser who made it, and the client accounts that received it. (2) Collect and centralize whatever informal records exist — personal notes, emails, presentation materials — and incorporate them into the firm's official books and records going forward. Advisors should be directed to forward any business-related emails from personal accounts to the firm's archive. (3) Implement a written trade allocation policy and begin documenting how investment opportunities are allocated among clients. (4) Engage outside compliance counsel to prepare for the SEC examination. The firm should be prepared to explain the deficiency, present its remediation plan, and demonstrate that the new system satisfies Rule 204-2. (5) Consider whether a deficiency letter or self-disclosure to the SEC is appropriate before the examination begins. (6) Train all advisory personnel on recordkeeping obligations and implement attestation procedures. The SEC's examination staff will likely issue a deficiency letter at minimum. If the lack of records conceals substantive violations (unfair allocation, conflicted recommendations), the matter could escalate to an enforcement referral. The firm's prompt and comprehensive remediation will be a mitigating factor.

Scenario: A broker-dealer's compliance department learns that several registered representatives have been communicating with clients via personal cell phone text messages (iMessage and WhatsApp) for the past two years. The firm's policies prohibit the use of personal devices and unapproved platforms for business communications, but the prohibition has not been enforced. The firm has no archiving solution for text messages sent from personal devices. An estimated 15 registered representatives have exchanged thousands of text messages with clients discussing investment recommendations, trade instructions, account transfers, and complaints. The firm discovers the issue when a customer arbitration claimant produces text messages that the firm has no record of.

Analysis: This scenario reflects a pattern that has been the subject of major SEC and FINRA enforcement actions in recent years. Beginning in 2021, the SEC and FINRA initiated a series of sweeping investigations into off-channel communications at broker-dealers and investment advisers. These investigations resulted in billions of dollars in aggregate penalties across the industry. The SEC imposed fines of $125 million on individual firms, with total industry penalties exceeding $2 billion by 2024. FINRA has brought parallel actions with fines ranging from hundreds of thousands to tens of millions of dollars. The firm should take the following steps: (1) Immediately deploy a text message archiving solution for all registered representatives. Solutions include firm-issued devices with built-in archiving, mobile archiving applications installed on personal devices (with employee consent), or enterprise mobility management platforms that capture text messages from approved applications. (2) Collect and preserve all available text messages from the affected registered representatives' personal devices. This may require cooperation from the representatives and potentially forensic data collection. (3) Conduct a review of the collected text messages to identify any customer complaints, trade instructions, or other records that should have been maintained under Rules 17a-3 and 17a-4. (4) Self-report the deficiency to FINRA and the SEC. Given the current enforcement environment, self-reporting is strongly advisable — regulators have imposed significantly higher penalties on firms that failed to self-report or that were discovered through examination rather than voluntary disclosure. (5) Strengthen the firm's policies to include: a clear prohibition on unapproved communication channels, mandatory use of the firm's archiving solution for all business communications, annual (or more frequent) attestations from registered representatives confirming compliance, technical controls where feasible (e.g., monitoring for unapproved application usage on firm-issued devices), and disciplinary consequences for violations. (6) Retrain all registered representatives on the firm's communications policies, the regulatory basis for the requirements, and the personal liability exposure for off-channel communications. The regulatory exposure is significant. In the current enforcement climate, the SEC and FINRA have treated off-channel communications failures as serious violations warranting substantial monetary penalties, undertakings to engage independent compliance consultants, and requirements to implement enhanced supervisory systems.