SEC Recordkeeping Rule Violations: Lessons for Financial Services Firms

  • Parul Chowdhry, Peter Dugas, Matthew Rodgers
  • Published: 24 February 2025


The US Securities & Exchange Commission’s recordkeeping requirements are fundamental to financial institutions under US federal securities law. Recent regulatory enforcement actions have served to further highlight the importance of compliance – not least in the area of electronic communications.


Recordkeeping sits at the core of the SEC’s regulatory process and exams, and violations of the requirements undermine the Commission’s ability to protect investors and preserve market integrity. The SEC accordingly places great emphasis on proper recordkeeping policies and practices and the use of approved channels of communication by personnel.

Since December 2021, over 50 broker-dealers, investment advisors and affiliates have incurred significant financial penalties and fines for violating recordkeeping provisions of the Securities Exchange Act of 1934, the Investment Advisers Act of 1940, or both. There are some indications that the recent change of administration, and a degree of dissent among Commissioners about aggressive enforcement action on recordkeeping, may mean that regulators soften their stance.

However, to date, the SEC has taken over 50 enforcement actions and ordered over US$1.5bn in total penalties against firms for longstanding failures regarding electronic communications. The grounds for enforcement include:

  • Failure to maintain and preserve electronic communications
  • Use of unapproved off-channel communications by the firm’s personnel
  • Failure to reasonably supervise personnel to prevent and detect violations
  • Failure to address the issue of off-channel communications.

Key Regulatory Provisions

Under US federal securities law, the preservation of communications is mandated via specific provisions:

  • Section 17(a) of the Securities Exchange Act of 1934, Rule 17a-4(b)(4).[3] This requires broker-dealers to preserve for at least three years the originals of all communications received, and copies of all communications sent relating to their business as such. Rule 17a-4 was updated in October 2022 to modernize record storage requirements in various ways, e.g. by making them more technology neutral and addressing the use of third-party cloud service providers.

  • 17 CFR § 1.31(a) recordkeeping regulations under the Commodity Exchange Act. These state that, “Regulatory records means all books and records required to be kept by the Act or Commission regulations in this chapter, including any record of any correction or other amendment to such books and records, provided that, with respect to such books and records stored electronically, regulatory records shall also include:
    • (i) Any data necessary to access, search, or display any such books and records; and
    • (ii) All data produced and stored electronically describing how and when such books and records were created, formatted, or modified.”[6]

  • Section 204 of Investment Advisers Act of 1940, Rule 204-2(a)(7).[4] This requires registered investment advisors to preserve in an easily accessible place the original of all written communications received, and copies of all written communications sent relating to, among other things, any recommendations made or proposed to be made, and any advice given or proposed to be given.

Off-Channel Communications and Best Practices

The use of unapproved applications and personal devices (e.g. text messages, WhatsApp, personal email) for business communications is a key cause of violations of recordkeeping rules. The violations involve a wide spectrum of individuals with different titles, roles and functions within organizations, and include both junior and senior employees.

Section 17(a)(1) of the Securities Exchange Act of 1934 (Exchange Act) and Rule 17a-4(b)(4) impose a broad requirement that a broker-dealer retains communications “relating to its business as such”. The Investment Advisers Act of 1940 (Advisers Act) requires that registered investment advisors retain certain specific categories of communications including “any recommendation made or proposed to be made and any advice given or proposed to be given.”

To ensure recordkeeping of all business-related communications by personnel in accordance with the SEC’s rules and guidelines, firms should take the following steps:

  • Bolster record retention processes and fix issues that could result in future misconduct by the firm’s personnel
  • Conduct comprehensive reviews of policies and procedures relating to the retention of electronic communications found on personal devices and the frameworks for addressing non-compliance by employees
  • Harmonize policies and procedures across various departments and functions within the firm to enforce guidelines and hold people accountable in a systematic way.

Firms are encouraged by the SEC to self-report recordkeeping violations, and to cooperate with the SEC and Department of Justice by ensuring the transparency, support and information required to conduct a detailed investigation into potential non-compliance. Historically, the SEC has levied less severe financial penalties on firms that have self-reported such violations.

Separately, firms should also recognize that new technologies require enhanced compliance measures to ensure business records are retained and accessible.


Challenges and Recommendations

Compliance with SEC recordkeeping rules presents various challenges for financial institutions:

  • Existing technology. Technological limitations make comprehensive monitoring and surveillance of employee communications (internal and external) and conduct both challenging and costly for firms

  • Infrastructure costs. There are high costs associated with automating recordkeeping processes and uplifting the existing technology infrastructure to improve surveillance and streamline processes

  • Operational gaps. For example, the improper identification of people falling into the category of ‘associated persons’, and the failure to maintain current records such as the list of personnel who need to be monitored to ensure adherence to policies and best practice

  • Governance, Risk, and Compliance (GRC) frameworks. Lack of robust governance, risk management frameworks and controls to prevent and detect any risks that may lead to recordkeeping violations and regulatory actions

  • Personnel training. Limited training opportunities covering federal securities laws, rules and guidelines for broker-dealers and investment advisors related to recordkeeping.

Our recommendations to help ensure firms can navigate these challenges include:

  • Implement cutting-edge technology solutions, including leading AI-driven surveillance tools, to enhance monitoring and surveillance across business functions

  • Automate record retention and recordkeeping processes to minimize manual intervention, and simplify and streamline communications

  • Implement employee annual attestations to confirm they will not conduct the firm’s business on unapproved personal or external devices and will adhere to regulatory guidelines

  • Review the current state of recordkeeping infrastructure and policies and procedures to identify potential gaps and formulate actionable plans on how to close the gaps in line with best practice

  • Review and update GRC frameworks in accordance with regulatory guidelines and industry best practice

  • Conduct comprehensive training and employee examinations to make sure skills and knowledge remain up to date with regulations

  • Make sure the firm’s efforts are coherent across key functions, sustainable over time, and remain up to date through ongoing monitoring and robust change management processes around new or amended regulations and guidelines.

Leveraging GRC frameworks to mitigate risks, including recordkeeping risks


Conclusion


By leveraging robust GRC frameworks, such as ISO 31000, COSO, and OCEG, and optimizing regulatory change management, firms can align teams, streamline processes, and manage and mitigate global risks including recordkeeping risk across their Three Lines of Defense: operational management, risk management & compliance, and internal audit.

By integrating these elements, firms can:

  • Develop a sustainable and proactive compliance culture around recordkeeping
  • Strengthen preventive and detective controls across operations
  • Leverage advanced tools to monitor communications and address off-channel risks effectively.


The compliance risks of poor recordkeeping and the associated costs and potential for reputational damage have increased in recent years. The aim should be to promote a strategy of continuous improvement and resilience across the enterprise, in ways that take account of the risks and opportunities offered by fast-evolving communication technologies. 



References

https://www.whitecase.com/insight-alert/sec-announces-possible-last-wave-channel-communications-enforcement-actions
https://www.sec.gov/newsroom/press-releases/2024-98
https://www.sec.gov/newsroom/press-releases/2024-18
https://www.sec.gov/newsroom/press-releases/2023-212
https://www.sec.gov/newsroom/press-releases/2023-149
https://www.sec.gov/newsroom/press-releases/2022-174
[3] https://www.mayerbrown.com/-/media/files/perspectives-events/publications/2022/10/legal-update--sec-adopts-amendments-to-electronic-recordkeeping-requirements-for-brokerdealers-and-sbs-entities.pdf
[4] https://www.mayerbrown.com/en/insights/publications/2024/02/whatsapp-all-over-again-the-sec-brings-more-recordkeeping-charges-against-broker-dealers-and-investment-advisers-for-off-channel-communications
[5] https://www.sidley.com/en/insights/newsupdates/2023/10/latest-wave-of-sec-off-channel-communications-enforcement-actions-five-takeaways
[6] https://www.ecfr.gov/current/title-17/chapter-I/part-1/subject-group-ECFR26e2c365a191fa7?toc=1


© Capco 2025, A Wipro Company