Under the oversight of the SEC, FINRA protects investors in the United States by requiring broker-dealers to conduct fair financial market transactions. Compliance with the FINRA retention requirements helps broker-dealers secure the financial data they handle. Read on to learn what they are and how they apply.
FINRA Retention Requirements, Explained
The FINRA retention requirements are a subset of a broader set of regulations aimed at helping broker-dealers secure their customers’ financial data.
In this blog, we’ll discuss:
- An overview of FINRA and its regulatory authority
- A breakdown of the FINRA data retention requirements
Applying the guidelines listed in the FINRA retention requirements will help your company safeguard the privacy and confidentiality of customers’ data year-round, especially with the help of a FINRA compliance partner.
What is FINRA?
The Financial Industry Regulatory Authority (FINRA) is a regulatory body that oversees securities transactions and the New York Stock Exchange. FINRA is overseen by the Securities and Exchange Commission (SEC), which ensures these transactions remain fair for all investors.
FINRA’s essential functions include:
- Protecting investors as they conduct financial transactions
- Verifying the testing, qualification, and licensing of broker-dealers
- Ensuring the advertising of securities products is truthful
- Regulating the disclosure of investment products
Organizations that engage in securities transactions must comply with various categories of FINRA’s requirements.
When it comes to collecting, retaining, and disposing of customers’ data, broker-dealers are required to follow the guidelines stipulated in the FINRA retention requirements.
Breakdown of the FINRA Retention Requirements
Compliance with the FINRA retention requirements starts with understanding which records broker-dealers must retain. Per Section 17(a)(1) of the Securities Exchange Act of 1934, the SEC requires these organizations to store books and records for specified durations and in certain formats.
Broker-dealers are also required to comply with specific FINRA record retention rules, depending on the transactions they conduct.
In general, these FINRA document retention requirements include:
- Storing legible, accurate, and true copies of books and records to protect their integrity
- Maintaining stored books and records in three specific formats:
  - Paper
  - Micrographic media
  - Electronic storage media
- Retaining books and records according to your organization-specific policies, which are derived from the FINRA data retention requirements
Broker-dealer firms must also establish oversight systems to ensure their personnel fully comply with these FINRA record retention requirements. Furthermore, these firms must routinely test these processes to verify adherence to FINRA’s regulations.
Let’s further break down the FINRA retention requirements:
Electronic Storage Media Retention
When using electronic storage media (ESM), a broker-dealer firm must comply with these FINRA data retention requirements:
- Notifying its Designated Examining Authority (DEA) at least 90 days in advance of using ESM for the first time
- Proving to the DEA that the ESM is:
  - Retained in a non-rewritable, non-erasable format
  - Kept accurate and in the original quality
  - Time-dated and duplicated
- Establishing an audit system to differentiate between original and duplicate records
- Maintaining secured access to stored records and indexes, which must be provided to the SEC upon request
Compliance with these FINRA data retention requirements will help your company maintain the integrity and accessibility of books and records stored as ESM.
Outsourcing Records Retention
Broker-dealers can also use a third-party service to retain and maintain required securities records. When doing so, they must exercise oversight of the contracted party’s recordkeeping activities, ensuring these activities comply with the FINRA retention requirements.
FINRA requires broker-dealers to conduct due diligence to confirm that these third-party organizations implement reasonable cybersecurity safeguards to secure the securities data retained on their behalf.
Furthermore, the broker-dealer’s recordkeeping service must file a written undertaking with the SEC to detail this agreement. The broker-dealer is also required to disclose the terms of this agreement.
Electronic Communications Records Retention
When retaining records of communications about financial transactions, such as emails and instant messages, the FINRA record retention rules require broker-dealers to keep all the originals they have received for at least three years.
Communication records for the first two years must be kept in an easily accessible location. These requirements also apply to communications sent by the broker-dealer regarding “business as such” transactions.
Importantly, these requirements cover all external and internal communications pertaining to a broker-dealer firm’s business transactions, even when they are sent or received via a third party’s system or platform. In other words, firms must retain all emails regarding securities transactions, regardless of who sent them and from which platform.
Ultimately, data privacy and security are critical for every securities transaction your organization handles. Navigating the FINRA retention requirements and securing these transactions is much simpler when guided by a FINRA compliance advisor.
Comply with the SEC FINRA Requirements
By complying with the FINRA retention requirements, your organization will safeguard customers’ sensitive data against cybersecurity threats. Partnering with a FINRA/SEC compliance specialist will help you identify which data to retain—and in the right amounts.
To learn more about FINRA compliance, contact RSI Security today!