
SEC Amendments to Electronic Recordkeeping Requirements for Broker-Dealers and Security-Based Swap Dealers (Including Bank SBSDs)

Client memorandum | October 26, 2022

  I. Background

The SEC has adopted amendments (the “Amendments”) to its broker-dealer (“BD”) and security-based swap dealer (“SBSD”; and together with BDs, “Firms”) electronic recordkeeping requirements.[1] Prior to the adoption of the Amendments, the rules regarding maintenance of records had hardly been updated in the last twenty-five years and had not kept pace with technological developments.[2] The SEC stated that the Amendments are intended to (i) make its recordkeeping rules "technology neutral," such that they are compatible with future electronic recordkeeping innovations, (ii) improve electronic recordkeeping requirements and (iii) facilitate inspections and examinations. While the Amendments do not go as far as the CFTC did in 2017 by moving to a less prescriptive, principles-based approach,[3] the Amendments do provide meaningful alternative methods of complying with the requirements relating to electronic recordkeeping systems.

Separate from the technology-related rules changes, the Amendments also impose new obligations on certain SBSDs utilizing electronic recordkeeping systems, which more closely conform the obligations imposed on SBSDs with those to which BDs are subject, as discussed in Section II.d below.

The remainder of this memorandum is organized as follows:

  • Section II.a addresses the Amendments’ requirements for electronic recordkeeping systems;
  • Section II.b addresses the Amendments to contractual relationships and other obligations of Firms relating to electronic recordkeeping systems;
  • Section II.c addresses ancillary changes made by the Amendments;
  • Section II.d addresses the application of the Amendments to SBSDs;
  • Section II.e details the Amendments’ compliance dates;
  • Section III concludes with a review of the Amendments in light of recent enforcement actions; and
  • The Appendix contains the SEC’s chart summarizing the Amendments.

  II. Summary of the Amendments

  a. Technical Requirements for Electronic Recordkeeping Systems

  i. General Applicability of the Amendments

As to technology, the Amendments primarily allow for alternative means to satisfy existing obligations, rather than impose new requirements, and thus permit BDs to keep their existing systems largely unchanged (though we believe the new alternatives are materially less burdensome than existing requirements and thus expect many Firms to make use of these alternatives).

  ii. Audit-Trail and WORM Requirements

Under the current rules, electronic storage media must satisfy the WORM requirement, meaning that BDs keeping records electronically must have a system that preserves records exclusively in a non-rewritable, non-erasable format.[4] The Amendments introduce an audit-trail requirement as an alternative to the WORM requirement.

The audit-trail requirement does not prescribe a specific technology; rather, it requires that the electronic recordkeeping system being used preserve the records in a manner that maintains a complete time-stamped audit trail that includes:

“(1) All modifications to and deletions of the record or any part thereof; (2) The date and time of actions that create, modify, or delete the record; (3) If applicable, the identity of the individual creating, modifying, or deleting the record; and (4) Any other information needed to maintain an audit trail of the record in a way that maintains security, signatures, and data to ensure the authenticity and reliability of the record and will permit re-creation of the original record if it is modified or deleted.”[5]

Importantly, the Adopting Release states that the audit-trail requirement is not intended to impose a new requirement to create additional records and only applies to final records required to be kept, rather than to “drafts or iterations of records” not required to be preserved under the rules.[6]

  iii. Additional Technology-Related Requirements

The Amendments make a number of additional changes to existing recordkeeping system requirements.[7]

  • Verification. The current rules require that the system verify automatically the quality and accuracy of the storage media recording process.[8] The Amendments require (i) that the verification be of completeness rather than quality and (ii) that the process for storing and retaining records be verified, not just the recording process.[9]
  • Serialization. The current rules require that the system serialize both original and duplicate units of the storage media and track the retention periods of retained data.[10] The Amendments provide that the serialization requirement only applies to systems using optical disks to satisfy the WORM requirement.[11]
  • Download and Transfer. The current rules require that the system have capacity to readily download the index and records preserved on it to any medium acceptable under the rules as required by the regulators.[12] The Amendments remove references to indexes and require that the system be able to download and transfer stored records and any associated audit trail in both (i) a format that is readable by humans, and (ii) a reasonably usable electronic format.[13]
  • Backup or Redundant System. The current rules require that Firms utilizing electronic storage media store a duplicate copy of each record separately from the original on an acceptable medium for the duration of the relevant retention period.[14] The Amendments require that electronic recordkeeping systems either (i) include a backup electronic recordkeeping system (which satisfies the other requirements of the rules) that will serve as a redundant set of records if the original system is inaccessible or (ii) have other redundancy capabilities designed to ensure access to the records.[15]

  b. Requirements for Firms Using Electronic Recordkeeping Systems

  i. Designated Executive Officer or Third Party

The current rules require a Firm using electronic storage media for some or all of its recordkeeping to (i) have a third party (the “Designated Third Party”) with access and the ability to download information from the Firm’s electronic storage media to any medium acceptable under the relevant rules and (ii) have such Designated Third Party file an undertaking with the SEC agreeing to provide regulators with information necessary to download information kept on the Firm’s recordkeeping systems and to take reasonable steps to provide access to information contained on the Firm’s systems, including by the Designated Third Party downloading records in the event the Firm fails to do so upon request from a regulator.[16] The Amendments allow a Firm to designate an executive officer of the Firm (the “Designated Executive Officer” or “DEO”), with certain individuals providing support, in lieu of a Designated Third Party.[17]

The DEO must be a member of senior management who has access to, and the ability to provide, records directly or through a designated specialist who reports directly or indirectly to the DEO.[18] Additionally, the DEO can appoint up to two designated officers to fulfill the DEO’s obligations in the event the DEO is unable to do so.[19] The DEO’s appointment of a designated officer or designated specialist does not satisfy the DEO’s ultimate obligations under the rules.

The Amendments require the DEO or Designated Third Party to file an undertaking with the regulator agreeing, among other things, to promptly furnish information, to download copies of a record and its audit trail in a human readable and electronic format, and to take reasonable steps to provide access to information in an acceptable format.[20] As the Amendments modify the form of the undertakings applicable to BDs electing to use the Designated Third Party option, a BD using this option will need to file updated undertakings with its Designated Examining Authority.[21]

  ii. Requirements for Certain Third Parties that Maintain Firms’ Records

While the current rules require a third party preparing or maintaining records on a Firm’s behalf to file an undertaking with the regulators agreeing to permit examination of books and records and promptly furnish copies of such records (the “Traditional Undertaking”), the Amendments provide a new option for Firms utilizing recordkeeping services from cloud service providers that maintain such Firms’ records.[22] Specifically, the Amendments permit a cloud service provider to make an alternative undertaking tailored to how cloud service providers maintain records (“Alternative Undertaking”).[23] The Amendments permit filing the Alternative Undertaking if (i) the relevant records are maintained and preserved by means of an electronic recordkeeping system utilizing servers or other storage devices that are owned or operated by a third party (including an affiliate of the Firm)[24] and (ii) the Firm has independent access to the records.[25] The Amendments do not change the fact that the ultimate responsibility to prepare and maintain records remains with the Firm.[26]

In the Alternative Undertaking, the third party must acknowledge (i) that the records are the property of the Firm, and (ii) that the Firm has made representations to the third party that the Firm is subject to SEC rules, has independent access to the records, and consents to the third party fulfilling the obligations set forth in the Alternative Undertaking.[27] In addition to the acknowledgements, the third party must undertake to facilitate, within its ability, the examination, access, download, or transfer of the records by the SEC or its designee (e.g., FINRA). The third party also must undertake to facilitate, within its ability, a trustee appointed under SIPA to liquidate the broker-dealer in accessing the records as permitted under the law.[28]

  iii. Additional Requirements for Firms

  • Facilities to Produce Records. The current requirements for BDs relating to examinations of records require BDs to provide “facilities for immediate, easily readable projection or production of micrographic media or electronic storage media images and for producing easily readable images.”[29] The Amendments remove references to outdated technology and processes (i.e., projecting micrographic media) and require Firms at all times to have available, for examination by regulators, facilities for immediate production of records stored on the electronic recordkeeping system and for producing copies of such records.[30]
  • Ability to Provide Records Stored Electronically. The current rules require BDs to immediately provide any facsimile enlargement the regulators request.[31] The Amendments remove references to outdated technology and processes (i.e., facsimile enlargement) and require Firms to immediately provide regulators with records stored on an electronic recordkeeping system.[32]
  • Information to Access and Locate Records. The current rules require Firms to (i) organize and index information on original and duplicate systems, (ii) have such indexes available for examination and (iii) duplicate each index and store such duplicate separately.[33] Further, the current rules require Firms either to (i) maintain and promptly provide to regulators all information necessary to access records and indexes or (ii) place in escrow and keep current a copy of the physical and logical file format of the electronic storage system, the field format of all different information types written on the electronic storage system and the source code, together with the appropriate documentation and information necessary to access records and indexes.[34] The Amendments replace these requirements with the requirement to organize, maintain and promptly provide to regulators upon request all information necessary to access and locate records stored on electronic recordkeeping systems.[35]

  c. Other Amendments

  i. Definition of Electronic Recordkeeping System

The Amendments replace the terms “electronic storage media” in SEA Rule 17a-4(f) and “electronic storage system” in SEA Rule 18a-6(e) with the term “electronic recordkeeping system.” This term is defined as “a system that preserves the records in a digital format in a manner that permits the records to be viewed and downloaded.”[36] The definition does not require a specific technology for accessing such records (i.e., a computer), an omission intended to make the rules more technology neutral and resilient to future developments.[37] The Adopting Release also notes that the term “electronic recordkeeping system” is intended to refer to the technological means by which records are stored, accessed and retrieved, rather than to an overall supervisory system and broader recordkeeping obligations for Firms and their employees.[38]

  ii. Elimination of Notice and Representation Requirements

The Amendments eliminate the requirement that a BD using electronic storage media (i) notify its Designated Examining Authority and (ii) provide a representation (or obtain such representation from its vendor or an experienced third party) that the relevant system satisfies the relevant regulatory requirements.[39]

  d. Applicability of Amendments to SBSDs

SEA Rule 18a-6(e), the rule establishing requirements regarding electronic recordkeeping systems of SBSDs, diverged in a number of ways from the rules for BDs, including by not requiring (i) that records be kept in WORM format, (ii) that a third party be engaged to have access to the Firm’s records and (iii) that the SBSD notify the SEC if using electronic storage systems other than optical disk technology. The Amendments align (i) the obligations of SBSDs and BDs using electronic recordkeeping systems and (ii) the technological requirements for systems used by BDs and nonbank SBSDs not applying substituted compliance.

Specifically, the Amendments to the obligations of Firms utilizing electronic recordkeeping systems, including relating to accessing and producing records, filing certain undertakings, and facilitating inspections, will apply to all SBSDs, including bank SBSDs that are prudentially regulated.[40] The Amendments to technological requirements for electronic recordkeeping systems require non-prudentially regulated SBSDs not availing themselves of substituted compliance to keep records on a system that satisfies either WORM or the new audit trail requirements.[41]

  e. Compliance Dates

The compliance date for the amendments to Rule 17a-4 applicable to BDs is six months after the amendments are published in the Federal Register; the compliance date for the amendments to Rule 18a-6 applicable to SBSDs is twelve months after the amendments are published in the Federal Register.

  III. Conclusions

While the Amendments will generally be welcomed by Firms, and while they do not impose significant new obligations, Firms that take advantage of the alternative requirements must proceed with extreme caution. Records that have been maintained under the existing rules must still be maintained for the time required by the relevant regulations. If these records cannot be transitioned to the new recordkeeping systems, Firms making the transition must maintain their old systems for a substantial period going forward. The penalties for the loss of data, or the failure to maintain required data, can be very substantial, as illustrated by the over $1 billion of fines for recordkeeping violations that the SEC recently imposed.

Firms should also be mindful that while the Amendments generally provide new means to satisfy existing recordkeeping requirements, they also impose some new obligations. Firms will need to, among other things, (i) ensure that they are able to produce records in human readable and reasonably useable electronic formats, (ii) file revised undertakings relating to the use of Designated Third Parties or DEOs and (iii) file Alternative Undertakings (if using a cloud service provider).

Appendix[42]

The following table summarizes the electronic recordkeeping amendments to Rules 17a-4 and 18a-6:

| Provision | Rule 17a-4 (Current) | Rule 17a-4 (As Amended) | Rule 18a-6 (Current) | Rule 18a-6 (As Amended) |
| --- | --- | --- | --- | --- |
| DEA Notification | Required | No longer required | Not required | Not required |
| WORM | Required | WORM or audit trail required | Not required | WORM or audit trail required for nonbank SBS Entities |
| 3rd Party Undertaking Regarding Electronic Records | Required | 3rd Party or executive officer undertaking required | Not required | 3rd Party or executive officer undertaking required |
| Produce Electronic Records in a Reasonably Useable Format | Not required | Required | Not required | Required |
| Alternative Undertaking for Cloud Service Providers | Not permitted | Permitted | Not permitted | Permitted |

 


[1] Securities & Exchange Commission (“SEC”), Release No. 34-96034: Electronic Recordkeeping Requirements for Broker-Dealers, Security-Based Swap Dealers and Major Security-Based Swap Participants (Oct. 12, 2022) (the “Adopting Release”).

[2] Although the SEC recordkeeping rules were updated in 1997 to allow for electronic storage, the 1997 amendments were still linked to specific, now outdated, technologies, namely “microfilm or microfiche” and “optical storage technology” (including certain forms of CD-ROM and optical tape). While the SEC released interpretive guidance in 2003 clarifying that other electronic storage systems such as magnetic disk could satisfy the requirement to preserve records “in a non-rewritable, non-erasable format,” (commonly referred to as “Write Once Read Many” (“WORM”)) “using integrated hardware and software codes,” the rules still required notifying an examining authority when using an electronic storage system “other than optical disk technology.” See Fried Frank Regulatory Intelligence, SEC Adopts Recordkeeping and Reporting Requirements for Security-Based Swaps Dealers (Sept. 19, 2019). The practical effect of the requirement was that many BDs used optical storage technology to satisfy regulatory requirements, despite such systems having “little or no business use” and being systems that “regulators almost never use.” SEC Commissioner Hester M. Peirce, Speech, Burying the Technologically Primitive WORM: Open Meeting on Broker-Dealer Electronic Recordkeeping Requirements (Oct. 12, 2022) (“Commissioner Peirce’s Statement”). The SEC has acknowledged that during the ordinary course of an examination, “firms generally retrieve and produce records from their business-based electronic recordkeeping systems rather than from their WORM-compliant electronic recordkeeping systems” and that SEC staff rarely requests that records be produced from WORM-compliant systems, except for when alteration of records is suspected. Adopting Release at 20.

[3] See Commodity Futures Trading Commission (“CFTC”), Recordkeeping, 82 FR 24479 (May 30, 2017), which eliminated the CFTC requirement that files be kept in WORM format and instead required that documents be retained “in a form and manner that ensures the authenticity and reliability” of such records. SEC Commissioner Peirce supported the more principles-based approach taken by the CFTC, expressing the concern that the Amendments are overly prescriptive to address future technological changes and that the “audit trail [requirement] is to 2022 what WORM was to 1997.” See Commissioner Peirce’s Statement.

[4] Securities Exchange Act (“SEA”) Rule 17a-4(f)(2)(ii)(A).

[5] Adopting Release at 131. The Adopting Release notes that the requirement to include the date and time of actions that create, modify, or delete the record, “is intended to encompass both human-initiated and automated actions that create, modify, or delete the record.” As to the requirement that the audit trail include, if applicable, the identity of the individual creating, modifying, or deleting the record, “[t]he identity of the individual can be reflected in the audit trail as a unique identifier for the individual.” Adopting Release at 23.

[6] Adopting Release at 24. For example, in the case of blotters containing an itemized daily record of purchases and sales, the audit-trail requirement would apply to the daily record that is produced, not each iteration of the data flowing in throughout the day before the record is created. Adopting Release at 25.

[7] The Amendments to these requirements are primarily clarifications and practical updates; it is likely that Firms’ existing recordkeeping systems satisfy these requirements as amended.

[8] SEA Rule 17a-4(f)(2)(ii)(B).

[9] Adopting Release at 28.

[10] SEA Rule 17a-4(f)(2)(ii)(C).

[11] Adopting Release at 28. The Adopting Release states that “[t]he serialization and time-date requirements remain necessary to the extent that optical disks are used to store records electronically as the serial number and time-date stamp are used to distinguish one disk from another and to associate the records stored on the disk with that specific storage unit.” Adopting Release at 29.

[12] SEA Rule 17a-4(f)(2)(ii)(D).

[13] The Adopting Release provides that a human readable format is one that “can be naturally read by an individual” and that a “reasonably usable” electronic format is one that is commonplace and “compatible with commonly used systems[.]” Adopting Release at 29. While this seems to be an update focusing on technological neutrality, it is worth noting that the Adopting Release emphasizes the importance of producing machine-readable electronic records in a format that “will permit the records to be searched and sorted using a computer.” The Adopting Release gives the example of producing a pdf of a voluminous spreadsheet as not appropriate. Adopting Release at 30-31.

[14] SEA Rule 17a-4(f)(3)(iii).

[15] The Adopting Release notes that the SEC declined to impose specific redundancy requirements, such as having the records be stored in a geographically removed location. Adopting Release at 35. While the Adopting Release notes that geographic separation of hardware components may be an aspect of achieving redundancy, the Adopting Release gives the example of satisfying the redundancy requirement by simply creating two copies on optical disk, with each disk containing the same set of records, with no mention of other factors. Adopting Release at 33.

[16] SEA Rule 17a-4(f)(3)(vii).

[17] Adopting Release at 50. The SEC provided the option to utilize a DEO to address the concern that having a third party perform such download function may expose “firms to data leakage and cybersecurity threats.” However, in order to accommodate Firms that prefer to outsource this function and do not have cybersecurity risk concerns, the Amendments retain the option to utilize a Designated Third Party. Adopting Release at 48-51.

[18] Adopting Release at 51. The Designated Executive Officer may appoint in writing up to three designated specialists. A designated specialist must be an employee of the Firm who has access to and the ability to provide records maintained and preserved on the electronic recordkeeping system. The Adopting Release emphasizes that the designated officer will not need to personally have every password as well as personal knowledge of every records repository, but rather every Firm should have documentation identifying the locations where records are stored, and the officer should have and be able to rely on such information, as well as be able to rely on designated officers or specialists to provide details like passwords needed to access records. Adopting Release at 53-54.

[19] Adopting Release at 52. A designated officer must be an employee of the BD or SBSD who reports directly or indirectly to the DEO and who has access to and the ability to provide records maintained and preserved on the electronic recordkeeping system either directly or through a designated specialist who reports directly or indirectly to the designated officer.

[20] Adopting Release at 134-135.

[21] Adopting Release at 54. Among other things, the revised undertaking addresses audit trails for records and providing records in both human readable and reasonably usable electronic formats.

[22] SEA Rule 17a-4(i). The Adopting Release noted that commenters emphasized that cloud service providers were unable to make the Traditional Undertaking, as cloud storage is similar to storing records in-house and it is generally not possible for the service provider to produce records, as such files are often encrypted and only accessible by the Firm, in direct contrast with traditional records custodians, who would control access to the records they maintain. Adopting Release at 57.

[23] The Traditional Undertaking included “a provision whereby the third party agrees, among other things, to permit examination of the records by representatives or designees of the Commission as well as to promptly furnish to the Commission or its designee true, correct, complete, and current hard copies of any or all or any part of such books and records.” Adopting Release at 56.

[24] The Alternative Undertaking is not relevant for records maintained in paper format or on micrographic media.

[25] Independent access is defined as the Firm being able to regularly access the records without the need of any intervention by the third party and being able to unilaterally take actions with respect to the records held by the third party. Adopting Release at 61.

[26] Adopting Release at 57.

[27] The Adopting Release notes that, functionally, the BD “must have the same access to the records and capability to produce the records that would be the case if the [BD or SBSD] held the records itself and not at a third party.” Adopting Release at 62.

[28] Adopting Release at 138.

[29] SEA Rule 17a-4(f)(3)(i). The corresponding SBSD recordkeeping requirement in SEA Rule 18a-6(e)(3)(i) is that SBSDs have “facilities for immediate, easily readable projection or production of records or images maintained on the electronic storage system and for producing easily readable representations of those records or images.”

[30] The Adopting Release notes that this change is not intended to alter how the regulators conduct examinations, but rather to make the rule technology neutral. Adopting Release at 38-39. 

[31] SEA Rule 17a-4(f)(3)(ii). The corresponding SBSD recordkeeping requirement in SEA Rule 18a-6(e)(3)(ii) is that SBSDs “be ready at all times to immediately provide in a readable format any record or index” the regulators request.

[32] Adopting Release at 40.

[33] SEA Rule 17a-4(f)(3)(iv) and SEA Rule 18a-6(e)(3)(iv).

[34] SEA Rule 17a-4(f)(3)(vi) and 18a-6(e)(3)(vi).

[35] Adopting Release at 45-47. The Adopting Release notes that the information needed to locate the record is intended to address whatever means a particular system utilizes to organize records (e.g., indexes or data fields) and is not intended to alter the existing examination process. Adopting Release at 46-47.

[36] Adopting Release at 15.

[37] Adopting Release at 14. The important part of this requirement is that the records be kept in a digital format in a manner that permits both viewing and downloading of the records, regardless of whether the records are kept on a computer or some other technology.

[38] Adopting Release at 13.

[39] Adopting Release at 15-16.

[40] Adopting Release at 36.

[41] Adopting Release at 80-81. While this would seem to be a very substantial change, the Adopting Release notes that there are currently only two SBSDs that are not prudentially regulated and do not apply substituted compliance. Adopting Release at 81.

[42] Adopting Release at 9.

