SEC Rule 17a-4 & FINRA Rules and Regulations

FINRA Regulatory Notice 12-29, SEC Approves New Rules Governing Communications With the Public, includes details on the new SEC-approved FINRA rules governing broker-dealers’ communication with the public. The rules went into effect on February 4, 2013.

Included in the changes is a reduced number of communication categories from six down to three: retail communication, institutional communication and correspondence.

• Retail Communication: Any written (including electronic) communication that is distributed or made available to more than 25 retail investors within any 30 calendar-day period.
• Institutional Communication: Any written (including electronic) communication that is distributed or made available only to institutional investors, but does not include a member’s internal communications.
• Correspondence: Any written (including electronic) communication that is distributed or made available to 25 or fewer retail investors within any 30 calendar-day period.

Helpful Links:
An executive summary of Regulatory Notice 12-29 from FINRA
PDF of FINRA 12-29

FINRA Regulatory Notice 11-39 (guidance on social networking websites and business communications) is a response to January 2010’s FINRA Regulatory Notice 10-06, addressing questions regarding the application of the rules since 10-06’s publication. The notice is presented in Q&A format and covers four sections: recordkeeping, supervision, third-party posts, third-party links and websites, and accessing social media sites from personal devices.

Highlights include:

• Content is determinative – whether a particular communication is related to the business of the firm (and subsequently if it should be archived or not) depends upon the facts and circumstances. It does not depend on the type of device or technology used to transmit the communication.
• Firms are required to retain, retrieve and supervise business communications regardless of whether they are conducted from a work-issued device or personal device.
• Business-related content on personal sites should be addressed via policy.
• Interactive content may also become static content.

Helpful Links:
Regulatory Notice 11-39 – Guidance on Social Networking Websites and Business Communications from FINRA

Regulatory Notice 11-32 provides questions and answers from FINRA regarding the application of the new rule to assist member firms in the implementation of new FINRA Rule 4530 requirements (as explained in FINRA Regulatory Notice 11-06). In addition, FINRA Regulatory Notice 11-32 provides the definition of tweets and text messages being “written” material.

Helpful Links:

Summary of the Notice 11-32 from FINRA
The Full PDF of Notice 11-32

FINRA Regulatory Notice 10-59 includes amendments to FINRA rule 8210 which requires broker-dealers to:

• Encrypt electronic data on physical media (CD-ROMs, portable hard drives, flash drives) sent to the self-regulatory organization.
• Provide FINRA staff with the confidential decryption process or key in a separate communication.

The effective date of these amendments was December 29, 2010. FINRA views industry standards for strong encryption to be 256-bit or higher.

Helpful Links:
FINRA Regulatory Notice 10-59
Full Notice in .pdf format
FINRA Rule 8210

Using social media Web sites, such as blogs and social networking sites, for business and personal communications is becoming more frequent. Firms have asked FINRA staff how the FINRA rules governing communications with the public apply to social media sites that are sponsored by a firm or its registered representatives. This Notice provides guidance on blogs and social networking websites to firms regarding these issues.

Helpful Links:
Documentation from FINRA for Regulatory Notice 10-06

Similar to FINRA Regulatory Notice 10-06, FINRA Regulatory Notice 07-59 is titled “Supervision of Electronic Communications.” This regulatory notice provides guidance regarding the review and supervision of electronic communications.

Key observations:

“…a member firm’s obligations to supervise electronic communications are based on the content and audience of the message, rather than the electronic form of the communication.”

“FINRA expects a firm to have supervisory policies and procedures to monitor all electronic communications technology used by the firm and its associated persons to conduct the firm’s business.”

Helpful Links:

An executive summary on FINRA.org

A party must, without awaiting a discovery request, provide to the other parties – the name and address of each individual likely to have discoverable information. a copy – or a description by category and location – of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses, unless the use would be solely for impeachment; a computation of each category of damages claimed by the disclosing party – who must also make available for inspection and copying as under Rule 34 the documents or other evidentiary material, unless privileged or protected from disclosure, on which each computation is based, including materials bearing on the nature and extent of injuries suffered; and for inspection and copying as under Rule 34, any insurance agreement under which an insurance business may be liable to satisfy all or part of a possible judgment in the action or to indemnify or reimburse for payments made to satisfy the judgment.

Helpful Links:
FRCP Rule 26 text

FDA Title 21 CFR Part 11 of the Code of Federal Regulations deals with the Food and Drug Administration (FDA) guidelines on electronic records and electronic signatures in the United States. Part 11 requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data that are:
(1) required to be maintained by the FDA predicate rules or;
(2) used to demonstrate compliance to a predicate rule.

People using closed systems to modify, create, maintain, or transmit electronic records must employ, at a minimum, procedures and controls designed to conduct the following:
(1) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records;
(2) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency;
(3) Record protection enabling accurate and ready retrieval throughout the retention period;
(4) Limiting system access to authorized individuals;
(5) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. This documentation must be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
(6) Use of operational system checks enforcing permitted sequencing of steps and events, as appropriate;
(7) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand;
(8) Use of device checks to determine, as appropriate, the validity of the source of data input or operational instruction;
(9) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks;
(10) Establishing and adhering to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification;
(11) Use of appropriate controls over systems documentation

Link to Regulation: https://www.ecfr.gov/cgi-bin/text-idx?SID=a1b54a9b011485769b05296e648addd1&mc=true&node=pt21.1.11&rgn=div5

The Fair & Accurate Credit Transactions Act of 2002 (FACTA) amended the Fair Credit Reporting Act. FACTA allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies (Equifax, Experian and Trans Union). In cooperation with the Federal Trade Commission, the three major credit reporting agencies set up the website, annualcreditreport.com, to provide free access to annual credit reports. The act also contains provisions to help reduce identity theft, such as the ability for individuals to place alerts on their credit histories if identity theft is suspected, or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult. Further, it requires secure disposal of consumer information.

Link to Act: https://www.ftc.gov/enforcement/statutes/fair-accurate-credit-transactions-act-2003

Markets in Financial Instruments Directive (MiFID) article 51(3) is a European Union law that provides harmonised regulation for investment services across the 31 member states of the European Economic Area. The main objectives of the Directive are to increase competition and consumer protection in investment services.

If a firm performs investment services and activities, it is subject to MiFID in respect both of these and also of ancillary services (and it can use the MiFID passport to provide them to member states other than its home state). However if a firm only performs ancillary services, it is not subject to MiFID (but nor can it benefit from the MiFID passport).

MiFID covers almost all tradable financial products with the exception of certain foreign exchange trades. This includes commodity and other derivatives such as freight, climate and carbon derivatives, which were not covered by ISD.

MiFID article 51(3) establishes that competent authorities shall draw up and maintain a list of the minimum records investment firms are required to keep under MiFID and its implementing measures. The list of minimum records to be kept includes the following communications items:

• Marketing communications (except in oral forms)
• The firm’s business internal communications — includes Records provided for under Art. 5 (1)f of On the business and organization
• Firm’s Compliance procedures
• Complaints records
• Complaints handling
• Records of prices quoted by systematic internalisers
• Records of personal transactions
• Record of the information disclosed to clients regarding inducements
• Investment advice to retail clients

For more information:  https://www.esma.europa.eu/databases-library/interactive-single-rulebook/mifid-ii

The Government in the Sunshine Act is a 1976 U.S. law intended to create greater transparency in government. It requires all meetings that are conducted by federal agencies be open to the public unless it falls into one of the Sunshine Act’s ten exemptions.

Sunshine Act § 1612.10 outlines the recordkeeping requirements for federal agencies under the Act.

• 1612.10(a) states that in the case of a meeting or portion of a meeting that is closed to the public, the Executive Secretary of the agency must maintain the following records:
  (1) The certification of the Legal Counsel pursuant to § 1612.9 of the Sunshine Act;
  (2) Statement from the presiding officer of the meeting setting forth the time and place of the meeting, and the people present;
  (3) Complete electronic recording adequate to record fully the proceedings of each meeting closed to the public, except a meeting that falls under one of the exceptions, the agency may maintain minutes in lieu of a recording. Minutes must fully and clearly describe all matters discussed and must provide a full and accurate summary of any actions taken, and the reasons, including a description of each of the views expressed on any item and the record of any roll call vote. All documents considered in connection with any item shall be identified in the minutes.
• 1612.10(b) states that if the agency has determined that the meeting or meeting portion(s) may properly be closed to the public, the electronic recording or minutes may not be made available to the public until a time, if any, when it is determined by the Commission that the reasons for closing the meeting no longer pertain.
• 1612.10(c) states that the agency must maintain a copy of electronic recordings or minutes for 2 years after the meeting or until one year after conclusion of the proceeding related to the meeting, whichever is later.

State sunshine laws are the laws in each state that govern public access to governmental records. These laws are sometimes known as open records laws or public records laws, and are also collectively referred to as FOIA laws, after the federal Freedom of Information Act.

Link to Regulation: https://www.law.cornell.edu/cfr/text/29/1612.10

The Freedom of Information Act (FOIA), 5 U.S.C. § 552, is a federal law allowing for the full or partial disclosure of previously unreleased information and documents controlled by the United States government. The Act defines agency records subject to disclosure, outlines mandatory disclosure procedures and grants nine exemptions to the statute.

FOIA applies to any information in an agency record, excluding information encompassed by the nine exemptions, regardless of format.

Agencies must make available for public inspection in an electronic format:
(1) Final judicial opinions, including any dissent and concurrences, and orders made in the adjudication of cases;
(2) Statements of policy and interpretations adopted by the agency and not published in the Federal Register;
(3) Administrative staff manuals and instructions to staff that affect members of the public;
(4) Copies of all records, regardless of format that (a) have been released to someone pursuant to a FOIA records request; (b) because of the subject matter’s nature, the agency has determined the record will likely be requested frequently; or (c) has been requested 3 or more times; and
(5) A general index of all records referred to in point 4 above.

Link to Regulation: https://www.law.cornell.edu/uscode/text/5/552

The Federal Financial Institutions Examination Council (FFIEC) final guidance (attached and excerpted below) on social media was published on Dec. 11, 2013. The FFIEC is comprised of six supervisory agencies, and guidance applies to all of them. They are:

• Office of the Comptroller of the Currency (OCC)
• Board of Governors of the Federal Reserve System (Board)
• Federal Deposit Insurance Corporation (FDIC)
• National Credit Union Administration (NCUA)
• Consumer Financial Protection Bureau (CFPB)
• State Liaison Committee (SLC)

Banks, credit unions, and mortgage lenders are all required to comply with FFIEC guidelines.

According the guidelines, a financial Institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. An overview of the specific

• A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities;
• Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;
• A risk management process for selecting and managing third-party relationships in connection with social media;
• An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
• An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
• Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and
• Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

For more information:  https://www.ffiec.gov/

The Federal Energy Regulatory Commission (FERC) Compliance Order No. 717, codified in 18 CFR Part 358, requires that all emails, voicemail, text messages and other communication between transmission providers’ transmission function employees and marketing function employees must be retained for five years.

FERC Regulations 18 CFR Part 35 & Part 284. An electronic data retention policy is required by these regulations for each entity under its jurisdiction. Data must be archived encrypted to WORM (write once read many) media. Based on wholesale vs. retail criteria, this data must be archived and available for a 5 to 6 year time period. Industries affected are Public Utilities, Natural Gas Companies, Electric Producers, Gas & Oil Production and Training.

FERC will put heavy emphasis on whether firms are taking precautionary compliance measures with focuses on:
(1) Senior management’s role in fostering compliance programs
(2) Preventative practices to ensure compliance
(3) Detection and reporting of non-compliant activity
(4) Reactive efforts to remedy compliance violations

Links to CFR Parts:
Part 358: https://www.ecfr.gov/cgi-bin/text-idx?SID=860f3db633b732c52378235e5bd27af6&mc=true&node=pt18.1.358&rgn=div5
Part 35.41: https://www.ecfr.gov/cgi-bin/text-idx?SID=cebb6afb34ef37fb73d3316243f442e9&mc=true&node=pt18.1.35&rgn=div5#sp18.1.35.b

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was adopted to ensure health insurance coverage after leaving an employer and also to provide standards for facilitating health-care–related electronic transactions. To improve the efficiency and effectiveness of the health-care system, HIPAA included administrative simplification provisions that required DHHS to adopt national standards for electronic health-care transactions (2). At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated adoption of federal privacy protections for certain individually identifiable health information. The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) (3) provides the first national standards for protecting the privacy of health information. The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records.

Helpful Link:
HIPAA Privacy Rule from the HHS website.

FINRA Rule 4514 requires a firm or associated person to get a customer’s express written authorization before obtaining from the customer, or submitting for payment, a negotiable instrument on the customer’s checking, savings, share, or similar account.

Firms must preserve this written authorization, when the customer’s signature is not on the negotiable instrument. This record must be retained for 3 years following the date the authorization expires.

Link to Rule: http://finra.complinet.com/en/display/display.html?rbid=2403&element_id=9960

Helpful Link: http://finra.complinet.com/en/display/display.html?rbid=2403&element_id=10105

FINRA Rule 3170 requires firms to establish, enforce, and maintain written procedures supervising telemarketing activities of all its registered persons, including recordings of the conversations.

Link to Rule: http://finra.complinet.com/en/display/display_main.html?rbid=2403&element_id=11348

Helpful Link: http://finra.complinet.com/en/display/display.html?rbid=2403&element_id=11470

The Securities Exchange Act of 1934 (SEA) created the Securities Exchange Commission (SEC). It empowers the SEC with broad authority over all aspects of the securities industry and to require companies with publicly traded securities to periodically report information.

The SEA requires security-based swap execution facilities, large traders, security-based swap dealers, major security-based swap participants to retain records. These requirements can be found in the following sections:
(1) 3D(d)(9) – Security-Based Swap Execution Facilities;
(2) 13(h)(2) – Large Traders;
(3) 13A – Security-Based Swap Dealers;
(4) 15C(f)(2) – Government Securities Brokers and Dealers; and
(5) 15F – Registration and Regulation of Security-Based Swap Dealers and Major Security-Based Swap Participants

Link to Regulation: http://legcounsel.house.gov/Comps/Securities%20Exchange%20Act%20Of%201934.pdf
Helpful Link: https://www.sec.gov/answers/about-lawsshtml.html

The Securities Act of 1933 has two objectives:
(1) “Require that investors receive financial and other significant information about securities being offered for public sale;” and
(2) “Prohibit deceit, misrepresentations, and other fraud in the sale of securities.”

The Securities Act of 1933 requires the registration of securities to enable disclosure of important financial information. Some securities exempted from the registration requirement include:
(1) Private offerings to a limited number of persons or institutions;
(2) Intrastate offerings;
(3) Offerings of limited size; and
(4) Securities of municipal, state, and federal governments.

Link to the Regulation: http://legcounsel.house.gov/Comps/Securities%20Act%20Of%201933.pdf
Helpful Link: https://www.sec.gov/answers/about-lawsshtml.html

FINRA Rule 7440(a)(4) describes what records must be maintained by FINRA Reporting firms regarding orders received or executed at its trading department. These records must include identification of:
(1) each registered person receiving the order directly from a customer;
(2) each registered person executing the order; and
(3) the department originating the order if it was originated by a member and transmitted manually to another department.

Under FINRA Rule 7440(a)(5) these records must be maintained for the period of time laid out in SEA Rule 17a-4(b).

Link to Rule: http://finra.complinet.com/en/display/display.html?rbid=2403&element_id=4434

Helpful Link: http://finra.complinet.com/en/display/display.html?rbid=2403&element_id=10105

FINRA Rule 4513 requires firms to preservce records of written customer complaints at each office of supervisory jurisdiction. This rule clarifies that the requirement only applies to complaints relating to that specific office or activities supervised from that office. These records must be retained for at least four years.

Firms may maintain these records either at the office of supervisory jurisdiction or make them available promptly to a separate office upon FINRA’s request.

Link to Rule: http://finra.complinet.com/en/display/display.html?rbid=2403&element_id=9959

Helpful Link: http://finra.complinet.com/en/display/display.html?rbid=2403&element_id=10105

In the UK, the Financial Conduct Authority (FCA) has released a guidance consultation paper outlining its supervisory approach to financial promotions in social media. This guidance contains no rules or record keeping requirements but is a useful summary of relevant rules and an indication of FCA’s supervisory expectations. The paper is intended to help firms understand how they can use social media and meet the FCA’s financial promotion and record-keeping rules. The five main tenets of the guidance include:

• Follow the basic rule: Be fair, clear and not misleading.
• Under the FCA definition, any form of communication, including social media, has the potential to be considered a financial promotion—if it includes an invitation or incentive to engage in financial activity.
• Firms should make consumers aware of the potential benefits and risks of a financial product.
• Each tweet, Facebook post, web page or other social communication needs to be considered individually, and must comply with the relevant rules.
• Firms are responsible for their own communication, but not for messages included in a social media share or forward of their communication. If a consumer re-tweets a firm’s tweet, responsibility lies with the communicator, not the firm.

FINRA 2210(b)(4)(A) outlines the recordkeeping requirements for retail and institutional communications. These mirror current recordkeeping requirements and incorporates by reference the medium, retention period, and recordkeeping format included in SEA Rule 17a-4. Such records must include:
– A copy of the communication and the dates of first and (if applicable) last use;
– The name of any registered principal who approved the communication and the date that approval was given;
– In the case of a retail communication or institutional communication that is not approved prior to first use by a registered principal, the name of the person who prepared or distributed the communication;
– Information concerning the source of any statistical table, chart, graph or other illustration used in the communication; and
– For retail communications that rely on the exception under paragraph (b)(1)(C), the name of the firm that filed the retail communication with FINRA and a copy of the Advertising Regulation Department’s review letter.

FINRA Rule 2210(b)(4)(B) with respect to communications recordkeeping requirements cross-references NASD Rule 3010(d)(3) and FINRA Rule 4511.

Link to Rule: http://finra.complinet.com/en/display/display.html?rbid=2403&element_id=10648

The Markets in Financial Instruments Directive (MiFID) is an EU law that harmonizes EU regulation of investment services. MiFID’s objectives are to increase competition and consumer protection in investment services. In April 2014 the EU approved MiFID II, which expands the scope of MiFID and went into effect January 3, 2018.

MiFID II applies to financial services businesses undertaking MiFID business anywhere in the EU, as well as those providing services cross-border. This includes:
(1) Investment firms;
(2) Trading venues;
(3) Data reporting service providers; and
(4) Third country firms providing investment services or performing investment activities into the EU (either on a services basis or via a branch)

MiFID II Article 16 (6) requires an investment firm to arrange for records to be kept of all services, activities and transactions undertaken by the business, which must be sufficient to enable the competent authority to fulfil its supervisory tasks and to perform enforcement actions.

This includes all communications that are intended to result in a trade even if they ultimately do not.

MiFID II Article 16 (7) states that records must include the recording of telephone conversations or electronic communications and minutes from face-to-face meetings related to the reception, transmission and execution of orders on behalf of clients or on one’s own account. Article 16 (7) also requires records to be kept for a period of 5 to 7 years (depending on the jurisdiction) and states that records must be provided to the client involved upon request.

MiFID II para 57, 82, article 4 (62), article 25 (6) – requires records to be stored in a ‘durable medium’ that allows them to be replayed or copied. Records must be retained in a format that does not allow the original record to be altered or deleted. In addition, records should be stored in a searchable medium to ensure they are accessible and readily available upon request.

‘Durable medium’ is akin to WORM and is defined as allowing ‘the unchanged reproduction of the information stored.’ (Article 4(62)).

Requirements are defined further by the European Commission MiFID II explanatory memorandum.

Link to Regulation: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32014L0065
Helpful Link: https://www.hoganlovells.com/en/knowledge/topic-centers/mifid-ii/mifid-ii-texts

The FCA’s Investment Funds Sourcebook (FUND) and Collective Investment Schemes Sourcebook (COLL) set out requirements for managers and depositories of authorized and unauthorized investment funds. Record keeping requirements include those relating to minutes of meetings, records of units held. acquired or disposed of, subscription and redemption orders, issues and cancellations of units and overall general record keeping obligations to evidence compliance with rules and, for alternative investment funds, details of assets that are not custodial assets.

To view the FCA’s table of recordkeeping requirements found in COLL: https://www.handbook.fca.org.uk/handbook/COLL/Sch/1/1.html
Link to Handbook https://www.handbook.fca.org.uk/handbook/COLL/