Electronic storage rule amendments
C. Wallace DeWitt
Hilary Sunghee Seo
17 October 2022
The Securities and Exchange Commission, on October 12, 2022, adopted amendments to its books and records electronic storage requirements for broker-dealers and certain security-based swap entities (“SBSEs”). The final rule release can be found here. In general, the amendments are intended to modernize those requirements, make them technology neutral, and address the outdated write-once-read-many or “WORM” requirement that has plagued the industry for almost 25 years. While the rule amendments are in many respects a step in the right direction, they are far from ideal. Most notably on this point is the imposition of new electronic storage requirements on certain SBSEs.
- Provides an “audit trail” alternative to the historical WORM requirement – importantly this requires, among other things, that “the audit trail will permit re-creation of the original record if it is modified or deleted”
- Retains WORM as an option for firms to use either in whole or in part
- Requires both WORM and audit trail solutions to be in a human readable and reasonably usable electronic format – the application of this requirement to certain records may present difficulties for firms (for example, firms that have taken snapshots of their systems if such snapshots are not machine readable)
- Provides optionality with respect to the requirement to have a separate backup copy of required records by providing as an alternative the requirement to have “other redundancy capabilities that are designed to ensure access to the records required to be maintained and preserved pursuant to §§ 240.17a-3 and 240.17a-4”
- Provides optionality with respect to the undertakings that must be filed with a firm’s designated examining authority – importantly, while this provides an option to designate an internal officer to provide the undertakings instead of a third party, the internal officer option may be seen by some firms as complicated and difficult to implement
- Provides optionality with respect to the undertakings that are required to be provided by third-part storage providers that are intended to address challenges faced by some providers such as cloud storage providers that don’t have access to or the ability to provide records to regulators
- Reiterates the SEC’s position that contracts that include provisions permitting the service provider to withhold, delete, or discard a firm’s records required to be preserved (e.g., for non-payment) are in violation of the securities laws, as well as indicates that cloud service provider contracts may need to be amended to comply with the new undertaking requirements.
- SBSEs without a prudential regulator will, for the first time, be required to comply with the WORM requirement, the audit trail requirement, or selectively apply one of those requirements to required records
- The compliance period for broker-dealers is six months from publication in the Federal Register and twelve months for impacted SBSEs
What firms should do now:
Historically, many firms have struggled to comply with the WORM requirement for at least a portion of their required books and records. As a result, broker-dealers should begin reviewing how they currently store required books and records to determine compliance with the electronic storage requirements (including the requirement that WORM records be in a human readable and reasonably usable electronic format). For those records that they believe are in compliance with the historical requirements, assess whether any additional steps are required, including filing any updated undertakings that reflect the amended language in the rule and amending any contracts that require updating. For those records that are not stored correctly, firms should assess which option is preferable and then take steps to come into compliance. For example, if a firm’s accounting records have not been stored in WORM the firm should consider whether it is now preferable to implement the audit trail option to ensure compliance.
Impacted SBSEs likely face a more significant undertaking to comply with the new electronic storage requirements applicable to them. As a starting point, impacted SBSEs should inventory all required books and records that they make and maintain and how they are currently stored. Once the inventory is completed, they should develop an implementation plan or similar plan for addressing any required book and record that is not in compliance with the new electronic storage requirements.
All firms should move quickly to address any potential issues they may have with respect to how they store required books and records as the compliance periods are relatively short and there is no guarantee of an extension. In addition, the changes that firms may need to make to ensure compliance may be complex and time consuming to implement.