While the US Securities and Exchange Commission seeks to modernize electronic recordkeeping requirements in a technology-neutral manner, its proposed amendments are unclear as to the permissible use of the “cloud” or distributed ledger technology.
On November 18, 2021, the Securities and Exchange Commission (SEC) proposed amendments (Proposal) to the electronic recordkeeping requirements applicable to broker-dealers, security‑based swap dealers (SBSDs), and major security-based swap participants (MSBSPs).[1] Comments on the Proposal should be received on or before January 3, 2022.
The Proposal would amend the electronic record preservation and prompt production of records requirements under the Securities Exchange Act of 1934 (Exchange Act) as follows:
|
Rule 17a-4 (Broker-Dealers[2]) |
Rule 18a-6 (SBSDs and MSBSPs) |
|
|
New “Electronic Recordkeeping System” Definition |
Replacing the phrase “electronic storage media” with “electronic recordkeeping system” (and making conforming amendments throughout the rule)[3] |
Replacing the phrase “electronic storage system” with “electronic recordkeeping system” (and making conforming amendments throughout the rule) |
|
Elimination of Notice and Representation Requirements |
Eliminating the requirements that a broker-dealer (1) notify its designated examining authority (DEA) before employing an electronic recordkeeping system and (2) provide a representation, or a representation from the storage medium vendor or other appropriate third party, that the selected electronic storage medium meets specified conditions |
No current analogous requirement in Rule 18a-6(e) |
|
New “Audit-Trail Alternative” to WORM |
Adding an audit-trail alternative to the current requirement that electronic records be preserved exclusively in a non-rewriteable, non-erasable—also known as a “write once, read many” (WORM)—format. The audit-trail alternative would require that firms preserve electronic records in a manner that permits the recreation of an original record if it is altered, overwritten, or erased. |
Providing that electronic records can be preserved (1) exclusively in a WORM format or (2) in a manner that permits the recreation of an original record if it is altered, overwritten, or erased Would only apply to SBSDs and MSBSPs without a prudential regulator (non-bank SBS entities)[4] |
|
Modified Automatic Verification Requirement |
Modifying the requirement that electronic storage media verify automatically the quality and accuracy of the recording process to require that an electronic recordkeeping system verify automatically the completeness and accuracy of the process for storing and retaining records electronically |
Same Would only apply to non-bank SBS entities |
|
Serializing and Time-Dating Only Required for WORM Media |
Applying the requirement to (1) serialize the original and, if applicable, duplicate units of storage media and (2) time-date for the required period of retention the information placed on such electronic storage media, only if a broker-dealer uses optical disks as the storage media to meet the WORM requirement |
Requirement already exists under Rule 18a-6(e)(2) Would only apply to non-bank SBS entities |
|
Elimination of the Indexing Capacity Requirement; New “Human Readable Format” and “Reasonably Usable Electronic Format” |
Eliminating the requirement that electronic storage media have the capacity to readily download indexes and records preserved on the media to any medium acceptable under Rule 17a-4, and instead requiring an electronic recordkeeping system to have the capacity to (1) readily download and transfer copies of a record and its audit trail (if applicable) in both a human readable format and in a reasonably usable electronic format, and (2) download and transfer the information needed to locate electronic records. This furnishing requirement means the record would need to be produced in an electronic format that is compatible with commonly used systems for accessing and reading electronic records and in a form that an individual can naturally read. |
Same Would only apply to non-bank SBS entities |
|
Modified Production “Facilities” Language |
Replacing terms that are tied to micrographic media and optical disks (defined below) |
Replacing terms that are tied to optical disks |
|
Elimination of the “Facsimile Enlargement” Requirement |
Replacing the facsimile enlargement production requirement to require a broker-dealer to be ready at all times to provide immediately any record or information needed to locate records stored by means of the electronic recordkeeping system that the staffs of the SEC, SROs, and state securities regulators, as applicable, may request |
Same, although Rule 18a-6(e)(3)(ii) does not currently have a “facsimile enlargement” requirement |
|
Modified Duplicate Record Requirement |
Replacing the current requirement that a broker-dealer store separately from the original a duplicate copy of a record for the requisite time period, with a requirement to have a second electronic recordkeeping system that preserves a second set of records that can be accessed and examined if the primary electronic recordkeeping system storing the primary set of records is disrupted, malfunctions, or otherwise becomes inaccessible |
Same |
|
Elimination of the Indexing Requirement |
Eliminating the mandate to use indexes to organize and locate records stored on the systems, and instead requiring a broker-dealer to organize and maintain information necessary to locate records stored on its electronic recordkeeping systems |
Same |
|
Modified “Audit System” Requirement |
Eliminating the requirement that a broker-dealer have an audit system in place providing for accountability regarding the inputting of records, and replacing it with a requirement that the broker-dealer have in place an auditable system of controls that records, among other things, (1) each input, alteration, or deletion of a record; (2) the names of individuals inputting, altering, or deleting a record; and (3) the date and time such individuals input, altered, or deleted the record[5] |
Same |
|
Elimination of the Escrow Account Option Relating to Recordkeeping Files and Formats |
Eliminating the option for a broker-dealer to place in escrow and keep current a copy of the physical and logical file format of its electronic storage media, the field format of all different information types written on the electronic storage media and the source code, together with the appropriate documentation and information necessary to access records and indexes |
Same |
|
Elimination of Third-Party Access and Undertakings Requirements |
Eliminating the third-party access and undertakings requirements, and replacing them with a requirement that a senior officer of the broker-dealer, who has independent access to and the ability to provide the records, execute the undertakings and provide the access[6] |
Adding a requirement that a senior officer of the SBSD or MSBSP, who has independent access to and the ability to provide the records, execute the undertakings and provide the access[7] |
|
Preserving the Option to Use Micrographic Media |
The Proposal would retain the option for broker-dealers to use micrographic media. |
No current analogous language in Rule 18a-6(e) |
The current electronic record preservation requirements for broker-dealers under Rule 17a-4(f) under the Exchange Act date back to 1997, and, although intended to be technology neutral, were then guided by the predominant electronic storage method at the time—using optical platters, CD-ROMs, or DVDs (collectively, optical disks) (i.e., hardware solutions that permanently “burned” records onto optical disks).[8] The original requirements, and the WORM format requirement, in particular, have thus been subject to SEC interpretation over the years to account for changing systems norms.
For example, in 2003, an SEC interpretation announced that broker-dealers were not required to use optical disks to meet the WORM requirement. Instead, broker-dealers could use a system of “integrated hardware and software codes” that prevents the overwriting, erasing, or altering of a record during its required retention period, so long as the system did not solely mitigate the risk that records could be altered, overwritten, or erased.[9] Then, in 2019, in the release adopting Rule 18a-6 for SBSDs and MSBSPs, the SEC further refined its interpretation of the Rule 17a-4(f) WORM requirement, clarifying that relying solely on “a software solution that prevents the overwriting, erasing, or otherwise altering of a record during its required retention period would meet the requirements of the rule.”[10]
The SEC opted not to adopt a WORM requirement under Rule 18a-6 for SBSDs and MSBSPs in 2019, although it had proposed one. Instead, yielding to commenters, the SEC acknowledged that SBSDs and MSBSPs may already have electronic recordkeeping systems that would not meet the WORM requirement, and further stated that addressing any modifications to the WORM requirement under Rule 17a-4(f) would be more appropriately addressed in separate rulemaking.[11] The SEC also clarified that the final Rule 18a-6(e) would not require the use of a particular electronic storage “medium,” such as optical disks, instead opting to use the phrase “electronic storage system” because the latter phrase better characterizes a system that produces and preserves records electronically without being unduly prescriptive.
Industry efforts to persuade the SEC to liberalize what have long been viewed as technology-specific rules that are obsolete and measurably slowing the pace of firms’ adoption of innovative and dynamic communication technologies, in favor a “principles-based” requirement similar to what has been adopted by the Commodity Futures Trading Commission, have been ongoing. With the recent Proposal, the SEC is taking a step toward addressing some of these concerns about the WORM requirement, albeit stopping short of a principles-based approach.
Cloud-Based Storage:[12] Even though cloud-based storage solutions have proliferated over the years, the Proposal gives little shelf space to this innovation. The SEC does include in the Proposal a discussion regarding the permissible use of solely software-based systems that are designed to comply with Rule 17a-4(f), and in doing so cites to specific cloud-based solutions (which implicitly would appear to support cloud-based storage); however, the Proposal does not explicitly affirm the permissibility of using cloud-based storage to comply with firms’ recordkeeping and retention obligations. This may be a missed opportunity on the part of the SEC to provide clarity on an issue with which many firms may continue to struggle.
Distributed Ledger Technology: The Proposal is silent on whether blockchain or other distributed ledger technology could be used in furtherance of firms’ compliance under the proposed amendments. Rather than provide firms with clarity, if adopted as proposed, the amendments will likely result in firms seeking guidance from FINRA and the SEC on whether a particular type of technology or provider is acceptable.
Of course, firms would be obligated to determine for themselves whether a particular technology complies, but it would help the industry for the SEC to provide more specific guidance regarding whether—and the specific circumstances under which—distributed ledger technology can comply with any proposed amendments. Given the growing importance and focus on distributed ledger technology across the financial services industry,[13] it would be appropriate for the SEC to acknowledge the technology in order to give the industry comfort that its use could be compliant as it matures.
Redundancy: The Proposal’s requirement that firms have a second electronic recordkeeping “system” that preserves a second set of records that can be accessed and examined if the primary electronic recordkeeping system storing the primary set of records is disrupted, malfunctions, or otherwise becomes inaccessible may be pragmatic from the perspective of ensuring that books and records are not entirely lost; however, the SEC has provided little justification for prescribing that a second “system” be deployed. The industry may benefit from additional guidance as to what exactly might constitute a separate “system” and whether there are particular configurations of the primary and back-up systems that would render the back-up system not sufficiently separate. Moreover, while the Proposal refers to business continuity concerns, the Proposal does not discuss in any depth how the current duplicate record requirement under the rules has proven insufficient, particularly given FINRA’s requirements relating to business continuity plans.
The SEC should be commended for its effort to seek to modernize the electronic recordkeeping requirements under Exchange Act Rules 17a-4 and 18a-6. While the Proposal seeks to implement a number of important advancements, there are some additional considerations that the SEC might seek to address before finalizing the Proposal.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Boston
David C. Boch
New York
Ariel Gursky
Ben A. Indek
Philadelphia
Christine M. Lombardo
Washington DC
Amy Natterson Kroll
Ignacio A. Sandoval
Steven W. Stone
Karin Khominsky
Kyle D. Whitehead
[1] See Electronic Recordkeeping Requirements for Broker-Dealers, Security-Based Swap Dealers, and Major Security-Based Swap Participants, Exchange Act Release No. 93614 (Nov. 18, 2021), 86 FR 68300 (Dec. 1, 2021).
[2] As used in the SEC’s proposal and this LawFlash, the term “broker-dealer” includes broker-dealers that are also registered as SBSDs or MSBSPs.
[3] “Electronic recordkeeping system” would be defined in both Rule 17a-4(f) and Rule 18a-6(e) as “a system that preserves records in a digital format and that requires a computer to access the records.”
[4] Unlike nonbank SBS entities, bank SBS entities are subject to oversight and supervision by the banking agencies with respect to record preservation. The SEC explained that this oversight and supervision may now or in the future include regulations or guidance with respect to requirements for electronic recordkeeping systems that differ from the proposed requirements for electronic recordkeeping systems discussed in the Proposal.
[5] The phrase “auditable system of controls” would mean a system of controls that is documented and can be audited by internal or external examiners to determine whether the controls are operating as would be required by the rule.
[6] Independent access would mean the senior officer has the knowledge, credentials, and information necessary to access and provide the records without having to rely on other individuals at the firm.
[7] When adopting Rule 18a-6(e), the SEC did not include third-party access and undertakings requirements because commenters had noted that the requirement “was outdated in light of the changed technological environment” and that providing a third-party access to electronic recordkeeping systems and client information “needlessly exposes firms to data leakage and cybersecurity threats.”
[8] See Reporting Requirements for Brokers or Dealers under the Securities Exchange Act of 1934, Exchange Act Release No. 38245 (Jan. 31, 1997), 62 FR 6469 (Feb. 12, 1997) (“Rule 17a-4(f) Adopting Release”).
[9] See Electronic Storage of Broker-Dealer Records, Exchange Act Release No. 47806 (May 7, 2003), 68 FR 25281, 25282 (May 12, 2003).
[10] See Recordkeeping and Reporting Requirements for Security-Based Swap Dealers, Major Security-Based Swap Participants, and Broker-Dealers, Exchange Act Release No. 87005 (Sept. 19, 2019), 84 FR 68550 (Dec. 16, 2019) (“SBSD/MSBSP Recordkeeping Adopting Release”).
[11] See id.
[12] According to the SEC staff, “cloud storage” refers to the electronic storage of information on infrastructure owned and operated by a hosting company or service provider. See, e.g., Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features, Risk Alert, OCIE (May 23, 2019) (citing to The NIST Definition of Cloud Computing, Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-145 (Sept. 2011)).
[13] See, e.g., DTCC Drives Advancement of Distributed Ledgers, Blockchain, DTCC, at https://www.dtcc.com/blockchain (last visited Dec. 6, 2021).