SEC Offers Alternative to Keeping WORM Books and Records for Brokers and Securities Exchange Entities | Goodwin

On November 18, 2021, the United States Securities and Exchange Commission (“SEC”) proposed changes to Rules 17a-4 and 18a-6 under the Securities Exchange Act of 1934 regarding record keeping requirements for dealers and certain securities exchange entities (“SBS”).[1] The industry could see a quick 2022 timeline for the SEC to adopt the proposed changes. In the meantime, brokers, SBS entities and record keeping providers should consider how this proposal could affect their record keeping systems and related practices, including internal and external data and information security.

PROPOSED CHANGES [2]

The proposal would modify the electronic document retention and rapid filing requirements of Rules 17a-4 and 18a-6. Among other things, it would:

  1. Provide an audit trail alternative to the current requirement that electronic brokerage records be kept exclusively in a non-rewritable, non-erasable format (also referred to as write-once, read-multiple, or “WORM” format).
  2. Eliminate third party access and engagement requirements for brokers and replace them with a requirement that at least one senior officer of the broker (or SBS entity) – with independent access and the ability to provide records – fulfill a commitment to provide, at the SEC’s request, a record and its audit trail (if applicable), which is to be maintained on an electronic record-keeping system in a “reasonably usable” electronic format.
  3. Eliminate the requirement for brokers to notify their designated review authority before using an electronic record keeping system.
  4. Require brokers and SBS entities to be ready at all times to deliver records stored on an electronic record keeping system. The changes would also replace current rules that require brokers and SBS entities to organize and index all information maintained on original storage media and any duplicate storage media, instead requiring only that the electronic record keeping system organize and retain the information necessary to locate the records.
  5. Require brokers and SBS entities to have a backup set of records when records are kept on an electronic record keeping system, which is similar to the current requirement for businesses to keep duplicate copies of records and store them separately from the originals. This suggests that the SEC will expect the broker or SBS entity to have a second electronic record keeping system that serves as a redundant source from which to retrieve records. Records stored on the electronic records backup system should be retained in accordance with the record retention requirements of Rules 17a-4 or 18a-6, as applicable.[3]

Under the proposed new audit trail alternative to WORM, a firm’s electronic record keeping system should retain records for the duration of their applicable retention periods so as to maintain a complete and time-stamped audit trail. The electronic record keeping system should have the ability to easily upload and transfer copies of a record and its audit trail (if applicable) in “human readable format” (i.e., a format that can be read naturally by an individual) or a “reasonably usable electronic format.” The audit trail should include the following information:

  1. All modifications and deletions of a record or any part of it;
  2. The date and time of entries and operator actions that create, modify or delete the record;
  3. The identity of the person(s) creating, modifying or deleting the record; and
  4. Any other information necessary to maintain an audit trail of each separate record in a manner that preserves security, signatures, and data to ensure the authenticity and reliability of the record and allows for the re-creation of the original record and intermediate iterations of the record.

OBSERVATIONS

Industry should generally view the proposal as a welcome attempt by the SEC to modernize record keeping requirements and address legacy constraints in this area. Nevertheless, the proposal seems to raise as many questions as it offers solutions.

  1. The proposal states that a “reasonably usable” electronic format is one that is common and compatible with systems commonly used to access and read electronic documents. In other words, a proprietary file format that is difficult to access or read by common systems would not be allowed. The SEC is seeking comment on the types of electronic record formats that should be considered reasonably usable, and any final rule would benefit from additional guidance as to what the SEC considers a reasonably usable electronic format.
  2. Eliminating third-party access and engagement requirements would mean that at all times, a broker or SBS entity must have at least one senior manager with independent access to – and the ability to provide – the records of the company to the SEC. The senior manager would also be required to fulfill the required commitments, similar to what is required of third party electronic document custodians under the current rules. Independent access would mean that “the senior manager has the knowledge, credentials and information necessary to access and provide the records” on his own, without having to rely on another person in the firm. If enacted, and given the widespread access that this requirement would demand of a senior executive, firms may consider developing and implementing senior management access policies to ensure that such access is only used in response to a regulatory request or for other valid firm or regulatory purposes. This is especially true for companies that separate business and regulatory decisions and access to information. It may also be difficult (if not impossible) for one person in a company to meet these commitments individually. In other words, businesses don’t work that way. This element of the proposal also raises data and information security considerations, including apparently ignoring the long-established principle of “least privilege” (i.e., the security concept under which a user is granted the minimum level of access or authorization necessary to perform the user’s function).
  3. Currently, some companies use a WORM record keeping system almost exclusively for the purpose of meeting the requirements of Rule 17a-4 and maintain separate working copies of records for use in day-to-day business operations. In the SEC’s view, the proposed changes are designed to facilitate the use of a single electronic record-keeping system for business and regulatory purposes. However, requiring companies to maintain backup “systems” and the ability to have WORM and audit trail systems in parallel could add confusion to an area that the SEC is arguably trying to streamline and modernize. We expect the SEC to clarify what is sufficient as an “electronic document backup system.” In other words, will redundant records stored in separate locations on a company’s record keeping system be enough, or does the SEC really intend companies to keep backup records on entirely separate “systems”?
  4. The proposal aims to give businesses the option of (possibly) phasing out WORM once and for all. In addition, brokers and SBS entities will have the option of continuing to keep certain records in WORM format, while using the audit trail for other types of records. It may be easier, for example, to store certain types of static records, such as emails, in WORM format, while still using an audit trail for regularly updated records. In particular, the proposed audit trail method would only apply to records created after the possible effective date of the rule change. Firms that choose to adopt an audit trail record keeping system would be allowed to keep new records on a system that would meet audit trail requirements, but would be required to keep existing records on a WORM-compliant system (although, since the audit trail method only applies to records created after adoption, it’s unclear what the SEC considers the alternative). This implies that businesses would face the burden of keeping old and new systems in parallel at least until the retention periods for old WORM records expire.

The public comment file closed on January 3, 2022 and is surprisingly thin. This may be due to the proposal’s timing (one week before Thanksgiving) and the brief comment window (which spanned the December 2021 holiday season and the end of the calendar year). SEC Commissioner Peirce has previously argued for extended comment periods on rule-making, in general. We will be watching closely for updates in this area, including a potential extension of the comment window and, of course, any future adoption by the SEC.[4]


[1] In 2019, the SEC signaled its intention to proceed with this modernization when it chose not to extend the WORM requirement or the requirement of a designated third-party registrar to the rules applicable to SBS entities, noting that “the Commission considers that any changes to the broker-dealer electronic storage arrangements should be addressed in a separate regulatory initiative in which the Commission intends to look at issues relating to electronic storage media in a broader context, including with regard to concerns other market players.”

[2] This regulatory proposal was quite substantial. This customer alert deals with the changes that we consider to be the most important.

[3] While similar to the current requirement that a broker or SBS entity store separately from the original, in any medium acceptable under Rule 17a-4, a duplicate of a record for the required period, the proposal would modernize the duplicate requirement slightly by eliminating the WORM requirement. The SEC believes that this backup electronic filing system will facilitate reviews and promote business continuity for the broker or SBS entity in the event of a disruption to the primary filing system.

[4] The Commission often takes into consideration letters of comment received after the deadline, even without an extension, particularly when seeking industry advice and having received fewer comments than expected.

Colin L. Johnson