Regulatory Circular RG Members and Member Firm Organizations. Division of Member and Regulatory Services. Date: October 28, 2009

Similar documents
WHITE PAPER PAPERWISE DOCUMENT MANAGEMENT COMPLIANCE WITH SEC 17A-4

Financial Services Compliance

Financial Services Compliance

Yours truly, Shannon Rogers President & General Counsel

Policy Summary: This guidance outlines ACAOM s policy and procedures for managing documents. Table of Contents

Regulatory Notice 14-39

Proofpoint Enterprise Archive for SEC and FINRA Compliance

CHIEF EXECUTIVE OFFICER/MANAGING PARTNER AND COMPLIANCE, REGULATORY, AND LEGAL DEPARTMENTS

NYSE and NYSE MKT MEMBERS AND MEMBER ORGANIZATIONS. NYSE Rule 36 - Use of Non-NYSE Provided Cellular Phones on the Floor of the Exchange

POLICY TITLE: Record Retention and Destruction POLICY NO: 277 PAGE 1 of 6

Records Retention Policy

CBOE Regulatory Circular RG C2 Regulatory Circular RG15-007

Southington Public Schools

Regulatory Notice 11-26

Ashford Board of Education Ashford, Connecticut POLICY REGARDING RETENTION OF ELECTRONIC RECORDS AND INFORMATION

Executive Summary. The amendments become effective on September 10, The text of the amendments is attached (see Attachment A).

File No. SR-NASD-00-70

Broker-Dealer Concepts

ACH Audit Guide for Third-Party Senders Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2017

CTAS e-li. Published on e-li ( April 28, 2018 Electronic Records

Management: A Guide For Harvard Administrators

FSC STANDARD. Standard for Multi-site Certification of Chain of Custody Operations. FSC-STD (Version 1-0) EN

All other forms of social media are prohibited unless reviewed and approved prior to use by designated SFA Compliance Principal.

NASD NOTICE TO MEMBERS 97-58

Notice to Members. Customer Account Statements. Executive Summary. Questions/Further Information. Background and Discussion

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

SEC Revises Broker-Dealer Recordkeeping Requirements

WHITE PAPER. Iron Mountain Delivers File Archiving Service. By Brian Babineau With Lauren Whitehouse. February, 2009

June 17, SR-NASD Policy to Conduct Fingerprint-based Background Checks of NASD Employees and Independent Contractors

Regulatory Notice 09-33

Records Information Management

Timber Products Inspection, Inc.

Identity Theft Prevention Policy

The Office Procedures and Technology

Employee Security Awareness Training Program

Notice to Members. Branch Office Definition. Executive Summary. Questions/Further Information AUGUST 2002

Checklist: Credit Union Information Security and Privacy Policies

Audit Considerations Relating to an Entity Using a Service Organization

SPRING-FORD AREA SCHOOL DISTRICT

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

This Advisory Circular relates specifically to Civil Aviation Rules Part 147. Published by Civil Aviation Authority PO Box 3555 Wellington 6140

Re: File No. SR-NASD Amendments to NASD Rules 1013 and 1140

Regulatory Notice 18-27

Management Case Study. Kapil Lohia

Business Continuity Plan

CARROLL COUNTY PUBLIC SCHOOLS ADMINISTRATIVE REGULATIONS BOARD POLICY EHB: DATA/RECORDS RETENTION. I. Purpose

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Regulatory Notice 10-21

Element Finance Solutions Ltd Data Protection Policy

Creative Funding Solutions Limited Data Protection Policy

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

New Spanish Regulation Tightens Up Data Protection Requirements RAFI AZIM-KHAN, JOHN NICHOLSON, ALESSANDRO LIOTTA, AND DOMINIC HODGKINSON

This procedure sets out the usage of mobile CCTV units within Arhag.

FINANCIAL INDUSTRY REGULATORY AUTHORITY LETTER OF ACCEPTANCE, WAIVER AND CONSENT NO

SECURITY & PRIVACY DOCUMENTATION

Farmingdale State College Records Management Training PRESENTED BY DOROTHY HUGHES INTERNAL CONTROL OFFICER AND RECORDS MANAGEMENT OFFICER

Introduction to SURE

Regulatory Notice 13-08

Data Protection Policy

Retain, search, review and produce business mobile text messages

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Category: Data/Information Keywords: Records Management, Digitization, Imaging, Image capture, Scanning, Process

ISO INTERNATIONAL STANDARD. Information and documentation Records management Part 1: General

Motorola Mobility Binding Corporate Rules (BCRs)

ISACA Cincinnati Chapter March Meeting

Web CRD and IARD TM Training

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

Supersedes Policy previously approved by TBM

Regulatory Notice 09-64

Automation Change Management for Regulated Industries

HPE DATA PRIVACY AND SECURITY

Good Laboratory Practice GUIDELINES FOR THE ARCHIVING OF ELECTRONIC RAW DATA IN A GLP ENVIRONMENT. Release Date:

Managing Records in Electronic Formats. An Introduction

Customer Proprietary Network Information

Sparta Systems TrackWise Solution

ABB Limited. Table of Content. Executive Summary

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Part 11 Compliance SOP

Chapter 1B-26, Florida Administrative Code RECORDS MANAGEMENT - STANDARDS AND REQUIREMENTS Electronic Recordkeeping

Notice to Members. Forms U4. Executive Summary. Questions/Further Information

DarkoKravos, PMP. Dodd Frank Title VII Recordkeeping. Record keeping changes impacting business and technology

RECORDS WWU: . WWU Archives & Records Management Tony Kurtz x3124 Rachel Thompson x6654

RECORDS AND INFORMATION MANAGEMENT AND RETENTION

IBM Compliance Offerings For Verse and S1 Cloud. 01 June 2017 Presented by: Chuck Stauber

Information Security Management Criteria for Our Business Partners

EXAM PREPARATION GUIDE

Version 1/2018. GDPR Processor Security Controls

Clearing Out Legacy Electronic Records

Continuing Professional Development Verification and Recognition Policy

Privacy Statement for Use of the Certification Service of Swisscom (sales name: "All-in Signing Service")

INTEGRATING EMC XTENDER AND DISKXTENDER FOR ELECTRONIC MESSAGING ARCHIVAL WITH NETAPP NEARSTORE

Notice to Members. Uniform Branch Office Definition. Executive Summary

INTERNAL AUDIT. Chapter 16 9 KATHMANDU, NEPAL, THE HIMALAYA S IN THE BACKGROUND

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

POLICY AND GUIDELINES FOR THE RETENTION AND DISPOSITION OF ORIGINAL COUNTY RECORDS COPIED ONTO OPTICAL IMAGING AND DATA STORAGE SYSTEMS

Renewal Registration & CPE for CPAs in Iowa

TELECOMMUNICATIONS AND DATA CABLING BUSINESSES

Business Banking Online application

DEPARTMENT OF HOMELAND SECURITY RECORDS MANAGEMENT HANDBOOK

FINRA to Issue More Guidance on Social Media

Transcription:

Regulatory Circular RG09-122 To: From: Members and Member Firm Organizations Division of Member and Regulatory Services Date: October 28, 2009 RE: Supervision of Electronic Communications and Electronic Storage of Records The purpose of this Regulatory Circular is to outline and reiterate, particularly to those members who are not members of the Financial Industry Regulatory Authority ( FINRA ), the requirements of Securities Exchange Commission Rule (SEC) 17a-4 regarding Electronic Storage of Broker-Dealer Records and also specifically regarding the supervision and storage of electronic communications. The SEC Books and Records Rules provide members the flexibility to maintain their records electronically or in hard copy form. Members who choose to store records electronically can also elect to utilize the services of an independent third-party to do this work. There are numerous service providers that offer assistance to members with the capture of records at the network level, such as emails and instant messages (IM), and with retention of those records. The systems of some service providers also facilitate electronic-based supervisory reviews. Members utilizing the services of an independent party to assist with the supervision of electronic communications and retention of records, must be aware of and comply with the requirement to provide notice to their Designated Examining Authority of their intention to maintain records electronically and to provide a written third-party undertaking requirement from the third party that meets the requirements of SEC Rule 17a-4. Members who determine to maintain their records via hard copy should review the requirements of SEC Rule 17a-3 and 17a-4 regarding what records they are required to have and the time period that those records are required to be maintained. Members may be required to produce copies of electronic communication or other books and records in connection with an Exchange investigation or examination. The Use of Electronic Storage Media (SEC Rule 17a-4) Members that use electronic storage media for any part of their books and records, must comply with the specifications for storage media and other rule requirements as set forth in SEC Rule 17a-4. The SEC has not endorsed any particular recordkeeping method or medium. However, with respect to books and records that are maintained electronically, guidance can be inferred from the rule's requirement that records be maintained on micrographic media or other electronic storage medium. Examples include microfilm, microfiche, tape backup, write-once compact disc (CD) or digital versatile disc (DVD).

The rule states, among other things, that electronic storage media must; Preserve the records exclusively in a Write Once Read Many (WORM) format. Verify automatically the quality and accuracy of the storage media recording process; the intent is to ensure that the media recording process is accurate and to ensure the recorded information is of the highest quality. The software utilized to conduct the recording of the data should have the capability to perform an automatic check of the quality and accuracy of the data recorded. Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media. When a record is serialized, the date and time of the recording, as well as the integrity and completeness of the data and file structure is written to the media. This helps ensure that a copy created is an exact duplicate of the original record. Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under the Rule, as required by the SEC or the self-regulatory organizations (SRO) of which the member, broker, or dealer is a member. The purpose of an index is to identify a record so that it can be retrieved when necessary (i.e. date, time, keyword). The system or software also maintains a locator data base that identifies the exact position (such as optical disk volume, track number and file number) where the record is stored and from which it can be accessed. Being able to identify, locate and retrieve a record is a requirement for the index component of the rule. A step in ensuring data quality and integrity requires the member have in place an audit system providing for accountability regarding all access to records maintained and preserved using electronic storage media and any changes made to every original and duplicate optical disk. In addition, the audit system must be available for examination by the staffs of the SEC and SRO. An audit system verifies each step of the archival process and tracks, records and reports each phase of the archival process. This includes data transfer, production logs, quality assurance, and ongoing tracking of the archived data. The audit trail information may need to be provided to the examiner as a means of documenting and supporting the quality of the archival process. Store separately from the original, a duplicate copy of the record stored on any medium acceptable under Rule 17a-4 for the time required. Stored separately requires that the duplicate copy be located in a different geographic location from the original record. Members can meet this requirement by storing one copy in the office and another in its residence as long as the locations are not in the same geographical area. Additionally, a member will need to consider the following; If a member intends to utilize non-optical disk technology (including CD/DVD-ROM) to maintain records, then 90-day prior notice must be provided to their designated examining authority (DEA).(attached is a sample notification). SEC Rule 17a-4(b)(4) requires broker-dealers to maintain all communications (including interoffice memoranda and faxes) relating to its business. All correspondences created and received concerning its business are required to be maintained

For examination purposes, the member shall at all times have facilities available for immediate, easily readable projection or production of micrographic media or electronic storage media images and for producing easily readable images. The records are typically expected to be "readily" accessible (within hours or at least on the same day) during the first two to three years of their required retention period, the period when the potential for a regulatory investigation or audit is highest. Thereafter, records should be retrievable within a reasonable period of time (typically 2-3 days). All records which the member is required to maintain would fall under this requirement. With respect to the location of the data to be stored electronically, the member must take precautions to ensure that the storage location is in a secured, location prior to being backed-up onto a WORM format. A location that could be accessed only by, and limited to key personnel (i.e. administrator or IT Officer) could be considered secured. Additionally, a log to track access to this location as well as any modifications made to the data in this location should be available. The member must be able to demonstrate this during the course of an examination. With respect to the frequency that the back-ups must be performed, the member should perform an analysis of its business and consider the following criteria; the type of business the member conducts (i.e. proprietary, sole proprietary, retail customer), the amount of data that changes day to day or the amount of new data generated to determine the frequency of its back-ups. During the course of an examination, the member firm must be able to demonstrate the frequency is sufficient given its analysis. Supervision of Electronic Communication and Record Retention Each member should develop and implement written supervisory procedures that are reasonable given the nature of the member s business. Members should provide their employees with: - Clear policies and procedures for the use of electronic communications, both internal and external; - Identification of the types of electronic devices that the member allows its employees to utilize, which includes but is not limited to, laptops, home computers, cell phones and blackberry devices. - Identification of the types of electronic communications that members or its employees are allowed to utilize. These would include, but not be limited to instant messaging, text messaging, e-mail, or participation in chat rooms, and social or business networking tools. - The procedures should also detail; the frequency that the electronic records are backed-up; the hardware and software utilized to perform the back-ups; personnel or department that performs the back-ups and the media on which the back-ups are stored. To merely state that the member complies with SEC 17a-4 is not sufficient. Since members are required to supervise and retain electronic communications, as discussed above, including those that emanate from a platform such as Bloomberg, AOL or Yahoo, the member may consider prohibiting the use of such platforms. If a member allows IM, the member should make sure the technology is in place to capture and archive it, and that the associated persons know when they can and cannot use the systems. If a member allows its associated persons to conduct business using several different screen names, they must be able to identify the user and capture all communications transmitted under the different screen names. If a member allows its associated persons to participate in online chat rooms, they must supervise the activity to prevent exaggerated, unwarranted, or misleading statements or

claims, including promises involving the member s business. Finally, unless a member is capable of supervising and retaining communications that emanate from personal devices (cell phones, blackberry devices, personal computers) a member should consider prohibiting their use. Failure by a firm to implement adequate supervisory procedures or an associated person to follow supervisory procedures can result in disciplinary action. Recent Examination Findings The following, include but are not limited to, examples of conduct that may subject members to regulatory action: - Failure of a member to retain electronic records, including e-mails and instant messages, in the proper format they were not in WORM format. - Failure of a member to retain electronic records of contract employees. For members that utilize the services of a contract employee (i.e. FINOP, Compliance Officer), the simplest solution is to assign the contract employee an e-mail address on the members domain to ensure all business related correspondences are captured by the member. For those contract employees that may provide services to multiple members, the CBOE will consider each situation on a case by case basis to ensure that the retention requirements are met. - The frequency of the backing-up of data was insufficient and the member could not substantiate the frequency of the back-ups with a needs analysis. Additional information on SEC 17a-4 can be found at: http://www.sec.gov/rules/interp/34-47806.htm Questions regarding this Regulatory Circular or the use of electronic means of communication or the retention of electronic communications or records may be directed to David Carlson (312-786-7052) or Milan Markovic (312-786-8192).

Sample - 90-Day Electronic Storage Notification (Date) Name Title Address City, State, Zip RE: (Firm Name), CRD# (XXXXX) The undersigned hereby undertakes to furnish promptly to the Chicago Board Options Exchange ( CBOE ) and its designees or representatives upon reasonable request, such information as is deemed necessary by the CBOE to download information kept on the broker's or dealer's electronic storage media to any medium acceptable under SEC Rule 17a-4. In addition, the undersigned asserts that the proposed (name of vendor or software) solution archives data in non-proprietary file formats and allows for digital data recording in a non-rewriteable, nonerasable format such as Write Once, Read Many (WORM). Furthermore, the undersigned hereby undertakes to take reasonable steps to provide access to information contained on the broker's or dealer's electronic storage media, including, as appropriate, arrangements for the downloading of any record required to be maintained and preserved by the broker or dealer pursuant to SEC Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 in a format acceptable to the CBOE. Such arrangements will provide specifically that in the event of a failure on the part of a broker or dealer to download the record into a readable format and after reasonable notice to the broker or dealer, upon being provided with the appropriate electronic storage medium, the undersigned will undertake to do so, as the CBOE may request. Sincerely, (Principal Name) (Title)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback