Asset management, investment banking, and other financial services firms subject to SEC Rule 17a-4, a 2022 amendment governing the monitoring and retention of electronic communications, still have insufficient or immature message archival programs in place for compliance.
Earlier this year, regulators cited more than 15 Wall Street broker-dealers for failure to maintain and preserve electronic communications, amounting to $1.1 billion in total fines. SEC enforcement actions are expected to continue as firms grapple with building compliant recordkeeping programs.
Planning for a more robust and effective controls program for 2024 implementation should ideally be well underway, but a number of challenges persist, putting thousands of firms in the hot seat.
What Is the Electronic Recordkeeping Amendment?
The rule is officially referred to as the “Electronic Recordkeeping Requirements for Broker-Dealers, Security-Based Swap Dealers, and Major Security-Based Swap Participants” or “Electronic Recordkeeping Requirements” for short.
Other common references often include “Mobile Device Communication Monitoring and Retention,” “Mobile Comms,” “eComms” or “Electronic Message Archival.”
In essence, the rule requires firms to maintain and preserve electronic communications for proper recordkeeping and compliance with federal securities laws. In the last decade, and especially since the pandemic, firms have made greater use of “off-channel communications,” meaning business matters are conducted and communicated over personal devices like employee cellphones through text messages or private email.
When personal devices are used without procedures for archiving communications, firms deprive regulators of critical information on conduct, finances, and data security in addition to putting client and organizational information at risk.
What Does an Effective Message Archival Program Entail?
Successful message archival programs should be cross-functional initiatives designed with key strategic business, technology, and functional goals in mind. Due to the pervasiveness of mobile communications channels such as iMessage, SMS, WhatsApp, and WeChat inside and outside the workplace, firms must re-evaluate their existing policies and technical solutions around mobile device audit and surveillance.
There are four overarching pillars that guide the direction and successful execution of a message archival program:
- Meet SEC requirements for electronic communications monitoring and capture from mobile devices.
- Implement secure, streamlined, scalable, and firm-controlled technical solutions for in-scope mobile communication channels.
- Provide staff with the best possible user experience within acceptable security and risk requirements.
- Establish an agile, forward-looking program capable of adapting to future market changes and regulatory requirements.
More tactically and immediately, this means firms subject to the rule should:
- Identify the types of electronic communications that need to be archived. This includes communications with customers and clients, as well as business records such as order tickets, trade confirmations, and account statements.
- Select a message archival solution that meets the organization’s needs. There are a number of different message archival solutions available; however, the software market in this space is still in its infancy and organizations might find their options limited. Generally, it’s important to select a solution that’s scalable, secure, and easy to use.
- Develop message archival policies and procedures. The policy should document how electronic communications will be archived, retrieved, and retained.
- Train employees on the message archival policy and procedures. Employees need to understand why properly archived electronic communications are critical to regulatory compliance and minimizing financial and reputational risk. Additionally, employees must understand how to leverage different communication channels as part of their job function and how improper communications can open areas of risk for the firm. Again, user experience is critical to program adoption and success.
- Monitor and review the message archival program on a regular basis. This will help to ensure the program is working effectively and meeting the needs of clients, employees, regulators, and the organization itself.
Best Practices for Message Archiving
When implementing a message archival program, financial services organizations should follow these best practices as a baseline:
- Archive all electronic communications. This includes emails, instant messages, text messages, and voicemails.
- Use a tamper-proof archive format. This will help to ensure that records cannot be altered or deleted.
- Index and search records. This will make it easier to find the records when needed.
- Implement audit and reporting capabilities. This will enable internal and external auditors to track who is accessing the records and when.
- Retain records for the required period of time. SEC Rule 17a-4 requires that certain records be retained for two to six years.
Key Challenges to Message Archival Program Implementation
Building a message archival program from scratch or enhancing an established program is not without its obstacles. As evidenced by increasing regulatory scrutiny and the number of fines levied, even some of the world’s largest institutions are falling short of compliance.
Understanding these common challenges, both internal and external, is necessary for avoiding the pitfalls of peers and enacting a future-ready program.
- Lacking resource capacity to support large-scale changes.
- Insufficiently assessing the change impact of mobile device management for end users.
- Balancing regulatory compliance with user experience.
- Educating employees on required changes and resulting impact on day-to-day operations.
- Ambiguous SEC requirements.
- Regulatory misalignment or conflict with specific messaging platforms.
- Few highly mature software solutions on the market that can meet comprehensive compliance needs.
Cross-Functional Expertise Needed
While firms may have effective controls and capabilities over some functions and processes germane to SEC Rule 17a-4, most need additional bandwidth and experience across multiple functional areas to ensure message archival program excellence.
Six core capabilities are needed:
- Change management: To develop effective and purpose-built training and communications programs for employees with the goal of facilitating quick adoption of new policies and reinforcing policies continuously over time.
- Program management: To align stakeholders, measure progress, and oversee the end-to-end message archival program to ensure the firm’s goals are met and regulatory requirements are achieved.
- Technology architecture and strategy: To assess the current-state technology ecosystem and integrate new technology solutions for optimal integration, compliance, and effectiveness.
- Vendor selection: To understand the requirements for third-party technology or program support and negotiate vendor contracts for long-term savings.
- Risk strategy and management: To understand current and future technology, regulatory, and financial risks and implement effective monitoring and remediation programs.
- Governance and operating model architecture: To create and implement a structure for ongoing controls and decision rights and to design a future-state program that meets the needs of today and tomorrow.
CrossCountry Consulting’s integrated approach to SEC Rule 17a-4 compliance empowers asset managers, investment bankers, and other financial institutions to adopt effective message archival programs and adapt to the regulatory landscape.