Tuesday, January 22, 2008

Electronic Storage Media: Audit System?

Warning: you will need energy to get through this... if there's a power source nearby, plug in and read on.

This blog entry addresses a specific instance of what many have experienced: differing expectations from FINRA on meeting SEC rules. With regard to electronic storage, this is typical. On the one hand, we are informed that there are no interpretations: the rule is the rule and must be followed. On the other hand, we're expected to accept different degrees of testing during exams and differing exam findings--some tolerant and seemingly 'principle-based' and some strictly by the book. FINRA staff do not apologize for this. Exam methodologies are 'risk-based' and therefore can vary greatly--even for firms with identical business niches. While that seems reasonable, it also seems unfair.

17a-4(f) rules relating to electronic storage are hard to live by. Most small firms do not meet those standards. But then again, most small firms are forgiven by FINRA examiners (not officially, of course) who witness the firms making good faith efforts towards compliance. A firm that backs up its server daily and takes the tapes home is generally not penalized for not having WORM compliant media and not evidencing instantaneous compliance with the rules (that is, there is a gap between record creation and compliant-format storage). And that's good.

But how to plan for this sort of non-uniform enforcement? I mean, a compliance consultant like moi can't just say, "Aw, don't worry about it--your system is close enough!" Our job--I should say my job--is to help firms understand what is expected of them (i.e., rules) and help them put in place procedures that meet those expectations (i.e., compliance). It's not up to me to exempt firms from certain aspects of certain rules, where there is no official regulatory exemption. I have to promote compliance to the highest degree. But in cases like electronic storage, my job is hard.

Here is an example: SEC 240.17a-4(f)(3)(v) says, "The member, broker, or dealer, must have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved pursuant to Rules 17a-3 and 17a-4 to electronic storage media and inputting of any changes made to every original and duplicate record maintained and preserved thereby."

This little (v) is down deep in the electronic storage rules and not typically seen in exam findings. In fact, many compliance personnel and FINRA staff don't even know about this rule. Lately some firms were written up in exit conferences for lack of compliance. I did some research and had some conversations in an attempt to understand what, exactly, is expected under this rule. Here's what I can report:

  • There is no published guidance on this specific paragraph under 17a-4(f)--the audit system; that is, there is no Notice or other such wonderful distillation of FINRA or SEC expectations for compliance.
  • There is no conspiracy, in my judgment, by FINRA examiners to suddenly pick on small firms in examinations; no master plan to increase awareness of this subject by including it in every LOC henceforth. There is however--dare I say the word--inconsistency among Districts and examiners, so that you may or may not be tested for compliance with this little paragraph (v).
  • 'Audit system' appears to imply a system that keeps records of every record saved on the firm's ESM (electronic storage media). The records show the creation time and date of each record created, as well as every change made to those records. The system also must keep information on every duplicate record created/changed. This might be easy for some IT folks to understand and implement; it may be insanely impossible for non-IT minded small firms attempting to understand and implement.
  • The only thing close to an explanation of SEC's expectations for an audit system is included in their release of the final rule from 1997 (SEC Release No. 34-38245--http://sec.gov/rules/final/34-38245.txt). Here's the paragraph:

'The Proposing Release would have required a broker-dealer to "have in place an audit system providing for accountability regarding all access to records maintained and preserved using optical storage technology and any changes made to every original and duplicate optical disk." Commenters sought clarification as to whether this provision requires maintenance of a log of all persons who have the capability or authority to access optical disks, or maintenance of a log indicating each instance where data is added to a disk. The rule adopted by the Commission today requires an audit system to be utilized only when records required to be maintained under Rule 17a-4 are being entered or when any additions to existing records are made. Therefore, an audit record is not required when a record is accessed but cannot be altered by the reader.'

So this can be interpreted--or can it?--to mean firms that have their records in truly WORM compliant format do not have to have an audit system for tracking changes to the records--duh, they can't be changed. But they do have to have a system that tracks inputting of records; some way to track at what date and time a record was created in the WORM format. And of course, the duplicate records also have to have such a tracking system.
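To make the reading above concrete, here is an added example (my own illustration, not anything from the SEC, FINRA or any vendor) of a minimal write-once record store whose audit log is generated only when a record is input or added to, never when it is merely read, and which tracks duplicates by giving each medium its own log. The hash chaining is an assumption about good practice, not something the rule text asks for; the class, method and field names are hypothetical.

```python
import hashlib, json, time

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class WormStore:
    """Write-once store with a hash-chained, append-only audit log (added example, not the post's own)."""

    def __init__(self, media_label, clock=time.time):
        self.media_label = media_label  # e.g. "primary" or "duplicate" media
        self._records = {}              # record_id -> list of immutable parts
        self.audit_log = []             # only ever appended to
        self._clock = clock             # injectable so tests are deterministic

    def _audit(self, event, record_id, data, user):
        prev = self.audit_log[-1]["entry_hash"] if self.audit_log else "0" * 64
        entry = {"media": self.media_label, "event": event, "record_id": record_id,
                 "user": user, "timestamp": self._clock(), "prev_hash": prev,
                 "sha256": hashlib.sha256(data).hexdigest()}
        entry["entry_hash"] = _digest(entry)
        self.audit_log.append(entry)

    def input_record(self, record_id, data, user):
        if record_id in self._records:  # WORM: an existing id is never overwritten
            raise PermissionError(f"WORM violation: {record_id!r} already exists")
        self._records[record_id] = [data]
        self._audit("input", record_id, data, user)

    def add_to_record(self, record_id, addition, user):
        # An addition is a new part beside the intact original, and is audited.
        self._records[record_id].append(addition)
        self._audit("addition", record_id, addition, user)

    def read_record(self, record_id):
        return b"".join(self._records[record_id])  # access alone is not audited

    def duplicate_to(self, other, record_id, user):
        # Copy to a second medium; the duplicate's own log records the input.
        other.input_record(record_id, self.read_record(record_id), user)

    def verify_audit_chain(self):
        """Recompute every hash; False means an entry was altered or removed."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or entry["entry_hash"] != _digest(body):
                return False
            prev = entry["entry_hash"]
        return True
```

An examiner asking "show me when this record was input" gets the timestamped entry; an attempt to overwrite a record fails rather than being logged as a change.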

But here's a possible contradiction... in FINRA's release of amendments to the SEC Rule, they state this: "Audit Systems: Requires the implementation and use of an audit system where required records pursuant to Rule 17a-4 are being entered or when any additions to existing records are made. No audit records will be required for records that can be accessed but not altered by the reader." That would imply that firms do not have to have audit records at all if their data is non-rewriteable. Perhaps firms should think about quoting this in their next exam, if tested. Here's the link to this text: http://www.finra.org/RulesRegulation/NoticestoMembers/1997NoticestoMembers/P004673

  • Explanations from two District staff members treat the subject this way: audit system means firms have to periodically check to see that their electronically stored records are indeed still there; that is, they should access their records once in a while to see if the records are intact. That seems simplistic to me and not in line with the SEC's language, above. But then again, if the District staff will examine for compliance under this interpretation, it's not a difficult standard to meet.
  • On the subject of third-party ESM providers... who knows? The rule itself speaks to the member having an audit system in place: does that mean the third-party provider can't run the audit system? My helpful FINRA contacts did not have an answer for this. The question must be directed to the SEC.
  • In talking to EMC squared, their systems are most likely to include such a tool, but it's not necessarily called that, which makes the subject hard to sort out.
  • On the broader topic of ESM, here's some good news (old news, but still good): SIFMA has requested that SEC amend 17a-4(f) to create a reasonableness standard for ESM compliance. Ahhhh, wouldn't that be nice? It is also pursuing changes to 17a-4(b)(4)--retention of communications. See http://www.sifma.org/regulatory/erecords/index.html for reading on the subject.
All that may not sound as helpful as I like to be. This is not black and white: it's a lovely shade of grey. If you are unsure about whether your firm meets this 'audit system' requirement, you may want to ask your IT people or third-party vendor, then decide if it's worth worrying about. You may also want to call your liaison to ask what your District expects to see. To meet the rule may mean you're exceeding the expectations of your District. Or not--you may be charged with non-compliance in your next exam. The good news is, you'll be prepared to discuss the topic. Knowledge is power.


More power to you.