What are the SEC’s Electronic Recordkeeping Rule Changes?
In the first change to its recordkeeping requirements in 25 years, the Securities and Exchange Commission (SEC), has updated its Electronic Recordkeeping Requirements, including SEC Rule 17a-4.
As summarized in the SEC fact sheet on Final Amendments to Electronic Recordkeeping Requirements, “The Securities and Exchange Commission adopted amendments to the electronic recordkeeping requirements for broker-dealers, security-based swap dealers (“SBSDs”), and major security-based swap participants (“MSBSPs”) to modernize recordkeeping requirements and make the requirements adaptable to new technologies in electronic recordkeeping. The amendments will also facilitate examinations of broker-dealers, SBSDs, and MSBSPs.” (Here’s the complete final rule.)
The update was issued on October 12, 2022 and will go into effect 60 days later.
Here are highlights of some of the changes:
-
WORM requirement eliminated – A major reason for the rule change was to keep up with technology. The prior recordkeeping rule, written in 1997, required firms to preserve electronic records exclusively in a non-rewriteable, and non-erasable format, such as a CD-ROM. This write-once/read-many (WORM) format will no longer be required, so firms can store information on their own servers – or those of a third party – as long as the SEC has a way to access the data and the system preserves electronic records in a manner that permits recreation of the original. This includes the ability to save their records to the cloud along with an audit trail to record changes.
-
A Designated Executive Officer (DEO) of the firm can be an alternative to a Designated Third Party (D3P) to provide access to the firm’s electronic records – In lieu of outsourcing this requirement to a third party, the firm may elect to have a designated executive officer of the firm as an alternative in this role and insource this function. The goal is that either the DEO or D3P, pending who has filed the Letter of Undertaking and provides representation, has the ability to access the firm’s electronic records and provide the records to securities regulators if the firm fails or is unable to do so.
-
SBSDs and MSBSPs need to take notice – For the first time, these requirements will apply to nonbank security-based swap dealers and major security-based swap participants.
How will this Affect My Firm?
The new rule requires a revised undertaking that may be prepared by either a Designated Third Party (D3P) or a Designated Executive Officer (DEO) who is in senior management. The requirements of the undertaking are demanding and require access and the ability to provide records maintained and preserved on the electronic recordkeeping system. This includes knowledge not only of all repositories containing covered records but also passwords, credentials, and other information required to access such records and, if applicable, audit trails for such records.
The requirements of the rule will need to be actively managed in terms of monitoring the technical requirements to access records and key personnel on the DEO’s team. Accordingly, insourcing the D3P function and being responsible for compliance is no small matter, especially since senior officers of the firm must focus on pressing business requirements.
Firms must seriously consider if this is a recordkeeping requirement they want to manage. Does it make sense to insource this function, or to continue to keep it in the hands of the experts?
How could this Affect Me Personally?
If you are the person who is called upon to be the Designated Executive Officer (DEO) for your firm, you are taking on the burden of actively managing and monitoring the technical requirements to access records, as well as ensuring there are backup specialists on your team if you are out. In short, you are on the hook for compliance.
The challenge for the DEO is creating their own version of an internal D3P service. Importantly, mechanisms with the new rule point to a high expectation from the SEC that such a team has robust technical capabilities to provide timely access to records and employ redundancy with multiple technical resources if needed. For instance, due to the scope of the new rules’ access requirements, the DEO may rely on up to three designated specialists with the requisite knowledge to access records. Such specialists must report directly or indirectly to the DEO.
Despite the option to rely on these specialists, the DEO is nevertheless “at all times responsible for fulfilling the obligations set forth in the undertakings” which means the DEO is responsible for the success of their team. In addition, the DEO may appoint up to two designated officers to stand in for the DEO if the DEO is unavailable to fulfill their obligations. Such designated officers must also report directly or indirectly to the DEO.
Letters of Undertaking are Still a Requirement
One thing that has not changed is the requirement for a Letter of Undertaking. The Letter of Undertaking is filed by the broker-dealer with the regulators through the EDGAR upload and details the system and entity covered.
If you handle compliance with SEC Rule 17a-4 internally (which is called 18a-6 for in-house), you’ll be responsible for the Letter of Undertaking. If you outsource this function to a Designated Third Party, the D3P will provide and sign this letter in which it represents that it will access the records at the request of the Commission.
When Do the Rule Amendments Go into Effect?
The final amendments will become effective 60 days after they are published in the Federal Register. The compliance dates for the new requirements will be six months after publication in the Federal Register for broker-dealers and 12 months after publication in the Federal Register for SBSDs and MSBSPs.
Summary
In our view, this is a vote of confidence for the Designated Third Party (D3P) requirement. Instead of eliminating it as proposed, the role of the D3P has been expanded to serve regulatory requirements for SBS entities as well as broker-dealers.
Historically, even with the help of Designated Third Parties under the existing rule, a surprising number of firms have struggled with the comparatively minimal internal requirements for compliance. Firms choosing the Designated Executive Officer option will have even more responsibility, which risks noncompliance with the requirements of the new rules.
Fortunately, the D3P option provides a means to definitively address these requirements through a team of specialists with the knowledge and expertise required to meet the obligations of the new rule without creating additional internal burdens.
