In a recent update to Rule 17a-4, the Securities Exchange Commission (SEC) stepped fully into the 21st century by dropping the requirement that electronic records be stored in a “write once, read many” or WORM format. Instead, broker-dealers can opt to continue using WORM format systems or use dynamic recordkeeping technology that provides an audit trail.
What is WORM?
“Write once, read many” is just as the name implies. It’s a way of storing data and preserving records in a non-rewriteable, non-erasable format. Remember the days of burning CDs? The CD-R was a WORM format. You could store data on it once, and access it as much as you’d like, but it couldn’t be changed or overwritten.
Most broker-dealers use dynamic recordkeeping systems for practical business purposes which capture data that is constantly in flux and being updated and are set up for practical day-to-day needs. A separate WORM system is also needed to meet SEC compliance requirements.
Because of the inefficiency and impracticality of legacy systems (which could lead companies to forgo compliance for convenience), the SEC revised the rule to require broker-dealers using electronic recordkeeping systems to preserve its records in a manner “that permits original records to be re-created if altered, over-written or erased, or that prevents original records from being altered, over-written or erased.” The rule change now allows broker-dealers to meet compliance by using either WORM format or an audit trail alternative.
What are the New Requirements for the “Audit Trail Alternative?”
The audit trail requirements set forth under the new rule update state that broker-dealers need to preserve and maintain records in a manner that “maintains a complete time-stamped audit trail that includes: all modifications to and deletions of a record or any part thereof; the date and time of operator entries and actions that create, modify, or delete the record; the individual(s) creating, modifying, or deleting the record; and any other information needed to maintain an audit trail of each distinct record in a way that maintains security, signatures, and data to ensure the authenticity and reliability of the record and will permit re-creation of the original record and interim iterations of the record.”
The new audit trail guidelines shouldn’t be anything new for compliance teams, and in fact, are more in line with what legal teams are used to when it comes to preserving data for ediscovery. It also allows compliance teams to streamline operations and move away from legacy systems, which can create extra cost and risk.
Finally, with the dynamic and personalized nature of today’s websites, social media platforms, and communications channels, archival recordkeeping should be able to capture all of the variations those data sources create. To properly prove compliance, recordkeepers often need to access archives that show things as they were on a given date, including drop-down menus, toggles, links, and personalized user journeys.
This seemingly small update from the SEC, which allows compliance teams to move away from WORM storage toward a more usable audit trail alternative, brings enterprise recordkeeping out of the digital stone age and into a new, more functional era.