In the first change to its recordkeeping requirements in 25 years, the Securities and Exchange Commission (SEC), has updated its electronic recordkeeping requirements and published its final rule for SEC 17a-4, under SEC 18a-6.
As summarized in the SEC fact sheet on final amendments to electronic recordkeeping requirements, the Securities and Exchange Commission adopted amendments to the electronic recordkeeping requirements for broker-dealers, security-based swap dealers (“SBSDs”), and major security-based swap participants (“MSBSPs”).
The amendments to SEC rule 17a-4, under SEC 18a-6, modernize recordkeeping requirements and are adaptable to new technologies in electronic recordkeeping. The amendments will also facilitate examinations of broker-dealers, SBSDs, and MSBSPs.
The update, found under SEC 18a-6, was issued on October 12, 2022 and will go into effect 60 days later.
The amendments to SEC rule 17a-4 modify requirements regarding the maintenance and preservation of electronic records, the use of third-party recordkeeping services to hold records, and the prompt production of records. Review the amendments to SEC rule 17a-4 in more detail below:
The new SEC 17a-4 rules require a revised undertaking that may be prepared by either a Designated Third Party (D3P) or a Designated Executive Officer (DEO) who is in senior management. The requirements of the undertaking are demanding and require access and the ability to provide records maintained and preserved on the electronic recordkeeping system. This includes knowledge not only of all repositories containing covered records but also passwords, credentials, and other information required to access such records and, if applicable, audit trails for such records.
The requirements of the rule will need to be actively managed in terms of monitoring the technical requirements to access records and key personnel on the DEO’s team. Accordingly, insourcing the D3P function and being responsible for compliance is no small matter, especially since senior officers of the firm must focus on pressing business requirements.
Firms must seriously consider if this is a recordkeeping requirement they want to manage.
Does it make sense to insource this function, or to continue to keep it in the hands of the experts?
If you are the person who is called upon to be the Designated Executive Officer (DEO) for your firm, you are taking on the burden of actively managing and monitoring the technical requirements to access records, as well as ensuring there are backup specialists on your team if you are out. In short, you are on the hook for compliance.
The challenge for the DEO is creating their own version of an internal D3P service. Importantly, mechanisms with the new rule point to a high expectation from the SEC that such a team has robust technical capabilities to provide timely access to records and employ redundancy with multiple technical resources if needed. For instance, due to the scope of the new rules access requirements, the DEO may rely on up to three designated specialists with the requisite knowledge to access records. Such specialists must report directly or indirectly to the DEO.
Despite the option to rely on these specialists, the DEO is nevertheless “at all times responsible for fulfilling the obligations set forth in the undertakings” which means the DEO is responsible for the success of their team. In addition, the DEO may appoint up to two designated officers to stand in for the DEO if the DEO is unavailable to fulfill their obligations. Such designated officers must also report directly or indirectly to the DEO.
One thing that has not changed in SEC rule 17a-4 is the requirement for a Letter of Undertaking. The Letter of Undertaking is filed by the Broker-Dealer with the regulators through the EDGAR upload and details the system and entity covered.
If you handle compliance with SEC Rule 17a-4 in-house (18a-6 for in-house), you’ll be responsible for the Letter of Undertaking. If you outsource this function to a Designated Third Party, the D3P will provide and sign this letter in which it represents that it will access the records at the request of the Commission.
The final amendments to SEC rule 17a-4 will become effective 60 days after they are published in the Federal Register. The compliance dates for the new requirements will be six months after publication in the Federal Register for broker-dealers and 12 months after publication in the Federal Register for SBSDs and MSBSPs.
In our view, this is a vote of confidence for the Designated Third Party (D3P) requirement. Instead of eliminating it as proposed, the role of the D3P has been expanded to serve regulatory requirements for SBS entities as well as broker-dealers.
Historically, even with the help of Designated Third Parties under the existing rule, a surprising number of firms have struggled with the comparatively minimal internal requirements for compliance. Firms choosing the Designated Executive Officer option will have even more responsibility, which risks noncompliance with the requirements of the new rules.
Fortunately, the D3P option provides a means to definitively address these requirements through a team of specialists with the knowledge and expertise required to meet the obligations of the new rule without creating additional internal burdens.
Our comprehensive 17a-4 D3P Compliance service is available for all types of electronic records. It offers compliance for an extraordinarily broad range of document management applications, including client-server to mainframe systems.