When it comes to making sure financial data is safe and meets compliance regulations, understanding the different regulatory bodies and how they affect your organization is a vital first step.
Two of the most common financial regulatory bodies are FINRA and SOX (both of which fall under the purview of the SEC). Let’s take a look at some of the compliance guidelines for each of them.
The Financial Industry Regulatory Authority (FINRA) is a non-profit self-regulatory organization covering the securities industry and the New York Stock Exchange, and is overseen by the Securities Exchange Commission (SEC), and its objective is to monitor and regulate stockbrokers and brokerage firms, deter misconduct, and ensure fair financial markets.
One of the many aspects of FINRA compliance is regarding Electronic Storage Media (ESM). Under FINRA rules, the selected ESM must:
- Preserve records exclusively in a non-rewriteable, non-erasable format
- Automatically verify the quality and accuracy of the storage media recording process
- Serialize the original and, if applicable, duplicate units of the storage media and also time-dates for the required retention period the information stored on it
- Have the capacity to readily download stored records and indexes
- Include an audit system identifying when original and duplicate records are input, when any changes to existing records are made, and must retain the audit results for examination by SEC staff.
FINRA also has compliance rules regarding electronic communications. Under FINRA rules:
- A broker-dealer must retain originals of all communications received (including all electronic communications) and copies of all communications sent by the broker-dealer relating to its business for at least three years, the first two years in an easily accessible place
- FINRA rules cover both external and internal electronic communications relating to the firm's business and equally apply whether the electronic communication was received or sent through a member’s or a third-party's platform or system
- FINRA and SEC rules do not prohibit the use of non-firm email or messaging systems or accounts to conduct firm business provided the firm captures and retains the communications as it would with emails or other communications emanating from its own system or account
- Firms may not permit the use of any type of electronic communication if they are unable to satisfy the applicable recordkeeping requirements with respect to that particular type of electronic communication
The Sarbanes-Oxley Act of 2002 (SOX) was created in response to major accounting scandals in the early 2000’s by Enron, Tyco, and WorldCom to protect investors from fraudulent accounting activities by corporations.
SOX mandates financial disclosures from corporations to prevent accounting fraud. It also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.
Sarbanes-Oxley affects all public companies in the United States, as well as their wholly-owned subsidiaries and publicly traded foreign companies conducting business in the U.S. SOX also regulates accounting firms that perform audits for any U.S. public company.
Some of the requirements regarding electronic recordkeeping under SOX are:
Corporate Responsibility for Financial Reports – Every public company is required to file periodic financial reports with the SEC, and the principal executive officer and the principal financial officer must sign each report to validate its veracity.
Management Assessment of Internal Controls – All annual financial reports must include an Internal Control Report stating that management is responsible for an “adequate” internal control structure. In addition, registered external auditors must attest to the accuracy of management’s assertion that internal accounting controls are in place, operational, and effective.
Real-Time Issuer Disclosures – Companies are required to disclose to the public in a timely manner any material changes in the financial condition or operations of the company in the interest of protecting investors and the public.
Penalties and Fines Under FINRA and SOX
Failure to comply with FINRA and Sox regulations can be quite extensive.
FINRA aggressively applies penalties to deter misconduct, with more than $100 million in compliance penalties given each year. FINRA can also order suspensions or permanently bar individuals from working in the financial industry.
The punishments for violation of SOX are extremely strict and viewed as criminal. For certifying a misleading or fraudulent financial report or knowingly altering, destroying, or in any other way falsifying any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation, fines can be upwards of $5 million with up to 20 years in prison.
Because both the Sarbanes-Oxley Act and the Dodd-Frank act of 2010 both require companies to maintain a zero-tolerance policy for retaliation against whistleblowers, the most recent rulings involve the protection of whistleblowers.
According to one source, “The fourth quarter of 2020 alone saw approximately $176 million in whistleblower awards…driven in part by a single $114 million whistleblower award issued on October 22, 2020” in which “the SEC characterized the whistleblower's actions as ‘extraordinary’ and noted that the whistleblower ‘suffered serious personal and professional hardships’ that resulted from making a report.”
This marks a 35% increase in tips, complaints, and referrals for investigation in Q2 of 2020 than during the same period in 2019, led by increased SEC enforcement actions and penalties. This means SEC-regulated organizations should reevaluate their compliance programs to ensure strong anti-retaliation policies.
Enterprise Information Archiving Solutions
With this much at stake, it’s clear why any organization which must comply with FINRA, SOX, or other regulations regarding enterprise data and communications retention should have an Enterprise Information Archiving solution to properly store, manage, access, and audit all required data in a way that fulfills compliance obligations while providing defensible archives to protect both the organization and whistleblowers alike, should a complaint arise.
To learn more about how EIA can help with your compliance needs download our latest guide: Enterprise Information Archiving in the Digital Age: A Guide to Satisfying Regulatory Bodies Like FINRA, HIPAA, FDA & More