The Bottom Line on Archiving Online Communications Under SEC Rules 17a-3 and 17a-4

April 15 2020

If you’re in the financial services industry, you’ve got a lot on your plate. You’re researching investments, advising customers, marketing your business, and maintaining strict compliance with a veritable alphabet soup of regulations.

Or are you?

Under Securities and Exchange Commission (SEC) Rules 17a-3 and 17a-4, brokers and dealers are required to maintain archives of a host of information, including communications with the public. The wrinkle is that those communications are increasingly happening online—and legacy web archiving solutions may not capture them all. 

Here’s the bottom line on what you need to know about archiving your online communications to maintain compliance with SEC Rules 17a-3 and 17a-4. 


Who Must Comply With These Rules?

If you’re engaged in trading securities—whether as a broker or a dealer—or associated with such a business, you’re subject to the SEC’s requirements. 


Why Do You Need to Comply With SEC Rules 17a-3 and 17a-4?

There are two reasons to comply with the recordkeeping requirements of SEC Rules 17a-3 and 17a-4. The first, of course, is to avoid penalties. The Financial Industry Regulatory Authority (FINRA) investigates and penalizes firms that fail to maintain proper records.

But there’s a bigger reason to maintain careful records: it’s how you prove that you’re in compliance with all of your regulatory obligations. As FINRA noted in its report of one complaint—not yet substantiated or finalized—the firm in question “failed to produce documents and information requested by FINRA that were material to its investigation of the firm.”

If you don’t have records, you don’t have any way to defend yourself against an allegation. 


What Does It Take to Comply With the SEC’s Recordkeeping Rules?

SEC Rule 17a-3 enumerates a wide range of information that exchange members, brokers, and dealers must make and keep records of, from blotters and transactions to memoranda detailing instructions for any purchases or sales of securities. Rule 17a-4 mandates that those records should be kept for not less than three to six years, depending on the type of record, and dictates the way in which required records can be maintained. 

The records that brokers and dealers must keep include any and all “communications with the public” “relating to [their] business as such.” Online communications, including those on social media, are explicitly subject to FINRA’s general rules on communicating with the public. That means that financial services firms need to retain records of all of their online communications about anything that qualifies as “business as such,” just as they would retain records of communications that happened over more traditional modalities. FINRA has further noted that the definition of “business as such” should be based on the content of the communication itself, not on “the type of device or technology used” to convey the message. 

FINRA’s Regulatory Notice 17-18, Social Media and Digital Communications, clarifies that online and social media content is subject to the usual rules requiring disclosures, guarantees of truthfulness and fairness, and supervision and monitoring of all business communications.


Where Are Those Business Communications With the Public Occurring?

Here’s where recordkeeping compliance gets complicated. 

You’re probably communicating about your “business as such”—whether that’s recommending investment strategies, explaining market changes, or marketing your services—on both your business website and your social media channels. Anywhere your marketing team is working, you need to be creating an archive. Regulatory Notice 17-18 specifically requires that “every firm that intends to communicate, or permit its associated persons to communicate, with regard to its business through” technological means “must first ensure that it can retain records of those communications as required” by the SEC Rules and FINRA Rule 4511.

That means you need to archive your business’s:

  • website, including any blogs; 
  • Facebook page; 
  • Twitter feed;
  • Instagram account; 
  • YouTube uploads; 
  • LinkedIn profile and posts; 
  • and any other social media or online communications platforms you use.


When Must You Archive Your Online Communications?

You must create an archive for every communication. That means that anytime you add or update any communication you have with the public about your business as such, you need to update your archive. For most firms, that requires daily archiving. 


How Should You Archive Your Online Communications?

There are two aspects to “how” you need to archive your online communications. First, you need to consider how you will capture your statements, especially those that are dynamic, interactive, and/or personalized. Second, you need to know how to store those archives to ensure compliance with the rule. 

How to Capture All of Your Online Content

With the increasing complexity and sophistication of the internet, online statements have become incredibly complicated. It’s no longer enough—if it ever was—to snap a screenshot of a webpage and pretend that captures its content. TIFF and PDF screengrabs miss content such as:

  • dynamic page elements including videos, GIFs, and image or text carousels; 
  • interactive elements such as dropdown menus, clickable links, and mouse- or hover-over text, which often includes disclosures and disclaimers; and
  • personalized content that varies depending on the visitor’s location, history with the page, or other criteria, as well as A/B testing variants for pages. 


Bear in mind that your archives must also capture the content of any linked pages. FINRA Regulatory Notice 17-18 states that a firm adopts content—thus becoming responsible for ensuring that it complies with regulatory demands—merely “by sharing or linking to [that] specific content.” To show what you linked to, your archives must extend beyond the main page of interest to capture related or linked pages as well.

To capture all of this content, you need, again, two things: 

  • a sophisticated web crawler that can identify and include new webpages, links, and personalized content; and 
  • a capture format that creates a fully functional replica website. 


To create a fully functional archive, we recommend using the WARC (Web ARChive) file format. It builds a replica website that allows all dynamic content to play, enables manipulation of interactive components, and captures linked pages and content. 


How to Store Your Archives to Ensure Compliance

Turning to the second point, how do you need to store your archives to maintain compliance? SEC Rule 17a-4(f) allows for records to be maintained and preserved on “electronic storage media,” so long as the media meet certain specific requirements. Electronic storage media must: 

1. preserve records exclusively in a non-rewritable, non-erasable format (commonly known as WORM, or “write once read many,” storage);

2. automatically verify the quality and accuracy of the recording process;

3. time-date stamp and serialize all captures; and 

4. be able to create downloads of indexes and records onto any other medium for regulatory compliance review. 

Using WORM storage ensures that the records you create cannot be manipulated in the future. Having the ability to change your archives at will would, naturally, defeat the very purpose of maintaining records intended to prove how you behaved in the past. 

Compliance with the second and third elements can be achieved by creating a hash value for each archive: a string of numbers that acts as a “digital fingerprint,” uniquely identifying a file or document. Once data has been “hashed,” or had its hash value calculated through a standard algorithm, any subsequent changes to the underlying data or file will change the hash value. In short, hash values are a simple, quick, cost-effective way to verify that an original dataset has not been modified.
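The hash check described above, as an added example that is not Hanzo's code or part of the original post: each capture gets a serial number, a timestamp, and a SHA-256 hash, and the sketch goes one step beyond the text by chaining each ledger entry to the previous one so that edits to the ledger itself are also detected. The ledger layout, field names, and file names are assumptions, and the capture bytes are constructed samples.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the digest itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_capture(ledger: list, name: str, content: bytes, captured_at: str) -> dict:
    """Record one capture with a serial number, timestamp, and content hash."""
    entry = {
        "serial": len(ledger) + 1,
        "captured_at": captured_at,
        "name": name,
        "content_sha256": sha256_hex(content),
        "prev_entry_hash": ledger[-1]["entry_hash"] if ledger else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    ledger.append(entry)
    return entry

def verify(ledger: list, stored: dict) -> list:
    """Return a list of problems; an empty list means everything checks out."""
    problems, prev = [], GENESIS
    for position, entry in enumerate(ledger, start=1):
        if entry["serial"] != position:
            problems.append(f"serial gap at position {position}")
        if entry["prev_entry_hash"] != prev:
            problems.append(f"serial {position}: chain broken")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"serial {position}: ledger entry altered")
        content = stored.get(entry["name"])
        if content is None:
            problems.append(f"serial {position}: capture missing")
        elif sha256_hex(content) != entry["content_sha256"]:
            problems.append(f"serial {position}: capture content changed")
        prev = entry["entry_hash"]
    return problems

def build_sample():
    """Constructed sample: two daily captures of a firm's website."""
    stored = {"site-day1.warc": b"WARC/1.0 homepage with disclosure text",
              "site-day2.warc": b"WARC/1.0 homepage with new blog post"}
    ledger = []
    append_capture(ledger, "site-day1.warc", stored["site-day1.warc"], "2020-04-14T00:00:00Z")
    append_capture(ledger, "site-day2.warc", stored["site-day2.warc"], "2020-04-15T00:00:00Z")
    return ledger, stored
```

A hash ledger like this only detects modification after the fact; preventing it is the job of the WORM storage in the first requirement.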

Here’s the bottom line: if you’re in the financial services industry, you need to ensure that you’re archiving all of your online communications with the public relating to your business as such. Those archives must go everywhere you do—from your business’s website to any social media platforms you use—and capture everything you say, no matter how complex, dynamic, interactive, or personalized your marketing team gets. And those archives must be stored in a permanent, verified storage medium. 

Get in touch to learn how Hanzo can help. Or for a more detailed examination of recordkeeping compliance, check out our earlier blog about Rule 17a-4.

