The Financial Industry Regulatory Authority (FINRA) announced recently that it fined a leading online brokerage firm $2.6 million for failing to retain a large number of securities-related electronic records in the required format, and for failing to retain certain categories of outgoing emails.
According to many industry articles, including reports in MarketWatch:
- The firm also did not have a reasonable supervisory system in place to achieve compliance with certain Securities and Exchange Commission (SEC) and FINRA books and records rules, which contributed to its record-retention failures.
- Federal securities laws and FINRA rules require that business-related electronic records be kept in non-rewritable, non-erasable format (also referred to as "Write-Once, Read-Many" or "WORM" format) to prevent alteration. The SEC has stated that these requirements are an essential part of the investor protection function because a firm's books and records are the "primary means of monitoring compliance with applicable securities laws, including antifraud provisions and financial responsibility standards."
- FINRA found that from January 2011 to January 2014, the firm did not have centralized document-retention processes or procedures for all firm departments to follow.
- Further, no one at the firm was charged with responsibility for ensuring a consistent document-retention process, fully compliant with the record-retention rules, including the requirement that all records be retained in WORM format.
- Personnel in different departments of the firm saved certain documents to a restricted shared drive, which was not WORM-compliant. As a result, the firm failed to preserve a large number of key securities business electronic records in the required format.
- Over a related time frame, FINRA found that the firm also failed to copy more than 168 million outgoing emails to the firm's WORM storage device, resulting in the deletion of those emails. These emails were generated automatically by the firm's internal systems or by third-party vendors acting on the firm's behalf, and included items such as margin call notices, address change notifications and failed password attempt notifications.
- Brad Bennett, Executive Vice President and Chief of Enforcement, released the cautionary statement: "Firms must maintain sound supervisory systems and procedures to ensure the integrity, accuracy, and accessibility of electronic books and records."
- In concluding this settlement, the firm neither admitted nor denied the charges, but consented to the entry of FINRA's findings.
World According To GARP
What lesson can be learned from the tale of this online brokerage firm? The principles of information governance, known as the Generally Accepted Recordkeeping Principles®, or “the Principles”, are well-defined and well-understood by information governance and information management practitioners.
However, for some enterprises where the GARP maturity baseline is low, the Principles may seem overwhelming.
The Principles are grounded in practical experience and based on extensive consideration and analysis of legal doctrine and information theory.
They form the basis upon which every effective information governance program is built, measured, and – regardless of whether or not an organization or its personnel are aware of them – will one day be judged.
Therefore, it is in the best interest of all organizations to be fully aware of the Principles and to manage records and information assets in accordance with them.