SEC & FINRA Compliance

SEC and FINRA regulations

The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA – created in July 2007 through the consolidation of the NASD and the regulation, enforcement and arbitration functions of the New York Stock Exchange) are regulatory agencies for the financial services industry. Member firms need message storage, retrieval and surveillance solutions in place to comply with a number of regulatory guidelines, several of which overlap and/or reinforce each other, including: SEC 17a-3 and 17a-4, NASD 3010 and 3110, NYSE 342, 440 & 442 and SEC RIA 204-2 and 206(4)-7.

Highlights of these rules include:
  • Firms must preserve electronic business records and retain them for a 3-6 year retention period. (SEC 17a-4)
  • Messages must be stored in their original form on tamperproof, non-rewriteable and non-erasable media and must be stored in duplicate in separate locations. (SEC 17a-4)
  • Archived messages must be time/date stamped and serialized. Messages must be indexed and searchable. (SEC Rule 17a-4)
  • Firms must have an auditing system in place and store audit records. (SEC 17a-4)
  • Firms must appoint an independent third party downloader to access the organization’s electronic records, if the firm is unable or unwilling to do so. (SEC 17a-4)
  • Policy and procedures should be in place to supervise, review and sample registered representatives’ electronic communication. Supervisors must have the ability to review outgoing email for noncompliant language. (NASD 3010)
  • Firms need to be able to show that supervisory procedures are being enforced with documented records. (NASD 3010)

The Smarsh Solution

Developing messaging-compliance solutions for the financial services industry is where it all started for Smarsh, and in parallel, where the email archiving service industry had its initial flux of activity.

Eliminating compliance loopholes and adding functionality became essential because SEC and FINRA regulatory audits for our growing customer base were commonplace and the price for noncompliance is high. Traders on the floor of the New York Stock Exchange, where immediate results are expected, needed our services to operate with high reliability. Investment advisors, handling private client information and their clients’ financial investments, needed message and infrastructural security to be a paramount priority.

Smarsh customers are prepared with the necessary tools to meet regulatory obligations. Solutions are bolstered by a commitment to detail, eliminating potential compliance risks and offering peace of mind.

The Smarsh Management Console

As part of our full-service offering, your privacy and/or security official(s) or system administrator will have access to our web-based toolkit. The Smarsh management console allows companies to facilitate their need for both retrieval and surveillance of their archive. The enhanced search capabilities coupled with our hierarchy functionality make it easy for companies of any size to review their internal and external electronic communication.

In addition:
  • The management console can flag messages by set criteria and search by individual or multiple fields (using Boolean "and/or" logic). Fields include: date range, sender, recipient, subject, body text, and header fields (i.e. servers and other technical/forensic fields). Messages can also be searched by attachment names, contents and file types.
  • The tool is capable of saving selected search criteria, a useful best practice in establishing supervisory policy.
  • An auto-scan functionality allows for a continuous search for selected keywords.
  • The tool easily tracks chains of emails from multiple individuals using customized criteria.

Message Integrity

Incoming, outgoing and internal messages are instantly captured by the Smarsh mail server to ensure that any message sent or delivered by the customer’s users will be archived and processed by Smarsh software. Messages are then:

  • Scanned for keyword, phrase or rule (established by the customer) violations.
  • Indexed using a full-text index/catalog to permit searches in the Smarsh management console.
  • Archived to redundant WORM (write-once read-many) storage.
  • Replicated to remote Smarsh datacenters.

Working copies of attachments and email files are also stored to a file server to facilitate immediate access and searchability.

Archive Availability & Retrievability

Your messages are ALWAYS readily accessible - they never go offline unless a specified retention period is indicated. Archived emails can be retrieved using the Smarsh management console. Once the desired email(s) have been identified in the archive search, they can be immediately viewed online, downloaded directly to a PC, or burned to a CD/DVD. A client can always make a request to the Smarsh support team to supply requested information.

Reporting Center

All messages are time-stamped, serialized and indexed in the Smarsh archive database, and all administrator actions within the Smarsh management console are documented as evidence of supervisory policy in practice.

The Smarsh management console allows users to generate hundreds of reports that can be completely customized over a dozen tracking systems. Administrators can produce useful and necessary information to assist during both internal and regulatory audits and/or investigations.

Example uses of the reporting center include:
  • Review historic searches by compliance/legal department.
  • Demonstrate email supervision and fulfillment of corporate policy.
  • Identify "worst" (biggest risk) email senders.
  • Identify highest risk emails (compliance, legal, HR).
  • Identify most common violations in messages.
  • General email usage (number of messages, size of archive).
  • Ensure end-users are using corporate email addresses.

Third Party Downloader

As part of our email archiving service, Smarsh will produce the documentation signifying that it serves as an independent third-party downloader that can produce a client’s electronic records for the SEC, if the firm is unable or unwilling to do so.