Books and records

What are books and records?

Books and records are the required business records financial firms must create and retain to document financial, operational, and compliance activity, as mandated by SEC Rules 17a-3 and 17a-4 and FINRA rules.

In practice, books and records (often referred to as regulatory recordkeeping requirements) cover a wide range of information used to demonstrate how a firm conducts business, supervises employees, and manages clients. Examples include:

  • Financial records: General ledgers and accounting records
  • Trade documentation: Trade blotters and order tickets
  • Customer records: Customer account documentation
  • Digital communications: Business-related emails, instant messages, collaboration chats, and other communications
  • Supervisory evidence: Supervisory approvals and exception reports
  • Compliance documentation: Policies, procedures, and compliance certifications

The regulatory foundation comes from:

Why books and records matter

Accurate books and records are more than a regulatory requirement; they are essential to maintaining trust and integrity across the financial system. Proper recordkeeping:

  • Enables efficiency: Supports seamless SEC and FINRA exams, audits, and routine inspections
  • Supports transparency: Preserves the audit trail necessary for trusted market operations
  • Helps detect misconduct: Helps identify financial and non-financial risks, including fraud, misrepresentation, and off-channel communications
  • Provides evidence: Serves as critical documentation during investigations, enforcement actions, or litigation

When records are missing, incomplete, or improperly retained, firms can face significant regulatory and reputational risk.

Regulatory framework

SEC and FINRA requirements

Broker-dealers must comply with a detailed set of rules governing the creation, retention, and accessibility of books and records:

  • SEC Exchange Act Rule 17a-3: Specifies required records (e.g., trade tickets, customer information, account statements, business-related communications)
  • SEC Exchange Act Rule 17a-4: Outlines retention periods (most commonly 3–6 years), format requirements, and accessibility standards
  • FINRA Rule 4511: Requires firms to maintain “legible, true, and complete” records and retain them for the timeframes specified in SEC rules
  • FINRA Rules 3110 and 3120: Establish supervisory systems, testing, and verification that depend on accurate, accessible records


Electronic recordkeeping systems (ERS)

Most modern books and records are stored electronically, and SEC Rule 17a-4(f) outlines specific requirements for electronic recordkeeping systems. Core components include:

  • WORM storage: Traditional “Write Once, Read Many” format that preserves records in a non-rewriteable, non-erasable format to prevent tampering
  • Audit trail alternatives: Systems that maintain a complete, time-stamped log of all access and modifications to allow for the reconstruction of the original record
  • Redundant storage for resiliency and disaster recovery
  • Immediate and reliable accessibility for regulators

Firms must also appoint a designated executive officer (DEO) or engage a designated third party (D3P) that can deliver records to regulators upon request.

Outsourcing and third-party providers

Firms may outsource recordkeeping functions, but they cannot outsource responsibility. Per FINRA Regulatory Notice 21-29, firms must:

  • Perform rigorous due diligence on vendors
  • Ensure systems provide data integrity, auditability, and cybersecurity
  • Guarantee regulators can obtain records promptly, regardless of vendor involvement

Books and records across sectors

Books and records requirements apply broadly across financial and public sector organizations:

  • Investment advisers must follow Rule 204-2 under the Investment Advisers Act.
  • Banks must follow GLBA and other prudential rules requiring secure retention and customer data protection.
  • Public sector organizations, such as state and municipal agencies, must meet specific recordkeeping and “open records” (Sunshine) laws.


Common challenges and risks

Modern books and records compliance presents several recurring challenges:

  • Off-channel communications
    Business conducted on messaging apps, collaboration tools, or other emerging technologies may go uncaptured, creating regulatory and supervisory risk.
  • Multi-channel data complexity
    Firms must preserve business records across numerous platforms while maintaining complete, auditable context.
  • Legacy system constraints
    Older archiving systems may lack scalability, searchability, or timely access required by regulators.
  • Supervisory limitations
    Manual review processes can struggle to keep pace with growing data volumes, increasing the risk of missed issues.

Failure to meet retention, supervision, or accessibility requirements can result in regulatory action, financial penalties, and reputational damage.

Best practices for books and records compliance

To maintain compliant books and records, firms should:

  • Establish clear, documented record retention schedules
  • Ensure your archiving system meets the updated SEC 17a-4(f) standards for WORM or audit trails
  • Conduct regular audits, testing, and supervisory reviews
  • Train employees on approved communication channels
  • Implement coordinated governance between compliance, legal, and IT teams

Quick compliance guide:

  • Keep a complete inventory of required record types
  • Verify retention periods (three to six years depending on rule)
  • Ensure immutability and audit trails for electronic records
  • Validate DEO/D3P requirements
  • Test retrieval capability to meet regulator deadlines

How Smarsh supports books and records compliance

Built for regulated industries, Smarsh captures, stores, and monitors communications across mobile, voice, email, AI, video, chat, and more — at scale. Smarsh helps firms meet SEC and FINRA books and records requirements by supporting the full lifecycle of regulated records.

  • Unified capture across mobile, voice, email, AI, video, chat, and collaboration tools to reduce off-channel risk
  • Immutable, compliant retention with SEC 17a-4–compliant archives, audit trails, and long-term storage
  • AI-powered supervision and review to support FINRA supervisory obligations and surface risk
  • Regulator-ready access with centralized search, rapid retrieval, and defensible production
  • Scalable cloud platform that adapts as communication channels and regulations evolve

