Industry trade groups told the Securities and Exchange Commission Tuesday to update its broker-dealer electronic retention Rule 17a-4 by eliminating an outdated recordkeeping requirement known as WORM (write once, read many).
The trade groups — which include the Financial Services Institute, the Securities Industry and Financial Markets Association and the Financial Services Roundtable — proposed “a rigorous retention standard that is technology-neutral and consistent with current business record management principles.”
The amendments would also “harmonize the SEC rules with the correlating principles-based” Commodity Futures Trading Commission rules adopted in May, which eliminated the WORM standard and third-party downloader requirements from CFTC.
“The 20-year-old standards are outdated, costly and no longer effectively provide investor protections,” said Melissa MacGregor, SIFMA managing director and associate general counsel, in a statement.
“Updating the rule would align with the SEC’s fintech initiatives by fostering innovation and investor access to markets, as well as promoting the industry’s technological advancement and competitive opportunities,” MacGregor added. “In addition, harmonizing recordkeeping rules across the SEC and the CFTC would modernize electronic storage requirements.”
The groups argued in their letter to the SEC that WORM storage “is not an effective business continuity or cybersecurity defense tool because the nature of current complex records makes such use of the outdated technology impractical if not impossible.”
David Bellaire, vice president and general counsel for the Financial Services Institute, added in the joint statement that “technology is continually evolving. By updating this rule, the SEC would demonstrate they are responsive to these changes in technology that impact the industry.”
The updates, Bellaire continued, “would make the rule more effective and efficient in the current technological landscape and provide a solution to an issue FSI members have been facing for some time.”
A principles-based standard would enable broker-dealers “to adopt appropriate technology solutions for their customers’ needs, while ensuring regulators have prompt access to records,” added Felicia Smith, FSR vice president and senior counsel for regulatory affairs.
The groups also urged the SEC to eliminate a requirement to hire a third party who has the access and the ability to download information from a broker-dealer’s electronic storage system.
“This presents a serious cybersecurity threat, as any time a firm allows unfettered access to another entity, the cyber risk increases,” the groups said. “There are also privacy concerns about third-party access to customer data. Broker-dealers have internal resources to access their data whenever necessary, and are also registered entities that are required to provide information to regulators on demand, making paying a third party costly and redundant.”
--- Check out SEC Shows Off Cybersecurity Muscle Following EDGAR Breach on ThinkAdvisor.