When it comes to ensuring that financial data is secure and compliant with applicable regulations, understanding the various regulatory bodies and their impact on your organization is an essential first step.
Two of the most frequently encountered financial regulatory regimes are FINRA and SOX (both of which fall under the jurisdiction of the SEC). Let’s take a look at some of the compliance guidelines for each of them.
The Financial Industry Regulatory Authority (FINRA) is a not-for-profit self-regulatory organization covering the securities industry and the New York Stock Exchange, and is overseen by the Securities and Exchange Commission (SEC). Its purpose is to monitor and regulate securities dealers and brokerage firms, deter misconduct and ensure fair financial markets.
One of the many aspects of FINRA compliance relates to electronic storage media (ESM). According to FINRA rules, the selected ESM must:
- Keep recordings exclusively in a non-rewritable and non-erasable format
- Automatically verify the quality and accuracy of the storage media recording process
- Serialize the original and, if applicable, duplicate units of the storage medium, and record the dates and times of the required retention period for the information stored on them
- Have the ability to easily download stored records and indexes
- Include an audit system identifying when original and duplicate records are entered and when changes are made to existing records, and retain audit results for review by SEC staff.
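The five ESM properties above map directly onto a storage design: a store with no rewrite path, read-back verification of every write, serial numbers with retention dates, an exportable index, and an audit log of entries and rejected changes. The following is an added illustration written for this page, not code from FINRA or from any archiving vendor; the class, method names, the three-year default retention and the sample message are all constructed assumptions, and the `simulate_media_fault` hook exists only to show the verification step catching a corrupted unit.

```python
"""Constructed example: an append-only (WORM-style) archive with read-back
verification, serial numbers, retention dates, an exportable index and an
audit trail. Illustrative only; it is not a certified electronic storage medium."""
from __future__ import annotations

import datetime as dt
import hashlib
from dataclasses import dataclass


class ArchiveError(Exception):
    """Raised when a write cannot be verified or a rewrite is attempted."""


@dataclass(frozen=True)  # frozen: a stored unit cannot be mutated in place
class Record:
    serial: int        # unique serial number of the stored unit
    stored_at: str     # ISO-8601 UTC timestamp of entry
    retain_until: str  # end of the required retention period
    sha256: str        # content digest used for read-back verification
    body: bytes


def retention_end(when: dt.datetime, years: int) -> dt.datetime:
    """Calendar-correct year arithmetic (a 29 Feb start lands on 28 Feb)."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


class WormArchive:
    """Write-once store: there is deliberately no update or delete method."""

    def __init__(self, retention_years: int = 3):  # 3 years mirrors the rule quoted on this page
        self._records: dict[int, Record] = {}
        self._audit: list[dict] = []  # only ever appended to
        self._retention_years = retention_years
        self._next_serial = 1

    def _log(self, event: str, **fields) -> None:
        entry = {"ts": dt.datetime.now(dt.timezone.utc).isoformat(), "event": event}
        entry.update(fields)
        self._audit.append(entry)

    def store(self, body: bytes, received_at: dt.datetime | None = None) -> int:
        """Record a communication and return its serial number."""
        now = received_at or dt.datetime.now(dt.timezone.utc)
        serial = self._next_serial
        digest = hashlib.sha256(body).hexdigest()
        until = retention_end(now, self._retention_years).isoformat()
        self._records[serial] = Record(serial, now.isoformat(), until, digest, bytes(body))
        self._next_serial += 1
        # Automatic verification of the recording: read the unit back and
        # compare its digest with the digest of what we intended to write.
        if hashlib.sha256(self._records[serial].body).hexdigest() != digest:
            self._log("write_verify_failed", serial=serial)
            raise ArchiveError(f"record {serial} failed read-back verification")
        self._log("record_entered", serial=serial, sha256=digest)
        return serial

    def attempt_rewrite(self, serial: int, body: bytes) -> None:
        """Any attempt to change an existing unit is refused and audited."""
        self._log("rewrite_rejected", serial=serial,
                  sha256=hashlib.sha256(body).hexdigest())
        raise ArchiveError(f"record {serial} is non-rewritable")

    def verify_all(self) -> dict[int, bool]:
        """Periodic integrity check of every stored unit against its digest."""
        results = {}
        for serial, rec in self._records.items():
            ok = hashlib.sha256(rec.body).hexdigest() == rec.sha256
            results[serial] = ok
            if not ok:
                self._log("verify_failed", serial=serial)
        self._log("verify_run", checked=len(results),
                  failed=sum(1 for ok in results.values() if not ok))
        return results

    def export_index(self) -> list[dict]:
        """Downloadable index of all units: serial, dates and digest, no bodies."""
        return [{k: v for k, v in vars(r).items() if k != "body"}
                for r in self._records.values()]

    def audit_trail(self) -> list[dict]:
        return list(self._audit)  # a copy, so callers cannot edit the log

    def simulate_media_fault(self, serial: int) -> None:
        """Test hook only: models bit-rot on the medium, bypassing the API."""
        rec = self._records[serial]
        self._records[serial] = Record(rec.serial, rec.stored_at, rec.retain_until,
                                       rec.sha256, rec.body + b"\x00")


if __name__ == "__main__":
    archive = WormArchive()
    # Constructed sample message; not a real communication.
    archive.store(b"From: trader@example.invalid\nSubject: order confirmation\n")
    print(archive.verify_all())
    print(archive.export_index())
    print(archive.audit_trail())
```

The point of the structure is that the only way to get data in is `store`, which verifies its own write, and the only way to touch an existing unit, `attempt_rewrite`, fails loudly and leaves an audit entry; `verify_all` is what a scheduled integrity job would call, and a unit that fails it is reported rather than silently "repaired".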
FINRA also has compliance rules regarding electronic communications. According to FINRA rules:
- A broker-dealer must retain originals of all communications received (including all electronic communications) and copies of all communications sent by the broker-dealer relating to its business for at least three years, the first two years in an easily accessible place
- FINRA’s rules cover both external and internal electronic communications relating to business activities and apply equally whether the electronic communication was received or sent through a platform or system operated by a member or by a third party.
- FINRA and SEC rules do not prohibit the use of non-business e-mail or e-mail systems or accounts to conduct business activities, so long as the company captures and retains communications as it would with emails or other communications from its own system or account.
- Firms may not authorize the use of any type of electronic communication if they are unable to meet the record keeping requirements applicable to that particular type of electronic communication.
The Sarbanes-Oxley Act of 2002 (SOX) was created in response to the major accounting scandals of the early 2000s at Enron, Tyco and WorldCom, to protect investors from fraudulent corporate accounting activities.
SOX mandates corporate financial disclosure to prevent accounting fraud. It also covers issues such as auditor independence, corporate governance, internal control assessment and improving financial disclosure.
Sarbanes-Oxley affects all public companies in the United States, as well as their wholly-owned subsidiaries and publicly traded foreign companies doing business in the United States. SOX also regulates accounting firms that perform audits for any US public company.
Some of the requirements for keeping electronic records under SOX are:
- Corporate responsibility for financial reporting – Every public company is required to file periodic financial reports with the SEC, and the CEO and CFO must sign each report to attest to its accuracy.
- Management’s assessment of internal controls – All annual financial reports must include an internal control report stating that management is responsible for an “adequate” internal control structure. In addition, registered external auditors must attest to the accuracy of management’s assertion that internal accounting controls are in place, operating and effective.
- Real-time issuer disclosures – Companies are required to disclose to the public in a timely manner any material change in the financial condition or operations of the company, in the interest of protecting investors and the public.
Penalties and fines under FINRA and SOX
The consequences of non-compliance with FINRA and SOX regulations can be quite significant.
FINRA applies aggressive penalties to deter misconduct, with more than $100 million in compliance penalties imposed each year. FINRA can also order suspensions or permanently ban people from working in the financial industry.
Penalties for violating SOX are extremely strict and can be criminal. For certifying a misleading or fraudulent financial report, or for knowingly altering, destroying or otherwise falsifying any record, document or tangible object with the intent to impede, obstruct or influence an investigation, penalties can reach fines of up to $5 million and up to 20 years in prison.
Since the Sarbanes-Oxley Act and the Dodd-Frank Act of 2010 both require companies to maintain a zero-tolerance policy for retaliation against whistleblowers, the most recent rulings concern the protection of whistleblowers.
According to a source, “The fourth quarter of 2020 alone saw approximately $176 million in whistleblower awards… partly due to a single whistleblower award of $114 million awarded on October 22, 2020,” in which “the SEC called the whistleblower’s actions ‘extraordinary’ and noted that the whistleblower ‘has suffered serious personal and professional hardship’ resulting from the writing of a report.”
This represents a 35% increase in tips, complaints and referrals for investigation in the second quarter of 2020 compared to the same period in 2019, due to increased enforcement actions and sanctions from the SEC. This means that SEC-regulated organizations must re-evaluate their compliance programs to ensure strong anti-retaliation policies.
Enterprise Information Archiving Solutions
With so much at stake, it’s clear that any organization that needs to comply with FINRA, SOX or other regulations regarding the retention of corporate data and communications should have an information archiving solution that can properly store, manage, access and audit all required data in a manner that fulfills compliance obligations, while providing a defensible record that protects both the organization and whistleblowers in the event of a complaint.