How SOX, FINRA, and Financial Compliance Impact Data Backup and Retention

Public companies and financial organizations face many compliance requirements driven by external regulations or internal policies. These have far-reaching impacts on IT's data management and record retention strategies.

To meet these mandates, publicly traded companies, their audit firms, wealth management firms and brokers need to keep abreast of requirements while minimizing the impact on DataOps and DevOps. The following delves into some of these data management challenges.

[Download our financial and privacy compliance guide.]

Data and Record Retention for Corporations and Auditors, Sarbanes-Oxley (SOX) Act Compliance

Not a new regulation but one that changed how businesses operate, SOX was enacted in 2002 in the aftermath of Enron and many other financial scandals of the era. The scandals called into question how much investors could trust companies and their independent auditors. The act sought to reinstill this trust.

The impact on IT groups? IT leaders of the day were challenged with reimagining their systems to meet the new controls and record retention requirements. Like any major regulatory change, the murmurs of the day centered on the cost and resources needed to implement the changes for both corporations and independent audit firms. What follows are a few ways that the regulations impact data management and record retention.

For corporations, sections 103 and 104 require companies to retain records related to audits of their financial statements for seven years. SOX section 404 requires companies to retain records that support their annual internal control report.

For auditors, section 802 requires them to keep records for seven years after concluding an audit or review. What type of records? Work papers and other documents that formed the basis of the audit or review, plus memorandums, correspondence, communications, other documents, and records (including electronic records) should be retained.

What are the fines? Download our guide.

Data and Record Retention for Wealth Management Firms

Wealth management firms that manage over $110 million in client assets need to adhere to SEC rules for record management and retention. Those under that threshold need to consider their state's rules, unless they are in New York or Wyoming. What follows is a summary of some essential data and record retention rules.

Most records need to be retained for at least 5 years, with at least the 2 most recent years located in the adviser's office (see Title 17 CFR Part 275.204-2). The types of records that need to be retained are extensive, including customer records, advisor records, financial and transactional records, agreements, communications, and promotional materials. As technology has advanced, even communication through SaaS apps such as chat is in scope.

How do SaaS chat apps impact data retention? Download our guide.

Data and Record Retention for Financial Dealers and Brokers

FINRA is the organization responsible for supervising broker-dealers and is itself overseen by the SEC. FINRA also adopts rules that supplement those of the SEC, including data and record retention rules.

Like wealth management firms, broker and dealer firms need to retain records for at least 6 years and need to have the last 2 years of records "easily accessible," with some exceptions. Generally, daily records and financial ledgers need to be retained for 6 years, while some records, such as memorandums, only need to be kept for 3 years (see Title 17 CFR Part 240.17a).

How does FINRA impact business continuity plans?

Download our financial and privacy guide.
