What is FINRA Compliance?
FINRA Record Retention Rules: What You Need to Do to Make Sure Your Data Retention is FINRA Compliant.
The financial sector is at high risk for cybercrime, fraud, and scams. The 2024 PWC Global Economic Crime survey says about financial fraud: "Fraud, in all its forms, remains a persistent challenge." Research from Alloy concurs with PWC's findings. Alloy found that almost 60% of banks, FinTechs, and credit unions lost over $500,000 in direct fraud losses. In the USA, the FTC announced that losses due to investment scams would come in at more than $4.6 billion in 2023.
The Financial Industry Regulatory Authority (FINRA) handles the regulatory requirements of security firms and their representatives. FINRA's rules and guidance help prevent securities and investment fraud and protect personally identifiable information (PII) and financial data.
TitanHQ explains what FINRA is and how TitanHQ can help your organization meet FINRA compliance.
History of FINRA
In July 2007, the lawful formation of the Financial Industry Regulatory Authority (FINRA) was announced. FINRA was formed from a consolidation of the National Association of Securities Dealers (NASD) and the member regulation, enforcement, and arbitration operations of the New York Stock Exchange (NYSE). This non-governmental organization aimed to provide regulatory oversight of securities firms and registered representatives. FINRA thus became responsible for the rules, examination, enforcement, and arbitration of securities firms doing business with US citizens. FINRA's CEO, Mary L. Schapiro, said, "The creation of FINRA is the most significant modernization of the self-regulatory regime in decades."
In 2023, FINRA was responsible for regulating 3,298 securities firms and 628,392 registered securities representatives. FINRA processed 546 billion market events daily, prosecuted 623 insider trading and fraud cases, and suspended 257 individuals.
What are FINRA Regulatory Requirements?
FINRA provides a set of rules and guidance to protect investors and their investments. As part of this protective shield, FINRA sets out strict requirements for email retention and for protecting personally identifiable information (PII) and financial data. FINRA compliance rules expect financial institutions to retain covered electronic correspondence, prevent data loss and theft, ensure that access is authorized, and limit redundant storage so that data integrity is maintained.
FINRA rules are comprehensive and take into account all aspects of investor protection. Understandably, a key FINRA topic is "cybersecurity." FINRA rules are designed to address specific risks and discuss "related controls needed to protect customer and firm confidential data." FINRA cybersecurity rules highlight the following areas:
- In Case of a Disruptive Attack or Breach
- Common Cybersecurity Threats
- Events
- Reports
- Compliance Tools
- FINRA Cybersecurity Contact
Because the cybersecurity threat landscape is constantly changing, FINRA rules must reflect this, so changes to FINRA rules are ongoing. The current set of most pressing threats covered by the rules are:
- Phishing
- Imposter Websites
- Malware
- Customer Account Takeover (ATO)
- Firm Account Compromise or Takeover
- Fraudulent Wires or ACH Transactions
- Ransomware
- Distributed Denial-of-Service (“DDoS”) Attacks
- Vendor Breaches
Among the list of cybersecurity measures advised by FINRA are:
- Regular backups of email and attachments
- Identity and access control measures, including least privilege access
- Password protection
- Anti-malware
- Phishing prevention, including phishing simulations
- Multi-factor authentication (MFA)
- Security awareness training, including password hygiene
- Encryption during transfer and storage of PII and financial information
- Regular patching
What are FINRA Retention Requirements?
In 2022, Rule 17a-4 was amended to modify the requirements for the maintenance and preservation of electronic records, the use of third-party record-keeping services to hold records, and the prompt production of records. Records must be accurate, current, and detailed. The records typically include customer account information, communications such as emails and social media posts, and securities transactions. The new rule definition for electronic records is as follows:
"Firms may use an 'electronic record-keeping system' to maintain and preserve required records. An electronic record-keeping system is defined as a system that preserves records in a digital format that permits the records to be viewed and downloaded."
The retention rules require that a covered firm keep detailed audit records covering details such as amendments and the identity of individuals accessing and amending records. The audit trail capability is an alternative to the conventional WORM (write once, read many) format used for records.
Various other restrictions and requirements are placed on the record-keeping system, including the ability to "verify automatically the completeness and accuracy of the processes for storing and retaining records electronically." Other requirements cover:
- Redundancy capabilities to ensure access to the records
- Assurance of the authenticity and reliability of records, including backed-up emails
- Easy and accurate search and access capability
- Provision of records on request
- Retention periods for specific types of records are three to six years. A secondary consideration is that the records must be easily accessible in the first two years.
- Firms must have a business continuity plan to preserve records in case of business disruption or crisis.
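To make the audit-trail alternative concrete, here is a small model of it in Python. It is an added example, not code from the page or from TitanHQ, and it assumes a six-year retention window, a two-year easy-access window, and a hash chain as the mechanism for the automatic completeness and accuracy check; every amendment is appended with the amender's identity and timestamp, and the original record is always recoverable.

```python
import hashlib
import json
from datetime import datetime, timedelta

RETENTION_YEARS = 6    # assumed for the demo; the page gives three to six years
ACCESSIBLE_YEARS = 2   # records must be easily accessible in the first two years


def _chain_hash(prev_hash, body):
    """Hash of this entry bound to the previous entry's hash (a hash chain)."""
    payload = prev_hash + json.dumps(body, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditedRecord:
    """A record kept under the audit-trail alternative: every amendment is
    appended with the amender's identity and time; nothing is edited in place."""

    def __init__(self, record_id, content, actor, ts_iso):
        self.record_id = record_id
        self.history = []                      # append-only audit trail
        self._append("create", content, actor, ts_iso)

    def _append(self, action, content, actor, ts_iso):
        prev = self.history[-1]["hash"] if self.history else ""
        body = {"action": action, "content": content, "actor": actor, "ts": ts_iso}
        self.history.append(dict(body, hash=_chain_hash(prev, body)))

    def amend(self, content, actor, ts_iso):
        self._append("amend", content, actor, ts_iso)

    def current(self):
        return self.history[-1]["content"]

    def original(self):                        # the original is always recoverable
        return self.history[0]["content"]

    def amenders(self):                        # who changed the record, and when
        return [(e["actor"], e["ts"]) for e in self.history if e["action"] == "amend"]

    def verify(self):
        """Automatic completeness/accuracy check: recompute the whole hash chain."""
        prev = ""
        for e in self.history:
            body = {k: v for k, v in e.items() if k != "hash"}
            if _chain_hash(prev, body) != e["hash"]:
                return False                   # altered, reordered or missing entry
            prev = e["hash"]
        return True

    def retention_status(self, now_iso):
        age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(self.history[0]["ts"])
        if age > timedelta(days=365 * RETENTION_YEARS):
            return "retention period elapsed"
        return "readily accessible" if age <= timedelta(days=365 * ACCESSIBLE_YEARS) else "retained"


def sample_record():
    """Constructed sample data for the demo, not a real customer record."""
    r = AuditedRecord("ACCT-0001", "risk tolerance: moderate", "jsmith", "2023-01-10T09:00:00+00:00")
    r.amend("risk tolerance: high", "mlee", "2023-06-01T14:30:00+00:00")
    return r
```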
FINRA and the SEC
FINRA is registered with and works alongside the Securities and Exchange Commission (SEC). Unlike FINRA, the SEC is a government organization created to protect investors and ensure the integrity of the securities market. If a complaint is made against FINRA, the SEC will oversee that complaint and handle any appeals.
What Happens if a Firm is Non-Compliant with FINRA?
If a FINRA rule violation is suspected or reported, FINRA investigates the potential securities violation. FINRA investigations draw on various sources of information, including automated surveillance reports, customer complaints, examination findings, and filings made with FINRA. If these investigations show an organization to be non-compliant, FINRA can issue severe penalties and sanctions, including hefty fines and disciplinary actions against firms and associated persons. Companies can also be barred from FINRA membership, which affects their status as securities firms.
In 2023, FINRA served 784 enforcement actions, orders totaled almost $5 billion in financial remedies, and $1 billion was distributed to harmed investors.
Example of a Significant FINRA Non-Compliance Scenario
JP Morgan's non-compliance with FINRA led to $200 million in penalties.
For large financial institutions, failure to comply with FINRA regulations is costly. In previous years, the worst fines, totaling $14.4 million, were given to 12 firms that failed to protect financial records from alteration without a proper audit trail. Any changes to records must be logged so that, after a data breach, investigators can trace the root cause. Unfortunately, the 12 firms failed to properly log and protect data, which compromised the integrity of customer data.
JP Morgan was recently fined $200 million for failing to preserve email archives containing staff communications on workstations and mobile devices. After a third-party subpoena could not be fulfilled, an audit revealed JP Morgan's lapses in data retention, costing the firm millions of dollars in fines.
What Should Financial Institutions and Brokers Know?
Any institution regulated by the US Securities and Exchange Commission (SEC) must review requirements and ensure they are met. The organization needs a strategy to back up and retain data to protect financial data. Of course, having a retention plan for electronic data is only one component of FINRA regulations, so every organization should thoroughly review FINRA compliance. Usually, full FINRA compliance requires a third party knowledgeable in all things FINRA, but organizations can take steps to secure their data and move forward with FINRA compliance.
Electronic data includes communication and stored customer information. Sensitive information should be protected using cryptographically secure methods, such as encrypting data at rest and in transit. Backups and archives should also be secured, but they must still be available when necessary.
TitanHQ Supports FINRA Compliance
FINRA's guidance questions in its 2024 Annual Regulatory Oversight Report are a great way to determine how to meet data protection requirements under FINRA's supervision.
The following guideline questions show how TitanHQ's solution dovetails with FINRA to help your organization adhere to the regulation:
FINRA: “What steps has your firm taken to prevent a cybersecurity intrusion, such as a business email compromise, phishing, or ransomware attack?”
TitanHQ: Our integrated and defense-in-depth approach provides the baseline for protection against human-centric attacks. TitanSecure protects against business email compromise (BEC), phishing, and ransomware. It is an AI-powered solution that identifies complex phishing threats, including multi-stage BEC attacks and zero-day exploits. TitanSecure integrates three powerful and intelligent email security solutions to stop phishing messages from entering a securities firm's network. Phishing and malicious attachment prevention help mitigate the threats of malware infection and ransomware attacks, which can compromise PII and financial data.
FINRA: “If your firm experiences an intrusion, how will it restore critical data from backups, as well as identify and recover customer information that was exfiltrated?”
TitanHQ: ArcTitan provides FINRA-compliant email archiving and includes the following capabilities:
- Fast eDiscovery, so that legal requirements during litigation and other legal proceedings are met quickly and accurately
- Documentation and traceability for audit and investigations
- Business continuity and disaster recovery processes
- Records management
- Encryption, authentication, and access control to ensure the security of emails and attachments
- Secure and encrypted storage
- Data loss prevention (DLP)
Archives differ from backups, and ArcTitan ensures that all archives follow FINRA rules while staying available to the people who need to work with them. Email is necessary for investigations and legal matters. For example, JP Morgan's audit began with its failure to respond properly to a subpoena. ArcTitan archives, by contrast, allow your legal team and corporate staff to search for important data to respond to subpoenas or investigate cybersecurity incidents.
Sound archives also provide a search feature and index content for fast results. ArcTitan offers an archiving platform that helps everyone involved in an audit quickly find data and export it for future use. Stakeholders get reports to identify any activity on the platform. ArcTitan secures all data in the cloud, so administrators do not have the overhead of applying specific security measures.
FINRA: “How does your firm monitor for imposter websites impersonating your firm or your registered representatives? How does your firm address imposter websites once they are identified?”
TitanHQ: Phishing websites often mimic brands that people know well, and these imposter sites can be difficult for users to identify. A DNS filtering solution, like WebTitan, is designed to work in complex environments. Some of the core features of WebTitan that support FINRA compliance include the following:
- Deploys layers of protection, including AI-driven detection, to identify imposter websites and prevent employees from navigating to those sites.
- Out-of-office protection (24/7 network protection) for BYOD policies.
- Excellent audit and reporting capabilities to demonstrate FINRA compliance.
- Low management overhead, as the service can be delivered through a managed service provider (MSP) model.
FINRA: “What kind of security training does your firm conduct, such as email best practices and phishing? Does your firm train all staff and not just registered persons? Is the training tailored to the staff’s role and level of access to systems?”
TitanHQ: SafeTitan is an intuitive, gamified security awareness training platform that teaches employees about all aspects of cybersecurity. Features offered by SafeTitan that help meet FINRA compliance are:
- Gamified interactive and fun training.
- Contextual learning, where employees are trained in context so that the lessons stick.
- Simulated phishing is provided via controlled but fake phishing emails. The fake phishing campaigns test employees' responses, and contextual learning helps them understand the "what ifs" of phishing attacks. SafeTitan demonstrates a reduced staff susceptibility to phishing by up to 92%.
- Real-time metrics provide insights into the effectiveness of a security awareness campaign.
- Risk and compliance reporting are used to demonstrate compliance with FINRA.
Talk to a TitanHQ expert on how to meet FINRA compliance.
Jennifer Marsh