FINRA Record Retention Requirements Checklist

The Financial Industry Regulatory Authority (FINRA) is the largest independent regulator for securities firms doing business in the United States. FINRA’s purpose is to protect American investors by making sure the securities industry operates fairly and honestly. FINRA has regulatory oversight over all securities firms that do business with the public.

We’ve compiled a short list of the record-keeping requirements mandated by FINRA. For a full description of each requirement, please visit FINRA’s web site or click on this link to see the entire record-keeping checklist:

Memoranda of Brokerage Orders and Dealer Transactions

Record Retention: Three (3) years, the first two years in an easily accessible place.

Associated Person Location and Identification Number Records

Record Retention: Three (3) years after the associated person has terminated employment and all other connections with the firm.

Associated Person Compensation Records

Record Retention: Three (3) years, the first two years in an easily accessible place.

Associated Person Complaint Records

Record Retention: Three (3) years, the first two years in an easily accessible place.

Customer Account Records

Record Retention: Six (6) years after the closing of the account or the date on which the information was replaced or updated, whichever is earlier.

Filetwin Commentary: It’s important to note that the requirement states “after the closing of the account”. If a customer remains a customer for five years, then the broker would be required to hold that record for the five years that the customer was a customer and then for six (6) years thereafter. In effect, that record would have a retention lifespan of eleven years.

Communications Supervision Records

Record Retention: Three (3) years, the first two years in an easily accessible place.

Contact Person Records

Record Retention: Six (6) years, the first two years in an easily accessible place.

Responsible Principal Records

Record Retention: Six (6) years, the first two years in an easily accessible place.

Office Records

Record Retention: For the most recent two (2) year period.

Communications with the Public

Record Retention: Three (3) years, the first two years in an easily accessible place.

Organizational Documents

Record Retention: Life of the enterprise and of any successor enterprise.

Filetwin Commentary: If certain documents need to be retained for an indefinite period of time, it seems only prudent to maintain a retention policy that stores all digital records indefinitely. In the digital world, the cost of storage is dropping, so holding larger amounts of records is becoming more cost-efficient.

Special Reports

Record Retention: Three (3) years after the date of the report.

Compliance, Supervisory & Procedures Manuals

Record Retention: Three (3) years after the termination of use of manual.

Exception Reports

Record Retention: Eighteen (18) months after the date the report was generated.

As you can see, different documents require different retention periods. The longest period is six years, with the exception of Organizational Documents. It’s our belief that brokers should set their overall retention period to six (6) years. With Filetwin software, specific files can have specific retention periods, so you could create rules to match the above requirements; however, the SEC even recommends that files be retained indefinitely. If you’d like to continue this conversation with one of our U.S.-based Backup Specialists, please feel free to contact us at 1 877 310-2884.

Copyright secured by Digiprove © 2011

Often, we find people are familiar with “technology terms” they’ve heard in discussion, read about, or been exposed to through some complex technology at work. Yet when it comes to fully understanding the nitty-gritty of that technology, they often admit that theirs is but a working knowledge. We think that’s fair enough, because everyone has been in that situation before; it’s nothing to be ashamed of.

FINRA is requiring that all members use 256-bit AES encryption on their data if they use portable storage devices such as CDs, DVDs or flash drives. Now, you probably don’t want the scientific description of the 256-bit AES algorithm, but if you did, there are plenty of articles all over the Internet that explain the nuts and bolts.

What we think people want to know is… “Just gimme the high-level overview”, so we will:

In today’s complex world and even more complex communicating environments, the need for protecting information takes on added importance and significance.

The NSA, which is our government’s National Security Agency, conducted a review and analysis of AES encryption to satisfy Information Assurance (IA) requirements associated with the protection of national security information. Their findings were…

The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths.

So basically FINRA is mandating that their members use encryption that at one time was the same encryption applied to TOP SECRET documents. No doubt NSA has upgraded their encryption standards as available facts about security over the Internet have been well established and data protection has only improved over the years. Still, it’s good to know that FINRA is setting a standard for protecting customer records and suggesting a responsible level of encryption.

Imagine this: line up 256 numbers in a row…

Now that you see 256 numbers in a row, imagine all the different variations it would take to “unlock the combination”.

To put it simply, breaking 256-bit encryption becomes a formidable task and is therefore less probable.

At Filetwin, we’ve been using 256-bit encryption, which is computationally infeasible to crack. Our security architecture was specifically designed to give corporate customers the ability to transmit mission-critical data over the Internet while also providing them with the necessary assurance that no one could decrypt their data.

Copyright secured by Digiprove © 2010