Both the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) lay out strict communication and recordkeeping regulations for investment firms and other financial institutions. These rules encompass almost everything, from the recording of investment activities, to how client data should be kept safe, and even the acceptable use of social media.
Predictably, these regulations extend to financial firms' websites as well. An official website is likely the single biggest and most important point of contact between the company and potential customers. As a result, any information related through that website needs to comply with the communication rules and guidelines provided by FINRA and the SEC.
Do you have systems in place to ensure that your organization complies with relevant communication and recordkeeping rules?
If you’re not sure, don’t worry. This article will help you understand your obligations. It will also provide practical, actionable advice for ensuring your website archiving complies with regulations.
What the SEC Says about Archiving Websites
The SEC enforces strict rules around recordkeeping, which are found in the Securities Exchange Act (SEA). The relevant rules are 17a-3 and 17a-4. These rules oblige brokers and dealers to keep records of all relevant documents.
This includes the entirety of a business’s website content, including all updates, edits, amendments, and deletions made to the site.
Since websites are used to communicate with the public on a large scale, and a firm's website typically contains information aimed at convincing a user to sign on with the company, the SEC and FINRA both pay close attention to what is said on these sites.
If strong claims are made, especially around expected investment outcomes, firms can quickly find themselves in hot water.
The SEC or FINRA can (and regularly do) request website content from firms for auditing. Companies are expected to be able to show not only how content looks now, but also what it looked like previously.
SEC rules also make it clear that you can’t archive these documents in any old format. They need to meet specific criteria:
- Records must be easily accessible
- They must be time-stamped
- They must be retained for at least six years
Rule 17a-4 gives more guidance on how long to keep each type of document. The rules also say you have to store your records in a way that can’t be rewritten or erased. Finally, you have to keep duplicates in separate locations.
If you’ve been doing any kind of archiving, you know it’s a good idea to keep several backups in different locations. Best practice suggests having at least three copies in two separate locations. This helps ensure you still have access to your data, even if the records in one location are damaged or lost. The SEC’s rules about recordkeeping echo this recommendation.
The SEC has fined businesses for failing to follow the recordkeeping rules. For example, Virtu Financial Capital LLC was fined for failing to keep records in the right format. They’d also failed to give notice that they were storing records electronically.
What FINRA Says about Website Archiving
FINRA has its own set of rules for recordkeeping, and website content falls squarely within their remit.
FINRA’s stated mission is to protect the public from fraud and bad practices. To that end, FINRA Rule 2210 deals with how firms need to communicate with the public.
Rule 2210 states that communications must be:
- Based on principles of fair dealing
- Fair and balanced
- A sound basis for evaluating the facts about products, industries, and services
Regulatory Notices 10-06, 11-39, and 17-18
To give more guidance, FINRA issued several Regulatory Notices that build on Rule 2210. These notices clarify what kinds of communications you need to archive. They also go over the considerations firms need to factor in when archiving.
FINRA makes it clear that firms should keep any communication about “business as such.” That could include text messages, tweets, and even instant messages. And it most definitely includes your website content.
FINRA's Regulatory Notice 11-39 is ultimately more interested in the content of a message than the platform.
So, what counts as “communication with the public” for the purposes of recordkeeping? Under FINRA rules, it includes anything your firm or associated persons post about products, services, and more. It’s easy to see why this is so pertinent to your website content.
Notice 17-18 also clarifies that recordkeeping extends to conversations you have with clients via chat. This could include messages in apps or with a chatbot running on your company website. So long as those communications are about products or services, you need to archive them.
Adoption and Entanglement
User-generated content (UGC) can be a real boon for modern businesses. Whether you’re featuring reviews as social proof, or leveraging the creativity of your customers via their own product images and social posts, user-generated content helps strengthen relationships and improves your positioning.
When working with content generated in this manner, it’s still important to be mindful of the potential compliance implications. An unsolicited customer testimonial doesn’t meet FINRA criteria for entanglement or adoption. As a result, you may not need to archive it (although, we’d suggest, you might still want to!). FINRA’s view of an unsolicited review can change, however, if you “adopt” it. Adoption is comparable to giving content your “seal of approval,” for example, by liking or sharing the customer’s review. Adopted content must be archived.
Along similar lines, if you hire an influencer to post an endorsement, that communication is “entangled.” Why? The influencer is being paid by your firm. That means you have some impact upon what they post. In comparison, the unsolicited client endorsement is something you have no control over.
Hyperlinks pose another sticky problem for recordkeeping compliance. If you link to third-party content, FINRA considers that you’ve “adopted” it. That means you may need to archive the content you’re linking to. (Have a look at this linked blog post to see how you can capture third-party content.)
If you have any influence over the third-party site that you’re linking to, then you’re entangled. You would need to archive content on that site. That includes cases where the link would be “ongoing.”
What Do You Need to Archive?
As you can see, the SEC and FINRA have created quite the tangled web for financial services firms. What you archive is highly dependent on the content of the message, not the platform.
For that reason, it’s often best to err on the side of caution. If a message relates to your business’s products or services, then you likely need to archive it.
You may even need to archive content that exists on other websites and platforms to show true compliance. FINRA rules say you cannot link to content that you know to contain false or misleading information. How can you prove that the content was okay if you don’t include a time-stamped archive copy of it?
You want to be sure you keep a copy of anything you link to. By doing so, you ensure that you can prove, at the time, it didn’t contain misleading or false information. Someone might change their posts or content after the fact, and you could end up on the hook for “adopting” false information.
Given the rules around adoption and entanglement, it’s safest to archive everything, especially when it comes to your website. To create good records, though, you need to be sure you’re using the right technology.
Why Screenshots and Backups Don’t Cut It
Brokers and dealers often see backups as an easy way to achieve compliance with FINRA rules. Unfortunately, backups rarely meet the stringent criteria.
Why? In most cases, backups can be rewritten or erased with ease. In fact, some firms overwrite backups every time they create a new one.
In most cases, data taken from content management system (CMS) backups won’t have the digital signatures required to prove its authenticity. As a result, it won’t meet the criteria needed to provide evidence that’s accepted by auditors.
Similarly, screenshots aren't usually enough. That's because they don’t capture anything beyond the page you’re looking at. They don’t display menu options, and they don’t contain linked content that you may have adopted. The broader context of your site is lost.
Moreover, people can often tamper with screen captures. They may not be "absolute" records for that reason.
It's also possible to capture screenshots in the wrong format. That can lead to problems extracting the necessary data. They can also get cut off, which leads to incomplete records.
Given all this, it's easy to see why people are turning to more sophisticated technologies like automated web archiving.
Picking the Right Archiving Technology
Automated website archiving is a better solution to meet recordkeeping needs under FINRA and SEC rules, because this technology offers more complete archiving of your communications.
Website archiving overcomes the limitations of manual recording and screenshots by allowing your records to expand beyond the page. That means all captured information is placed within the full context of your website at that particular point in time.
As discussed above, linked content poses special challenges for financial services firms. Under FINRA rules, linking counts as “adoption.” That means you may need to archive any linked content as well as what’s on your page. Effective preservation tools also exist for capturing content on third-party websites and social media pages.
Automated web archiving helps you create better, smarter records. You’ll benefit from:
- Automated archiving that allows you to "set it and forget it"
- A sophisticated dashboard to search and export what you need
- A public portal that gives auditors easy access to what they need
- More complete records of your communications
- Defensible records that prove compliance
The right technologies can also help you keep your records in the right format. Sticking to a schedule and even removing records that have expired is much easier when you have the right technology on your side.
Don’t Forget About Supervision Rules
FINRA rules also create an obligation for firms to supervise their communications. You must also train your associates. Under FINRA Rule 3110, you must establish processes for supervision of your communications.
You’re responsible for communications from all your associates, as well as those you might be entangled with. A social media manager should give you the chance to review messages they post on your behalf. If you work with a marketing firm, make sure the ads they create and blog content they craft are compliant.
A review of your recordkeeping policies may also be in order. The records you keep can also be reviewed to help you establish new protocols for supervision.
Go Beyond Your Compliance Goals with Automated Website Archiving
Meeting FINRA and SEC regulations for recordkeeping in the digital age can be daunting, but for peace of mind in the fast-paced world of the web, you’ll want to make sure you’re covered for every eventuality.
Financial services firms should aim to go beyond compliance. The rules are designed to help protect your clients and help you communicate in a better way. And good recordkeeping can even protect your firm from other accusations. That's why companies should take a "best practices approach" and do everything they can to ensure they have reliable records of all website content.