When Reviewing Books & Records, Don’t Forget About Data Destruction
The beginning of a new year is often when compliance officers assess whether the firm is meeting basic compliance requirements. Whether it is part of your annual 206(4)-7 or 3120 testing, making sure your records are in order is a basic requirement.
Many firms retain records long past their regulatory requirements. When asked, firms often state that the rationale for maintaining those records are “we may need them some day.” While true, that approach comes with some risk. If you have records, you need to keep them organized so they can be produced efficiently if requested by a regulator or as part of a subpoena. That production will cost time and money. More importantly, a good data destruction process should be part of your information or cyber-security program. Criminals can’t steal what you don’t have.
What Your Firm Should Do:
When considering a review of Books and Records, there many record keeping requirements. Having a consolidated document retention list with the location of the records and a retention period is the easiest way to stay on top of things. Making sure you have electronic records in WORM format with a designated third party downloader is a must for broker-dealers. Firms should also have a process to hold records that are the subject of a regulatory review or litigation.
If records are not required to be maintained, serious consideration should be given to destroying those records in a secure manner. Don’t forget about those old laptops and PCs, as they may contain information. At a minimum, those hard drives should be securely wiped using revision 1 of the NIST SP 800-88 media erasure guidelines.
How Oyster Can Help:
Oyster has worked with many different types of broker-dealer clients, small to large, with a variety of different clearing firms. Oyster can help you with a record retention program that is designed to meet the regulatory requirements while leveraging your existing infrastructure to reduce cost. Oyster can also act as a designated third party downloader for electronic records. For more information on Books and Records requirements, please contact Oyster and one of our Associates will be happy to help you.
Oyster Consulting, LLC
4128 Innslake Dr
Glen Allen, VA 23060