Once an advisor confirms that all required books and records are actually being captured and retained for the required period of time (generally five years, unless otherwise noted), the next step is to determine what records are being maintained electronically (and hopefully not in microfiche).
For those records that are being maintained electronically, Rule 204-2(g) of the Act enumerates certain general and specific requirements.
An advisor should review the actual Rule itself, but I will attempt to simplify and translate the requirements below:
- Keep your records organized
SEC examiners don't want to be left twiddling their thumbs while you hunt and peck on some file server for the documents they've requested. Records must have the ability to be produced "promptly," which generally means 24 hours. Test yourself: throw a dart at a record required to be maintained pursuant to Rule 204-2. If you're not able to produce a few months' worth of that record within 24 hours, you may have a larger organizational problem.
- Keep your records complete, legible, and unaltered
Powers of attorney with pages missing or scanned at a 45-degree angle won't cut it. An account agreement that was hand-signed and scanned to death on a 1995-era telefax at 50 dpi will likely not fit the bill. Journals or ledgers that have been altered or otherwise manipulated mean you have larger issues to address besides a books and records infraction.
- Records should be accessible, viewable, and printable by the SEC
This provisioning can be accomplished in many ways: providing a password-protected CD-ROM or USB drive, setting up a secure FTP site, sending encrypted or password-protected emails, or, for the brave, even setting up a username and password for discrete recordkeeping systems.
- Separately back up your records
Advisors must "separately store… a duplicate copy of the record" on any electronic medium permitted by Rule 204-2(g). In other words, advisors must avoid a single point of failure when it comes to recordkeeping, and must maintain a separate backup copy of the record in a manner that would survive the inadvertent destruction of the original record.
- Safeguard your records
Specifically, records should be safeguarded from "loss, alteration, or destruction." Keep both physical and electronic safeguards in mind (storage cabinets to servers), and integrate safeguarding techniques into your business continuity plan and privacy protection policies pursuant to Regulation S-P to ensure all policies are consistent. Though the SEC did not specifically impose the "write once, read many" or "WORM" recordkeeping format for advisors (in contrast to broker-dealer recordkeeping rules, which mandate the WORM format), advisors must still safeguard records from alteration (and the SEC has "alternative means to verify the accuracy of adviser… records"). Lastly, maintain records on a need-to-know basis (i.e., accessible only to authorized personnel and SEC staff).
Rule 204-2(g) does not specifically speak to cloud storage and any other new-fangled blasphemy, but the same rules and requirements apply.
As priceless as the reaction would be if an examinee wheeled out a microfilm reader and a stack of reels during an SEC exam, perhaps an advisor would be more prudent to embrace technology, carefully apply the electronic recordkeeping requirements to its chosen recordkeeping medium, and test its corresponding policies and procedures accordingly.