Records Management Compliance Checklist for Financial Services Organizations
Financial records compliance rests on six regulatory pillars: SEC Rule 17a-4 and 17a-3, FINRA Rule 4511, Investment Advisers Act Rule 204-2, the Bank Secrecy Act, Sarbanes-Oxley, and the Gramm-Leach-Bliley Act. Each defines what records to keep, how long, and how to produce them on demand. This checklist walks through the obligations and gives you a practical audit-ready framework.
Important. This article is general information for compliance and operations leaders, not legal advice. Specific obligations depend on your registration status, business lines, and state of operation. Confirm requirements with your General Counsel, Chief Compliance Officer, and outside counsel before changing your records program.
Why Financial Records Compliance Has a Higher Bar in 2026
Recordkeeping enforcement has shifted from periodic exam findings to a sustained, multi-year sweep. Since December 2021, more than 100 firms have paid over $3 billion in civil penalties for recordkeeping failures alone. Treating records as a back-office function is now the most expensive option available to a registered firm.
The SEC press release of August 14, 2024 announced $392.75 million in penalties across 26 broker-dealers, investment advisers, and dually-registered firms for failing to preserve electronic communications. The pattern is consistent across the sweep: when business communications cannot be produced, regulators assume the worst, and penalty severity climbs accordingly.
Three forces are tightening the bar in 2026. First, examination scope keeps expanding to include personal devices, ephemeral messaging, and AI-assisted workflows. Second, the SEC’s 2022 amendments to Rule 17a-4 modernized electronic storage and require firms relying on legacy WORM assumptions to revisit their architecture. Third, state regulators (particularly NYDFS) and federal cybersecurity rules now overlap with traditional recordkeeping in ways that compound the compliance burden.
The 6 Regulatory Pillars Every Financial Firm Must Address
Six federal regimes drive most financial records compliance work in the United States. Coverage varies by registration: a registered broker-dealer is subject to all six, while a community bank may focus on three. Identify which pillars apply to your firm before drafting your records program.
1. SEC Rule 17a-4 and Rule 17a-3 (broker-dealers)
Rule 17a-3 lists the records broker-dealers must create; Rule 17a-4 specifies retention. Most records require six years, with the first two years easily accessible. Customer account records run six years after account closure.
2. FINRA Rule 4511 (FINRA member firms)
FINRA Rule 4511 requires members to make and preserve books and records in conformity with Rule 17a-3, Rule 17a-4, and applicable FINRA rules. Rule 4511(b) is a catch-all: any record without a specified period must be retained at least six years.
3. Investment Advisers Act Rule 204-2 (registered investment advisers)
Rule 204-2 is the books and records rule for SEC-registered investment advisers. Most records require five years, with the first two easily accessible. Performance calculations and certain corporate documents have longer retention. Dually-registered firms must satisfy both Rule 204-2 and Rule 17a-4, applying the longer period.
4. Bank Secrecy Act (banks, broker-dealers, MSBs)
The Bank Secrecy Act and FinCEN regulations require five-year retention of CTRs, SARs, CIP records, and supporting AML documentation. SAR confidentiality rules often dictate where and how they can be stored alongside other records.
5. Sarbanes-Oxley Act (public companies and their auditors)
Section 802 of Sarbanes-Oxley requires audit work papers to be retained for seven years; Section 404 requires public companies to document internal controls over financial reporting. Any document supporting the financial close, controls testing, or external audit must be preserved with audit trail integrity for at least seven years.
6. Gramm-Leach-Bliley Act and state privacy laws
GLBA requires financial institutions to safeguard nonpublic personal information through administrative, technical, and physical controls; the FTC Safeguards Rule and Interagency Guidelines set the floor. State laws stack on top. NYDFS Part 500 requires written cybersecurity policies, MFA, and incident reporting for covered New York entities. CCPA and CPRA add data subject rights that extend records governance into customer-facing privacy programs.
Retention Periods at a Glance
These are the minimums most financial firms encounter. State law and litigation holds can extend any retention period. Apply the longer of every applicable requirement, and document the rationale.
| Record category | Minimum retention | Source |
|---|---|---|
| Trade blotters, ledgers, customer account ledgers | 6 years (first 2 easily accessible) | SEC Rule 17a-4(b) |
| Customer account records (active firm) | 6 years after account closure | SEC Rule 17a-4(e)(5) |
| Communications (email, IM, business texts) | 3 years (first 2 easily accessible) | SEC Rule 17a-4(b)(4) |
| Compliance, supervisory, procedures manuals | Period in effect + 3 years | SEC Rule 17a-4(e)(7) |
| RIA books and records (general) | 5 years (first 2 easily accessible) | Investment Advisers Act Rule 204-2 |
| BSA/AML records (CTRs, SARs, CIP) | 5 years | 31 CFR Chapter X |
| Audit work papers (public companies) | 7 years | Sarbanes-Oxley Section 802 |
| Employment tax records | 4 years | IRS |
| Most other tax records | 7 years (recommended) | IRS guidance / state law |
| Articles, minute books, formation records | Life of the enterprise | SEC Rule 17a-4(d) |
Electronic Recordkeeping: WORM vs. Audit-Trail After the 2022 SEC Amendments
Effective May 3, 2023, the SEC’s amended Rule 17a-4 gives broker-dealers two compliant options for electronic recordkeeping: traditional WORM (write once, read many) storage, or an audit-trail alternative that captures every modification and deletion with full attribution. Choose deliberately. The decision affects your storage architecture, vendor selection, and exam responsiveness.
Per the SEC’s adopting release on the amendments, the audit-trail alternative requires a system that maintains and preserves records for the full retention period and captures all modifications and deletions, the date and time of each event, the identity of the person responsible, and any other information needed to reconstruct the original record.
Practically, the audit-trail option lets firms leverage modern ECM and communications archiving systems they already use for business purposes, instead of running a separate WORM-only archive. The trade-off is heavier verification: the audit trail must be tamper-evident, exportable in human-readable and reasonably usable formats, and subject to the same prompt-production obligations as the underlying records.
The amendments also let a Designated Executive Officer file the required undertakings directly, eliminating the prior third-party access requirement. Modern records management software ships with the audit-trail capabilities required to support either pathway.
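As an added illustration (not code from the original article or from any vendor's product), the Python sketch below models the properties the audit-trail alternative demands of a system: records stay editable, but every creation, modification, and deletion is logged with the responsible user, the date and time, and the prior content, so the original can be reconstructed and any silent edit to the log itself is detectable through a hash chain. Record identifiers, user names, and timestamps in the test are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first event


class AuditTrailArchive:
    """Hash-chained audit trail modelled on the Rule 17a-4(f) audit-trail
    alternative: every change carries actor, timestamp and prior content, and
    each event commits to the hash of the one before it."""

    def __init__(self):
        self.events = []   # append-only log; each entry links to the previous hash
        self.records = {}  # current (mutable) record content

    @staticmethod
    def _digest(event):
        # Hash every field except the stored hash itself, in a canonical order.
        body = {k: v for k, v in event.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, action, record_id, before, after, actor, when):
        event = {"seq": len(self.events), "action": action, "record_id": record_id,
                 "before": before, "after": after, "actor": actor, "when": when,
                 "prev": self.events[-1]["hash"] if self.events else GENESIS}
        event["hash"] = self._digest(event)
        self.events.append(event)

    def create(self, record_id, content, actor, when):
        self.records[record_id] = content
        self._log("create", record_id, None, content, actor, when)

    def modify(self, record_id, content, actor, when):
        before = self.records[record_id]
        self.records[record_id] = content
        self._log("modify", record_id, before, content, actor, when)

    def delete(self, record_id, actor, when):
        before = self.records.pop(record_id)
        self._log("delete", record_id, before, None, actor, when)

    def history(self, record_id):
        """Every state a record has held, oldest first (index 0 is the original)."""
        return [e["after"] for e in self.events
                if e["record_id"] == record_id and e["after"] is not None]

    def verify(self):
        """Recompute the chain; return the seq of the first bad event, or None if intact."""
        prev = GENESIS
        for e in self.events:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        return None
```

A production system would additionally anchor the chain head in a separately controlled store (or WORM media) so that the whole log cannot be regenerated from scratch by a privileged user.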
The Compliance Checklist (10 Sections)
Use this checklist to assess whether your records program is audit-ready. Each item should map to documented evidence: a policy, configuration, log, contract, or training record.
1. Records inventory and classification
- Inventory of every record type the firm creates, by business line and source system.
- Each record type mapped to the regulations that govern it (Rule 17a-4, 204-2, BSA, SOX, GLBA, state law).
- Classification scheme separating records, transitory documents, and personal items.
2. Retention schedule
- Written retention schedule covering every record type, with period and legal citation.
- Schedule reviewed annually by Compliance and Legal, and after material regulatory changes.
- Documented litigation hold procedure that suspends disposition for affected records.
3. Electronic recordkeeping architecture
- Documented choice of WORM or audit-trail alternative under Rule 17a-4(f), with rationale.
- System captures all modifications, deletions, timestamps, and user identities.
- Backup electronic recordkeeping system in place as a redundant set of records.
- Records and audit trails can be exported in human-readable and reasonably usable electronic formats.
4. Communications capture
- Email, internal chat, and business SMS captured into the archive in near real time.
- Personal device and approved-channel policy with signed employee acknowledgments.
- Supervisory program targeting off-channel communications risk.
- Periodic attestations from registered persons on use of approved channels.
5. Access controls
- Role-based access aligned to least-privilege and separation-of-duties.
- MFA enforced for every user accessing the archive, including privileged accounts.
- Quarterly access review with documented removal of users who no longer need access.
6. Audit trail and immutability
- Tamper-evident audit logs covering every record creation, change, and deletion.
- Audit logs protected, retained, and exportable for the full underlying retention period.
- Designated Executive Officer or third-party undertakings filed where required.
7. BSA/AML records
- CTRs, SARs, and CIP records preserved at least five years and segregated as appropriate.
- SAR confidentiality controls preventing disclosure outside authorized personnel.
- Procedures for FinCEN 314(a) and 314(b) information requests.
8. Privacy and information security
- GLBA Safeguards program covering administrative, technical, and physical controls.
- NYDFS Part 500 program if covered (CISO, MFA, incident reporting).
- State privacy law inventory (CCPA, CPRA, equivalents) with data subject rights workflows.
9. Vendor and outsourcing oversight
- Written agreements with every records vendor, including SOC 2 Type II where applicable.
- Annual vendor reviews of control attestations, breach history, and retention performance.
- Exit plan for retrieving or destroying records at vendor termination.
10. Training, testing, and exam readiness
- Annual training on records policies, communications channels, and litigation holds.
- Annual mock exam testing the firm’s ability to produce records within regulator timelines.
- Findings and remediation tracked to closure for every internal audit and exam observation.
Common Findings During SEC and FINRA Examinations
Most recordkeeping findings are predictable. They cluster around a small number of operational gaps that examiners look for first. Closing these gaps proactively shortens exams and reduces enforcement risk.
1. Off-channel communications. Business messages on personal phones, WhatsApp, or Signal never captured into the archive. The largest single source of penalties in the current sweep.
2. Stale supervisory procedures. Policies that reference systems no longer in use or roles that have been reorganized. Examiners read for consistency between policy and practice.
3. Incomplete audit trails. Records present but missing user identity or timestamp detail. The most common Rule 17a-4(f) finding.
4. Retention schedule gaps. Record types missing from the schedule, or retention periods that do not match the archive’s configuration.
5. Slow production. The firm has the records but cannot produce them in the time the regulator expects, usually because search and export were never fully tested.
A note from the field
Compliance teams often invest in upgrading the archive long before they invest in upgrading the policies that govern it. Both matter, but a documented, tested supervisory program is what examiners look at first. A modern archive without an owner and a calendar around it is a finding waiting to happen. A reasonable archive with disciplined supervisory routines is usually fine.
Frequently Asked Questions
How long must broker-dealers keep customer records?
Per SEC Rule 17a-4(e)(5), customer account records (account forms, agreements, and supporting documents) must be retained for at least six years after the account is closed. The first two years of any required record must be in an easily accessible location.
Are text messages considered business records?
Yes, when they discuss business matters. The recent SEC enforcement sweep specifically targeted text messages, WhatsApp, Signal, and other off-channel communications used for business purposes but not captured in firm archives. If the message would be a record if it were an email, it is a record on a phone.
What is the difference between WORM and the audit-trail alternative?
WORM (write once, read many) preserves records in a non-rewriteable, non-erasable format for the entire retention period. The audit-trail alternative, added by the 2022 amendments to Rule 17a-4, lets firms use systems that allow modifications as long as the system maintains a complete, tamper-evident audit trail of every change. Both are compliant; the choice affects architecture and vendor selection.
Do investment advisers have to follow Rule 17a-4?
Pure RIAs follow Investment Advisers Act Rule 204-2, which has its own retention periods (typically five years, with two readily accessible). Dually-registered firms (broker-dealer plus RIA) must satisfy both rules, applying the longer retention period when they conflict.
What happens if records cannot be produced during an exam?
Inability to produce required records is itself a recordkeeping violation. Examiners typically expand scope when records are missing or incomplete, and the firm may face civil penalties, supervisory findings, and undertakings requiring an independent consultant. The current SEC sweep shows penalties ranging from $50,000 to $50 million per firm, with most settlements between $5 million and $25 million.
Bring Your Financial Records Program Up to Standard
GRM works with banks, broker-dealers, RIAs, insurers, and lenders across every layer: document storage, scanning, and audit-trail-ready financial document management. To benchmark your environment against the checklist, request a free assessment.