COMPLIANCE: SEC & NASD
The Securities and Exchange Commission (SEC Regulation 17a-4) and the National
Association of Securities Dealers (NASD Rule 3010) have instituted regulations
that demand compliance surrounding the storage of financial records and
electronic communications. Specifically, IT departments must implement
processes that answer rules including:
SEC Regulation 17a-4:
« Broker/dealers are required to archive the electronic communications of
licensed professionals for at least three years. The regulation specifically
applies to email and instant messages.
« Unlike NASD Rule 3010, which applies only to external communications, this
regulation applies to both internal and external electronic messages.
« Archived messages must be stored in two separately maintained online archives.
In other words, broker/dealers must keep two copies of each message in an online
archive.
« A third copy of each message must be stored on permanent, non-tamperable media,
such as write-once-read-many (WORM) technology.
« Archived messages must be serialized, meaning that each message is assigned a
unique, consecutive identification number. This provides a means to ensure that
no messages have been deleted: any gap in the sequence shows a message is missing.
« The archiving system must have the capacity to readily download indexes and/or
the messages to an acceptable medium for regulators.
« The broker/dealer or its "storage medium vendor" must attest to the SEC that
the broker/dealer's archiving process meets the conditions of the rule.
« The broker/dealer must designate at least one third party who has access to and
the ability to download information from the archives to an acceptable medium
for regulators.
NASD Rule 3010:
« Broker/dealers are required to monitor and supervise the external electronic
communications of registered representatives.
« The rule imposes a post-review process, meaning that messages can be delivered
in real-time and the monitoring and supervising can be done after the fact.
« The rule excludes internal messages (i.e., email sent between two employees
within the firm).
« The broker/dealer needs to capture electronic messages by two mechanisms:
1) The firm needs to set up a list of keywords. Every electronic message
between a registered rep and someone outside the firm needs to be scanned to see
if it includes any of the keywords. If one or more of the keywords is found, the
message needs to be flagged for monitoring and supervision.
2) A random sample of each registered rep's external communications must
be flagged for monitoring and supervision. The sample rate is discretionary, but
most firms set the sample rate between 4% and 10%. If the firm has reason to
suspect that a specific registered rep is doing something suspicious or
illegitimate, the firm should increase the sampling rate for that rep.
« On a regularly scheduled basis, each registered rep's supervisor - the RP
(registered principal) - must log in to the supervisory system and read each
message that was flagged for monitoring and supervision. Messages should be
marked as having been reviewed without concern and/or as requiring clarification
or conversation with the registered rep about the contents of the message.
« All monitored and supervised messages need to be archived pursuant to SEC
Regulation 17a-4, which in a nutshell says that messages need to be serialized
and archived for three years in two online data stores, with a third copy stored
offline on non-tamperable media. The burden of proof rests with the broker/dealer.
The NASD recently clarified its position on how Rule 3010 applies to instant
messaging. With regard to monitoring and supervision, broker/dealers must treat
instant messages exactly like email. Lastly, how the broker/dealer addresses
compliance with NASD Rule 3010 must be spelled out in a written policy.
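As an added illustration (not part of the original document), the following Python sketch models the three mechanics described above: consecutive serial numbers with a gap check for deleted messages, the keyword scan, and per-rep random sampling of external messages. The firm domain, keyword list, sample rate and messages are constructed values.

```python
import random
import re
from dataclasses import dataclass, field

FIRM_DOMAIN = "example-broker.test"                      # constructed sample domain
KEYWORDS = ["guarantee", "sure thing", "off the books"]  # constructed keyword list

@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    serial: int = 0                            # consecutive archive number; 0 = unassigned
    flags: list = field(default_factory=list)  # "keyword" and/or "sample"

def rep_of(msg):
    """Firm-side address of an external message; None for internal mail (excluded by 3010)."""
    a, b = msg.sender.endswith("@" + FIRM_DOMAIN), msg.recipient.endswith("@" + FIRM_DOMAIN)
    if a and b:
        return None
    return msg.sender if a else (msg.recipient if b else None)

def serialize(messages, start=1):
    """SEC 17a-4 serialization: unique, consecutive numbers in capture order."""
    for n, msg in enumerate(messages, start=start):
        msg.serial = n
    return messages

def missing_serials(serials):
    """Gaps in the consecutive numbering of a non-empty archive reveal deleted messages."""
    present = set(serials)
    return [n for n in range(min(present), max(present) + 1) if n not in present]

def flag_for_supervision(messages, keywords=KEYWORDS, sample_rate=0.05,
                         rate_overrides=None, seed=0):
    """Flag external messages on a keyword hit and by per-message random sampling at the
    rep's rate; a raised rate for a rep under suspicion goes in rate_overrides."""
    rng = random.Random(seed)                  # seeded so a run is reproducible
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    overrides = rate_overrides or {}
    for msg in messages:
        rep = rep_of(msg)
        if rep is None:
            continue
        if pattern.search(msg.body):
            msg.flags.append("keyword")
        if rng.random() < overrides.get(rep, sample_rate):
            msg.flags.append("sample")
    return [m for m in messages if m.flags]
```

Flagged messages are what the registered principal reviews; every message, flagged or not, still goes through serialize() before archiving.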