It’s hard to believe, but here we all are, in the first week of the last month of 2022. The year has been an eventful one, to say the least. In this Q4 edition of the Access Legal and IG quarterly update, we’ll highlight some of the latest regulatory news and legislation happening around the world.
We hope that professionals in the information governance, legal, compliance, and records management fields continue to find these briefings helpful. Our areas of research focus mainly on data privacy and security, records retention, financial services, payment processing, workplace safety, and back-office refresh.
Just as we set out to do when we first launched this quarterly update last year, in this fourth edition of 2022, we aim to ensure that you have all the latest updates and provisional information you need to do your job as efficiently as possible and with the utmost confidence.
We also include notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo, as a courtesy to active clients. We look forward to continuing to provide these updates in 2023 and beyond. Following is the latest on that front.
SEC regulatory updates in the United States:
The SEC adopted rule amendments to modernize how broker-dealers and security-based swap entities preserve electronic records (found in Virgo as: 17 C.F.R. § 240.17a–4 & 17 C.F.R. § 240.18a–6). The current rules require firms to preserve electronic records exclusively in a non-rewriteable, non-erasable format, known as the write once, read many format (“WORM”).
The new rules, effective January 3, 2023, add an audit-trail alternative under which electronic records can be preserved in a manner that permits the recreation of an original record if it is altered, over-written, or erased. The audit-trail alternative is designed to provide broker-dealers with greater flexibility in configuring their electronic recordkeeping systems so they more closely align with current electronic recordkeeping practices while also protecting the authenticity and reliability of original records.
Affected Industries: Financial services, specifically broker-dealers; security-based swap dealers (SBSDs); & major security-based swap participants (MSBSPs)
- Blotters (or other records of original entry) containing an itemized daily record of all purchases and sales of securities (including security-based swaps), all receipts and deliveries of securities (including certificate numbers), all receipts and disbursements of cash and all other debits and credits.
- Ledgers (or other records) reflecting all assets and liabilities, income and expense and capital accounts.
- Ledger accounts (or other records) itemizing separately as to each account for every customer or non-customer of such security-based swap dealer or major security-based swap participant, all purchases and sales, receipts and deliveries of securities (including security-based swaps) and commodities for such account and all other debits and credits to such account; and in addition, for a security-based swap, the type of security-based swap, the reference security, index, or obligor, the date and time of execution, the effective date, the scheduled termination date, the notional amount(s) and the currenc(ies) in which the notional amount(s) is expressed, the unique transaction identifier, and the counterparty’s unique identification code.
- A securities record or ledger reflecting separately for each:
- (i) Security, other than a security-based swap, as of the clearance dates all “long” or “short” positions (including securities in safekeeping and securities that are the subjects of repurchase or reverse repurchase agreements) carried by such security-based swap dealer or major security-based swap participant for its account or for the account of its customers and showing the location of all securities long and the offsetting position to all securities short, including long security count differences and short security count differences classified by the date of the physical count and verification in which they were discovered, and, in all cases the name or designation of the account in which each position is carried.
- (ii) Security-based swap, the reference security, index, or obligor, the unique transaction identifier, the counterparty’s unique identification code, whether it is a “bought” or “sold” position in the security-based swap, whether the security-based swap is cleared or not cleared, and if cleared, identification of the clearing agency where the security-based swap is cleared.
- A memorandum of each purchase or sale of a security-based swap for the account of the security-based swap dealer or major security-based swap participant showing the price.
- With respect to a security other than a security-based swap, copies of confirmations of all purchases and sales of securities. With respect to a security-based swap, copies of the security-based swap trade acknowledgment and verification made.
- For each security-based swap account, a record of the unique identification code of such counterparty, the name and address of such counterparty, and a record of the authorization of each person the counterparty has granted authority to transact business in the security-based swap account.
- A record of all puts, calls, spreads, straddles and other options in which such security-based swap dealer or major security-based swap participant has any direct or indirect interest or which such security-based swap dealer or major security-based swap participant has granted or guaranteed, containing, at least, an identification of the security, and the number of units involved.
- A record of the proof of money balances of all ledger accounts in the form of trial balances, and a record of the computation of net capital or tangible net worth, as applicable, as of the trial balance date.
- A questionnaire or application for employment executed by each “associated person” (as defined in paragraph (d) of this section) of the security-based swap dealer or major security-based swap participant who effects or is involved in effecting security-based swaps on the security-based swap dealer’s or major security-based swap participant’s behalf, which questionnaire or application must be approved in writing by an authorized representative of the security-based swap dealer or major security-based swap participant.
- A record of the daily calculation of the current exposure and, if applicable, the initial margin amount for each account of a counterparty required under § 240.18a–3(c).
- A record of compliance with possession or control requirements under § 240.18a–4(b).
- A record of the reserve computation required under § 240.18a–4(c).
- A record of each security-based swap transaction that is not verified under § 240.15Fi–2 within five business days of execution that includes, at a minimum, the unique transaction identifier and the counterparty’s unique identification code.
- A record documenting that the security-based swap dealer has complied with the business conduct standards as required under § 240.15Fh–6.
- A record documenting that the security-based swap dealer or major security-based swap participant has complied with the business conduct standards as required under §§ 240.15Fh–1 through 240.15Fh–5 and 240.15Fk–1.
- A record of each security-based swap portfolio reconciliation, whether conducted pursuant to § 240.15Fi–3 or otherwise, including the dates of the security-based swap portfolio reconciliation, the number of portfolio reconciliation discrepancies, the number of security-based swap valuation disputes (including the time-to-resolution of each valuation dispute and the age of outstanding valuation disputes, categorized by transaction and counterparty), and the name of the third-party entity performing the security-based swap portfolio reconciliation, if any.
- A copy of each notification required to be provided to the Commission pursuant to § 240.15Fi–3(c).
- A record of each bilateral offset and each bilateral portfolio compression exercise or multilateral portfolio compression exercise in which it participates, whether conducted pursuant to § 240.15Fi–4 or otherwise, including the dates of the offset or compression, the security-based swaps included in the offset or compression, the identity of the counterparties participating in the offset or compression, the results of the compression, and the name of the third-party entity performing the offset or compression, if any.
From the Box and Beyond: It’s About Dang Time! Simplifying Event-Based Retention
Join us in our next Access Corp. webinar as we take a look at this critical compliance issue and discuss how you tackle this complex problem and mitigate the risk of substantial penalties.
New & Noteworthy Legislation in Switzerland:
The final text of the Swiss Data Protection Act was published in August and is set to take effect on September 1, 2023.
- It implements provisions on data security, information and documentation obligations, the rights to access and data portability, the outsourcing of data processing to third parties, cross-border data transfers, the data protection advisor, data protection impact assessments and the notification of data breaches.
- On records obligations, the Act stipulates data controllers have an obligation to inform data subjects appropriately about the collection of personal data.
- If an intended data processing activity potentially bears a high risk for the rights of the person whose data is processed, the controller may need to perform a data protection impact assessment (DPIA) beforehand.
- The controller must store this assessment for at least 2 years after termination of the processing.
Cited in Virgo as, “DSV 235.11” under the title, “Data Protection Ordinance (Privacy Ordinance) [Verordnung über den Datenschutz (Datenschutzverordnung)]”.
New & Noteworthy Legislation in Indonesia:
Indonesia’s Personal Data Protection Act came into force on October 17, 2022.
- Noteworthy in this long-awaited Act is the requirement to delete personal information when it is no longer required to achieve the purpose for which it was collected.
Cited in Virgo as, “Personal Data Protection Act”.
Additionally, over the last 90 days, the Access Legal Research Team added other recordkeeping requirements from the following jurisdictions:
- Canada + 11 provinces/territories
- Czech Republic
- Moldova, Republic of
- New Zealand
- United Arab Emirates
- United States federal + 40 states