In last months article, Turnkey Trading Partners (“Turnkey”) discussed Critical CFTC Supervision and Record-Keeping Tips, emphasizing the significance of record-keeping and supervision specific to internal and client communications leading to trade execution. Building upon this, Turnkey now provides a step-by-step guide for establishing a robust digital record-keeping and retention program. This guide aims to make the process practical and seamless, ensuring businesses not only meet regulatory obligations but also enhance data integrity, security, and operational efficiency.

  1. Know Your Requirements:

Understand the specific regulatory requirements that apply to the commodity futures industry and your organization. For specifics on the rules surrounding record retention and production you can refer to CFTC Regulation 1.31, Regulation 1.35, or NFA Compliance Rule 2-10. However, as a rule of thumb for CFTC/NFA regulation, all records should be kept for 5 years from the date they were created.

  1. Create a Record-Keeping Policy:

Develop a comprehensive policy detailing the types of records to be maintained, retention periods, and procedures for creating, storing, and disposing of records. If this is not written into your current policies and procedures you should consider doing so now. For help on integrating this into your current policies please contact Turnkey today.

  1. Categorize and Classify Data:

Classify digital files based on subject matter, sensitivity, and importance. This can be accomplished by first segmenting folders. For example:

  • Documents Containing Customer PII
  • Accounting / Financials
  • Regulatory Filings
  • Sales and Marketing
  • Company Documents
  1. Establish Access Controls:

Implement access controls to ensure only authorized personnel can access and modify records, maintaining the integrity and confidentiality of information.

  1. Implement Version Control:

Establish version control mechanisms to track changes made to documents over time, crucial for audit trails and maintaining record accuracy. Save old versions of documents in a dedicated “old versions” folder that allows for search-ability if needed later.

Many of the biggest vendors in the cloud storage space will have this built into their products. Turnkey has observed the following to be some of the most reputable and reliable vendors:

  1. Utilize Document Management Systems (DMS):

Implement a robust DMS facilitating easy organization, retrieval, and tracking of digital files, ensuring compliance with security standards. Most major cloud service providers adhere to stringent security standards.

  1. Encryption and Security Measures:

Apply encryption to sensitive records and implement security measures to protect against unauthorized access, data breaches, and cyber threats. Regularly update security protocols to address emerging risks. According to Dropbox, a 256-bit Advanced Encryption Standard (AES) is the strongest method of AES encryption available, which makes the files in your cloud storage virtually-impossible to crack.” Check with your current provider if they have this level of encryption. If not you may want to consider a new vendor.

  1. Regular Audits and Monitoring:

Conduct regular audits of record-keeping processes to ensure compliance. Monitor access logs, changes to records, and relevant activities to identify and address irregularities. There are many reputable third-party service providers that offer penetration testing and other data security audits to ensure your files are as safe as possible. Remember, per NFA Compliance Rules 2-9, 2-36 and 2-49 an information systems security protocol (“ISSP”) review should be conducted and documented once every 12 months. Turnkey conducts this review for many of our clients. To learn more about our ISSP review and other compliance solutions please visit our Services Page or contact us directly at 312-324-0040.

  1. Backups and Disaster Recovery:

Establish regular backup procedures to prevent data loss (many of the best third-party cloud providers will supply this) by implementing a disaster recovery plan to ensure record availability in unexpected events. This should be part of the firm’s broader Business Continuity and Disaster Recovery (“BCDR”) procedures as spelled out in NFA Compliance Rule 2-38.

  1. Training and Awareness:

Provide employee training on the importance of record-keeping compliance and foster a culture of compliance within the organization. Turnkey Training offers NFA/CFTC compliant training in Cybersecurity, Ethics, and Identity theft. All of which are necessary to stay compliant but also to teach employees about the current threats to company data and the ethical standards by which they should judge their engagement with sensitive records.

  1. Consultation:

Seek advice to ensure record-keeping processes align with the latest regulatory requirements. Compliance counsel can interpret complex regulations and provide guidance on best practices. For assistance please contact us today.

  1. Document Destruction Procedures:

Data should be appropriately managed across the entire data lifecycle, from capture to destruction. Planning for data destruction is an integral part of a high-quality data management program. An area that is often overlooked when writing BCDR, ISSP, or other relevant procedures is how documents will be destroyed properly when the appropriate time has come. Every firm should develop secure procedures for the destruction of records at the end of their retention period.

  1. Regularly Update Policies:

Periodically review and update record-keeping policies to align with changes in regulations, technology, and business processes. Be aware that these changes most likely will affect your Business-Continuity and Disaster Recovery Policies, Third – Party Service Provider Policies, and your Information Systems Security Protocol Policies.

  1. Record-Keeping Training and Awareness:

Conduct regular training sessions to ensure employees understand record-keeping policies and procedures, maintaining consistency throughout the organization. Turnkey also conducts on-site trainings for record-keeping and retention when requested. Click here to learn more about Turnkey’s supervisory program.

By implementing these measures, organizations can establish a comprehensive record-keeping and retention process that ensures compliance and enhances data integrity, security, and overall operational efficiency. Regular reviews and updates are essential to adapt to evolving regulatory landscapes and technological advancements. In conclusion, strategic record-keeping strikes a balance between regulatory compliance and operational efficiency, transforming record-keeping into a strategic asset for businesses.