At the close of 2013, FINRA graced Barclays with a US$3.75 million holiday gift for "Systemic Record and Email Retention Failures." Specifically, violations of the SEC Rule 17a-3 and 17a-4 requirements for "records to be made/preserved by certain exchange members, brokers and dealers," which are met via write-once read-many (WORM) storage, caused the WORM to turn on Barclays. What's initially surprising about this is that WORM storage infrastructure is fundamental to financial services firms’ run-the-bank efforts: infrastructure so mature, commoditized, and mundane that not even IT gets excited about it anymore ... just the type of very basic meat-and-potatoes infrastructure that ISVs have been pitching firms to consider outsourcing to private server farms or shared clouds for cost benefits.
Bloomberg's Vault and Nasdaq's FinQloud are two of the more prominent solutions available for outsourcing WORM storage, the former leveraging Bloomberg's private server farms and the latter Nasdaq's partnership with Amazon to provide a private cloud solution. Moreover, the many firms that already have connectivity to or a presence in Equinix, either directly or indirectly, can now choose to connect directly to Amazon Web Services (AWS) themselves via AWS Direct Connect and perhaps leverage S3 on their own for such infrastructure. For a WORM middle ground, firms already using NetApp for their storage solutions could mix and match on-premises storage, hosted storage, and AWS. All of these offerings are predicated on cost savings for what should otherwise be routine infrastructure, turning what can be rather heavy CapEx into more reasonable OpEx.
Evidently, what this FINRA fine demonstrates is that perhaps infrastructure like WORM storage isn't so routine after all. Not only were there gaps over 10 years from 2002 to 2012 in Barclays' "electronic books and records—including order and trade ticket data, trade confirmations, blotters, account records and other similar records—in WORM format," but 3.3 million Bloomberg IBs from 2008 to May 2010 were also missing from WORM storage. What's as yet unclear is how systemic these lapses were, whether these records weren't stored at all or just weren't stored in an unalterable format, and what prompted this discovery by FINRA. Undoubtedly, Barclays is not alone in this regard, and other firms just haven't had the WORM turn on them in public yet. You can bet that this fine rang a bell at almost every U.S. sell-side firm, and CCOs, CIOs, and GCs are now actively engaged in ensuring that they've got this WORM covered and that their potential eDiscovery needs are being met as well.
Coincidentally, much has been made recently of the less-than-optimal things (e.g., alleged Libor rigging) being turned up in the OTC derivatives world. One would think that instant messaging itself was the root of all evil, that "put it in the chat" were dirty words ... to the point where Bloomberg moved to consolidate all of its compliance tools and repackage them as the Bloomberg Compliance Center. Of course, compliance officers have had access to IM logs for well over a decade, so it’s really more a matter of fully monitoring communication, as with voice and email, and the technology infrastructure to do so feeds (and frequently sits right next to) WORM storage.
Though in Barclays' case not for a few years.
Two immediate take-homes from this FINRA fine:
1. Barclays is probably not alone in these WORM lapses, and FINRA is sending a message to its members that it takes WORM storage requirements seriously, so make sure it's together, or get it together.
2. What started as an argument to outsource WORM infrastructure (and the like) on the basis of cost-benefit analysis may very well end up hinging on rapid implementation of state-of-the-art best-of-breed compliance solutions.
Time will tell if Barclays is just the first of several firms to be hit by a WORM storage gap and how much renewed interest there will be in such infrastructure CapEx or outsourcing.