Major Compliance Standards, Laws & Regulations
| Rule | Summary | Affects | Highlight |
|---|---|---|---|
| SEC 17a-4 | Broker/dealers must retain records for up to 7 years. | Financial services such as brokers, dealers and exchange members | Gives retention periods for securities broker/dealer records; stipulates requirements if electronic record-keeping systems are used. |
| Sarbanes-Oxley Act 404 | Monitoring of the process involved in producing and changing financial records. | All publicly traded companies, public accounting firms, auditors, brokers and securities analysts | For public companies, provides requirements for audit committees, financial reporting, insider trading, executive loans, change disclosure and management's assessment of internal controls. |
| | Requires member organizations to establish and maintain a system of supervision, demonstrate that the system is complete, evaluate it on a regular basis and ensure that it remains effective. | Members of the National Association of Securities Dealers (NASD) and the New York Stock Exchange (NYSE) | Record-keeping requirements concerning e-mail communications. |
| Sarbanes-Oxley 409 | Disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis. | All publicly traded companies, public accounting firms, auditors, brokers and securities analysts | Same as Sarbanes-Oxley 404. |
| HIPAA | Protects "individually identifiable health information", that is, any health data identified by name, Social Security number, address or birth date, whether it is electronic, paper or oral. Also requires that patients be notified of privacy practices. | Health plans, including employer-sponsored plans, and all healthcare providers that transmit patient information electronically for claims, benefit eligibility, referral authorizations, etc. | The Security Rule, effective April 21, 2005, requires safeguards to ensure that electronic patient data is kept confidential, available as needed and maintained with its integrity intact. |
| IRS Rev. Proc. 97-22 | Provides guidance to taxpayers that maintain books and records in an electronic storage system, either by imaging their hardcopy (paper) books and records or by transferring their computerized books and records to electronic storage media. | Any taxpayer that keeps books and records electronically (not limited to financial services) | An electronic storage system must ensure an accurate and complete transfer of the hardcopy or computerized books and records to the electronic storage media. The system must also index, store, preserve, retrieve and reproduce the electronically stored books and records. |
| Gramm-Leach-Bliley Act | Requires financial institutions to implement safeguards for customers' current and legacy information. | Financial institutions: banks, securities firms, insurance companies and other companies that offer financial products or services to consumers | In essence, the act makes it illegal for a financial institution to share customers' "nonpublic personal information" with non-affiliated third parties unless the institution first discloses its privacy policy to consumers and allows them to opt out of that disclosure. |
| 21 CFR Part 11 | Defines the requirements for electronic records and electronic signatures, including audit trails, access control and retrieval of electronic records. | FDA-regulated industries such as healthcare and pharmaceuticals | On February 20, 2003, the FDA released a draft Guidance for Industry, "Part 11, Electronic Records; Electronic Signatures - Scope and Application", which narrows the scope in which Part 11 is enforced and announces enforcement discretion for several of its requirements. It also withdrew earlier guidance documents on maintenance of records, electronic copies of records, time stamps and validation. |
| Regulation | Retention | Penalties |
|---|---|---|
| SEC 17a-3 and 17a-4 | Broker/dealers must retain records for up to 7 years. | Determined on a case-by-case basis. |
| Gramm-Leach-Bliley Act | Financial institutions must ensure the security and confidentiality of customer data. No time limit is given. | Fines up to $500,000; imprisonment up to 10 years. |
| HIPAA | Members of the healthcare industry must retain patient information for 6 years. | Fines up to $250,000; imprisonment up to 10 years. |
| Sarbanes-Oxley | Accounting firms that audit publicly traded companies must retain all related documents for 7 years after the audit. | Fines up to $5 million; imprisonment up to 20 years. |