Section 3 Understanding Trading, Customer Accounts and Prohibited Activities

Books, Records, and Privacy

18 min read · Lesson 7 of 10

About This Lesson

Recordkeeping and customer-privacy rules come with specific timeframes the SIE tests directly. This is a numbers chapter, so the retention periods and the privacy deadlines are worth memorizing cold.

What you'll cover

  • The records a firm must create and maintain: trade confirmations, account statements, and a business continuity plan
  • Record retention periods, the 3-year, 4-year, and 6-year pattern
  • Regulation S-P: the privacy notices, opt-out rights, and the 2024 breach-notification rule

Two things show up on almost every form: the 3/4/6 retention pattern, and Reg S-P's 30-day breach-notification deadline from the 2024 amendments. Lock those in and this chapter pays off quickly.

Section 1 of 3 ~8 min · 1 concept check

Firm Records and Continuity

Broker-dealers run on paperwork. SEC and FINRA rules require firms to create and keep careful records of nearly everything they do, and two customer-facing documents come up most.

  • Trade confirmations: sent to the customer at or before completion of each transaction. The next part covers exactly what a confirmation has to show.
  • Account statements: sent at least quarterly, and monthly in any month with account activity.

Beyond customer documents, every firm must also maintain a written business continuity plan, covered later in this chapter, and keep its records for set periods, covered in the next section.

A trade confirmation is the official record of a transaction, and it must reach the customer at or before completion of the transaction (settlement). The exam expects you to know what it has to disclose:

  • The date and time of execution.
  • The security, the quantity, and the price.
  • Capacity: whether the firm acted as agent (and disclosed a commission) or as principal (and charged a markup or markdown).
  • The settlement date.
  • The commission or markup/markdown amount.
  • Contra-party information, when the firm acted as agent.

The capacity disclosure is the one examiners care about most: a customer has to be able to tell whether they paid a commission or a markup.

A firm cannot simply go dark when a fire, a storm, or an outage hits. Under FINRA Rule 4370, every broker-dealer must create and maintain a written business continuity plan (BCP) describing how it will keep operating and protect customers through a disruption. A BCP addresses things like:

  • Data backup and recovery, so records and data survive.
  • Alternate communications with customers and employees.
  • Critical business functions, including order handling and trade settlement.
  • Customer access to funds and securities during the disruption.

Three details are testable. A firm must review and update the BCP at least annually (and after material changes), must disclose it to customers at account opening and post it on its website, and must designate a senior manager responsible for carrying it out.

Concept Check

A broker-dealer's business continuity plan (BCP) must be reviewed how often?

Under FINRA Rule 4370, a firm's BCP must be reviewed and updated at least annually, and also whenever there are material changes to the firm's operations. The BCP must be disclosed to customers at account opening and posted on the firm's website. A senior manager must be designated to implement the BCP.

Section 2 of 3 ~4 min · 1 concept check

Record Retention Periods

Record Retention Requirements

FINRA Rule 4511 and SEC Rule 17a-4 specify how long firms must retain different types of records:

Record Type                                 Retention Period
Blotters (daily purchase/sale records)      6 years
General ledger                              6 years
Customer account records                    6 years after account closure
Trade confirmations                         3 years
Customer complaint records                  4 years
Communications (emails, letters)            3 years
Written customer complaints                 4 years
Partnership articles, corporate charter     Life of the firm + 3 years

Exam shortcut: Most records fall into either 3 years or 6 years. Customer account records and major financial records = 6 years. Correspondence and confirmations = 3 years.

Record Retention, The 3/4/6 Pattern

Three numbers cover almost every retention question on the SIE:

6 years: Blotters, ledgers, customer account records, financial statements. Think "major financial records = 6."

4 years: Customer complaints. Think "4 for complaints."

3 years: Correspondence, emails, trade confirmations. Think "communications = 3."

Special cases: SAR and CTR records = 5 years. Partnership/corporate charter = life of the firm + 3 years.

Concept Check

Under SEC Rule 17a-4, how long must a broker-dealer retain customer account records?

Customer account records must be retained for 6 years after the account is closed. Most major financial records (blotters, general ledger) also have a 6-year retention period. Correspondence and trade confirmations have a shorter 3-year requirement.

Section 3 of 3 ~6 min · 3 concept checks

Customer Privacy (Regulation S-P)

✅ Updated for 2026

This lesson reflects the latest FINRA rule changes, including the new $300 gift limit (Rule 3220, effective March 30, 2026), AI supervision guidance (Regulatory Notice 24-09), and the Reg S-P 2024 amendments. Our content is current as of March 2026.

Regulation S-P, The Three Required Notices:

1. Initial privacy notice: Delivered when the customer relationship is established (account opening)
2. Annual privacy notice: Provided once per year (a firm may be exempt under the Fixing America's Surface Transportation (FAST) Act exception if its privacy policies haven't changed)
3. Opt-out notice: Must give customers the ability to opt out of sharing nonpublic personal information with non-affiliated third parties before any sharing occurs

Important: Reg S-P does NOT restrict sharing with affiliated companies or with service providers performing functions on the firm's behalf.

The original Reg S-P framework, its privacy notices, opt-out rights, and safeguard requirement, still stands. But the SEC's 2024 amendments added obligations that are now high-yield on the exam.

A written incident response program

Every firm must maintain a written program designed to detect, respond to, and recover from unauthorized access to customer information. If a breach occurs, the firm must notify each affected individual whose sensitive information was, or was reasonably likely to have been, accessed.

The 30-day notification deadline

That notice runs on a hard clock: it must go out as soon as practicable, and no later than 30 days after the firm becomes aware that unauthorized access has occurred or is reasonably likely to have occurred. The original Reg S-P had no specific breach deadline, so this 30-day rule is the detail to remember.

Stronger safeguards

Firms must apply administrative, technical, and physical safeguards to protect customer records, handle the secure disposal of those records, and oversee service providers that have access to customer information.

Concept Check

Under Regulation S-P, a firm must provide a privacy notice to customers at which of the following times?

Regulation S-P requires firms to provide a privacy notice at the time of account opening and annually thereafter. Customers must also be given the right to opt out of certain information sharing.

Concept Check

Under Regulation S-P, a broker-dealer must provide a customer with an initial privacy notice:

Regulation S-P requires an initial privacy notice at the time of establishing the customer relationship (at or before account opening). Firms must also provide annual privacy notices (though firms that have not changed their privacy policies and do not share data with non-affiliated third parties may be exempt under the FAST Act). An opt-out notice must be provided before sharing data with non-affiliated parties.

Concept Check

Under the 2024 amendments to Regulation S-P, if a broker-dealer experiences a data breach involving customer information, the firm must:

The 2024 amendments to Regulation S-P require firms to maintain a written incident response program and to notify affected individuals whose sensitive customer information was accessed without authorization. Notification must occur as soon as practicable but no later than 30 days after the firm becomes aware of the unauthorized access. This is a significant enhancement over the original Reg S-P framework, which did not include a specific breach notification timeline.

Summary Recap & exam traps

Chapter Essentials

Firms must create and keep detailed records. Trade confirmations go to the customer at or before completion of a transaction and must disclose the firm's capacity, either agent (commission) or principal (markup or markdown); account statements go out at least quarterly, or monthly when there is activity; and every firm must maintain a written business continuity plan under Rule 4370, reviewed at least annually and disclosed to customers. Retention follows a 3/4/6 pattern: major financial records (blotters, ledgers, customer account records) are kept 6 years, customer complaints 4 years, and correspondence and confirmations 3 years, with charters kept for the life of the firm plus three years.

Regulation S-P governs customer privacy. A firm gives an initial notice at or before account opening and an annual notice after that (subject to the FAST Act exception), and it must offer an opt-out before sharing nonpublic information with non-affiliated third parties; sharing with affiliates and service providers is not restricted. The 2024 amendments add a written incident response program and a breach-notification rule: affected customers must be told as soon as practicable, no later than 30 days after the firm learns of unauthorized access.

Exam Traps to Watch

The reliable gotchas in this chapter:

Retention runs 3, 4, or 6 years. Major financial records (blotters, ledgers, customer account records) are 6 years; customer complaints are 4 years; correspondence and confirmations are 3 years. Mismatching a record to its period is the classic retention trap.

Customer account records are 6 years after the account closes, not 6 years from opening. The clock starts at closure.

A confirmation must disclose capacity. Agent means a commission; principal means a markup or markdown. Expect a question that hinges on which one the customer paid.

Reg S-P opt-out covers non-affiliated third parties only. Sharing with affiliates, or with service providers acting for the firm, does not trigger an opt-out right.

The Reg S-P breach deadline is 30 days. From the 2024 amendments: notify affected customers as soon as practicable but no later than 30 days after learning of unauthorized access. Watch for distractor deadlines like 24 hours or 90 days.

The BCP is reviewed at least annually. Under Rule 4370 it is disclosed to customers at account opening and posted on the firm's website, with a senior manager responsible for carrying it out.