Under SEC Rule 17Ad-7, a transfer agent is legally required to maintain a “Recordkeeping Policy” that dictates how long documents are kept and how they are stored.
As of 2026, the SEC has shifted heavily toward “Audit-Trail” methodology, meaning your software must save not only each record but also every single change made to that record (who, what, and when).
📄 Transfer Agent Record Retention Policy (Template)
1. Retention Schedule (The “Clock”)
We will maintain records according to the following statutory periods:
| Record Type | Retention Period | Storage Requirement |
|---|---|---|
| Fingerprint Records | Term + 3 Years | Easily accessible place |
| Control Book (Total Shares) | Permanent | During agency + 6 years after |
| Master Securityholder File | Permanent | During agency + 6 years after |
| Cancelled Certificates | 6 Years | First 6 months easily accessible |
| Daily Buy/Sell Blotters | 2 Years | First year easily accessible |
| Reg S-P Breach Notifications | 5 Years | (2026 Amended Requirement) |
2. Electronic Storage Standards (Rule 17Ad-7(f))
Since we utilize electronic media for recordkeeping, our systems must:
- Audit Trail: Maintain a complete, time-stamped audit trail of all modifications and deletions. This must include the identity of the person making the change.
- Integrity: Use manual and automated controls to detect any attempt to alter or remove a record.
- Duplicate Records: Maintain a duplicate copy of all records and indexes in a separate, off-site, or geographically diverse cloud location.
- Escrow Requirement: We must keep an updated copy of the software and “source code” (or the ability to download data into a human-readable format) in an independent escrow to ensure the SEC can access records if our company fails.
3. Immediate Accessibility
In the event of an SEC examination, our firm will be able to:
- Promptly Download: Produce any requested record on paper or in a “reasonably usable electronic format” (e.g., CSV or PDF) within 24 hours.
- Indexing: Maintain an accurate, up-to-the-minute index of all stored records to allow for immediate searching.
4. 2026 Privacy Addendum (Regulation S-P)
Under the June 2026 deadline for smaller entities:
- Sensitive Data: All records containing SSNs, Tax IDs, or bank info must be encrypted at the “field level.”
- Disposal: When the retention period expires, digital records must be “wiped” or “overwritten” using NIST-compliant methods to ensure they are non-reconstructable.
🛠️ Implementation Step
If you are using third-party software (like Carta or DealMaker), you do not have to build this from scratch. However, you must ask the vendor for a “17Ad-7 Compliance Letter.” This letter is what you show the SEC during an audit to prove that the vendor's software meets these “audit trail” and “escrow” requirements.