Mandatory Metadata Fields for FINRA Audits
FINRA Rule 4511 points to SEC Rule 17a-4 for how records must be made and preserved: accurate, complete, immutable (WORM or equivalent), and retained for specified periods.
Minimum Per-Record Metadata
For Markdown-based "books and records":
Identity
| Field | Type | Description |
|---|---|---|
record_id | UUID | Stable, unique identifier |
record_type | enum | customer_communication, order_ticket, supervisory_procedure, trade_blotter |
Business Context
| Field | Type | Description |
|---|---|---|
account_id | string | Customer account (where applicable) |
customer_id | string | Customer identifier |
business_unit | string | Organizational unit |
desk | string | Trading desk |
product | string | Financial product |
Regulatory Mapping
| Field | Type | Description |
|---|---|---|
rules | string[] | ["FINRA-4511", "SEC-17a-4", "SEC-17a-3"] |
Authorship and Timestamps
| Field | Type | Description |
|---|---|---|
created_at | timestamp | Record creation time |
created_by | string | Author user ID |
received_at | timestamp | For inbound communications |
sent_at | timestamp | For outbound communications |
last_modified_at | timestamp | Content modification time |
Note: For WORM compliance, "modifications" create new records/versions, not in-place edits.
Retention
| Field | Type | Description |
|---|---|---|
retention_category | string | communications-6y, trade-record-3y |
retention_period_years | int | 3, 6, or 7 with legal basis |
retain_until | date | Computed destruction date |
legal_hold | boolean | Hold flag |
legal_hold_reason | string | Why hold was placed |
Integrity and Storage
| Field | Type | Description |
|---|---|---|
content_hash | string | SHA-256 of Markdown content |
worm_storage_location | string | WORM archive location |
archive_bucket_id | string | Storage bucket identifier |
Status & Lineage
| Field | Type | Description |
|---|---|---|
status | enum | active, superseded, archived |
supersedes_record_id | UUID | Previous version |
superseded_by_record_id | UUID | Next version |
Schema Reference
Data Structure
field_name:
type: string
required: true
description: Field description
example: "example_value"
API Reference
Endpoint Overview
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/resource | List resources |
| POST | /api/v1/resource | Create resource |
| PUT | /api/v1/resource/:id | Update resource |
| DELETE | /api/v1/resource/:id | Delete resource |
YAML Frontmatter Example
---
record_id: "550e8400-e29b-41d4-a716-446655440123"
record_type: "supervisory_procedure"
# Business Context
business_unit: "Equities Trading"
desk: "Institutional Sales"
product: "Equity Options"
# Regulatory
rules:
- "FINRA-4511"
- "SEC-17a-4"
- "SEC-17a-3"
# Timestamps
created_at: "2025-01-15T10:30:00Z"
created_by: "user-456"
last_modified_at: "2025-01-15T10:30:00Z"
# Retention
retention_category: "supervisory-procedure-6y"
retention_period_years: 6
retain_until: "2031-01-15"
legal_hold: false
legal_hold_reason: null
# Integrity
content_hash: "sha256:a1b2c3d4e5f6..."
worm_storage_location: "s3://finra-archive/2025/01/550e8400.worm"
# Status
status: "active"
supersedes_record_id: null
superseded_by_record_id: null
---
FINRA Record Categories
| Category | Retention | Example Records |
|---|---|---|
| Customer communications | 6 years | Emails, letters, instant messages |
| Order tickets | 3 years | Trade confirmations, order records |
| Trade blotters | 6 years | Daily trading activity |
| Supervisory procedures | 6 years | Compliance policies, procedures |
| Customer complaints | 4 years | Written complaints, resolutions |
| Account records | 6 years | Customer account documentation |
Auditor Focus Areas
Auditors will focus heavily on:
- Accurate timestamps - Precise creation and modification times
- Clear regulatory mapping - Which rules apply to this record
- Retention duration - Proper retention periods applied
- Demonstrable immutability - Record and metadata cannot be altered