SEA Rule 17a-4 Compliance Services

2017 Regulatory and Examination Priorities Letter

In its 2017 Regulatory and Examination Priorities Letter, FINRA informed firms that its 2017 cycle examinations would include a review of B/D compliance with the requirements of SEA Rule 17a-4. FINRA stated, “in multiple instances, firms have failed to fulfill one or more of their obligations under Securities Exchange Act (SEA) Rule 17a-4(f) that requires firms to, among other things, preserve certain records in a non-rewriteable, non-erasable format, commonly known as write once read many (WORM) format.”

Since 2007-2008, B/Ds have generally satisfied Rule 17a-4’s requirements pertaining to the archiving of emails. Until recently, however, it was difficult to find a cost-effective, WORM storage system for a B/D’s static files (PDF, Excel, Word, etc.). As shown below, cost-effective and fully compliant archiving services are now available through reputable providers including Amazon, Google, and Microsoft.

SEA Rule 17a-4

SEA Rule 17a-4(f) allows a B/D “to employ, under certain conditions, electronic storage media” to preserve its required books and records (Release No. 34-38245).

Rule 17a-4(f) has two main requirements:

• Compliant Data Backup
  17a-4(f)(3)(iii) requires a B/D to “store separately from the original, a duplicate copy of the [firm’s electronic records]….” This storage must comply with the standards (non-erasable, non-rewriteable) set forth in 17a-4(f)(2)(ii). In recent years, reputable technology providers, including Amazon, Google, and Microsoft, have developed 17a-4-compliant archiving services. Amazon’s Object Lock, Google’s Bucket Lock, and Microsoft’s Preservation Lock features allow a B/D to preserve records in a manner that complies with the requirements of Rule 17a-4(f).
  • Amazon S3 Receives Third-Party Assessment for SEC Rule 17a-4(f) from Cohasset Associates
  • Google Cloud Storage meets the requirements of SEC Rule 17a-4
  • Use Exchange Online and the Security & Compliance Center to Comply with SEC Rule 17a-4

• Designated Third Party (“D3P”)
  17a-4(f)(3)(vii) requires a B/D to engage the services of “at least one third party…, who has access to and the ability to download information from the [B/D’s] electronic storage media.” To address this requirement, SIRS offers its D3P services. Through a contractual agreement, SIRS establishes access to the B/D’s records. For an annually renewable service charge of $500, SIRS’ staff will remain continually available to respond to regulatory requests for document retrieval services.

---

17a-4 Certifications Provided

Since 2007, SIRS has been a respected provider of SEA Rule 17a-4, D3P services. SIRS is listed in the FINRA Compliance Vendor Directory.

By subscribing to SIRS’ D3P services, you will receive the following:

• Third-party Undertaking Letter
  Rule 17a-4 requires each B/D to file an undertaking letter, signed by its designated third party, with the B/D’s designated examining authority. SIRS will provide your firm with this signed undertaking letter.
• Storage Media Representation Template
  This form provides the storage media representation required by 17a-4(f)(2)(i).

To comply with 17a-4’s electronic storage media requirements, a B/D must use FINRA’s Firm Gateway application to submit these two required filings.