Taking up the Rule 17a-4 data-storage challenge with people, process, and WORM tape
As federal regulations go, Rule 17a-4 sounds benign enough. But it's almost certainly been the cause of numerous ulcers for broker-dealers trying to deal with the rigorous data-retention requirements a 2003 Securities and Exchange Commission interpretation lays out.
Part of the Securities Exchange Act of 1934, Rule 17a-4 specifies how records created by broker-dealers—including financial accounting documents and communications with clients—must be kept as put down in 17a-4's companion rule, 17a-3. 17a-4 also prescribes how long those records must be kept.
Catching up somewhat belatedly to changes in technology, in 1997 the SEC amended Rule 17a-4 to allow broker-dealers to store records electronically. The amended rule didn't specify what type of media the records needed to be stored on, only that it "preserve the records exclusively in a non-rewriteable, non-erasable format."
The good old data days
At the time, this meant writing the data onto DVDs, CD-ROMs, or other optical discs—formats which, intrinsically, were unrewriteable once written on. In other words, the hardware itself was the data-integrity defender. As such, these types of media were clearly in compliance with the SEC's requirements of unalterable record storage.
But as technology continued to change, broker-dealers began asking the SEC if they could store their data on newer systems—systems that used hardware in tandem with software to make data unalterable on storage media that was otherwise built to be altered, like computer hard drives.
With the new data-storing technology, then, only software code would prevent users from making changes—something that may have started some SEC higher-ups on the road to their own ulcers. In the end, the agency's guidance on Rule 17a-4, as laid out in its 2003 interpretation, was simply to set up-to-date standards that non-rewriteable, non-erasable electronic storage media must meet, rather than to specify the type of technology that can be used.
Not so fast
But that didn't make things suddenly straightforward for broker-dealers. Rule 17a-4 gets into plenty of specifics regarding how data must be kept, including how storage must:
- Verify the quality and accuracy of the recording process automatically.
- Serialize the original and, if applicable, duplicate units of storage media.
- Time-date the required period of retention of the data stored.
- Be able to download stored data to any medium acceptable to the SEC or enquiring SROs.
Additionally, systems that use software techniques like authentication policies, passwords, or other extrinsic security controls are not considered unalterable and are therefore noncompliant, as are systems that just create a “fingerprint” of a record based on its content. Rule 17a-4 gives broker-dealers a lot to manage from a technological and regulatory standpoint.
So let it be written, so let it be compliant
StarCompliance helps clients tackle this complex data-storage challenge by, first and foremost, taking a "save everything" approach—meaning the STAR Platform snapshots every data change on every table, and then saves the changes in a full history record. As such, it's always possible to see all data as it appeared at any point in the history of that record.
All data retained is stored in a relational database using Microsoft SQL Server. The SEC often discusses Rule 17a-4 storage requirements in terms of records being discrete documents. While this is true for some records, such as firm-client email communications, the situation is less clear for structured data that may be stored across many tables and have a number of different purposes.
Relational databases like Microsoft SQL Server are specifically designed to handle just such structured data. But even this exhaustive, data-savvy records-capture process doesn't in and of itself fully satisfy Rule 17a-4.
Up to this point in the process, it remains theoretically possible for a user with the appropriate level of access to modify data after the fact, so Star offers as an option a database backup to WORM tape. WORM is short for Write Once, Read Many. While magnetic tape is typically known as a rewriteable medium, WORM tape uses a hardware-software combination, like the kind mentioned earlier, to make a storage system that's verifiably unalterable and hence definitively Rule 17a-4 compliant.
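The two points above, that a full change history lets any past state be reconstructed and that a sufficiently privileged user can still alter that history inside the database, shown as an added example (not StarCompliance's code; SQLite stands in for SQL Server, and the table names, triggers and timestamps are constructed for illustration):

```python
import sqlite3

# Constructed schema: one business table, its history table, and a clock
# table that the demo sets so that change timestamps are deterministic.
SCHEMA = """
CREATE TABLE clock (now TEXT NOT NULL);
INSERT INTO clock VALUES ('');
CREATE TABLE holdings (account TEXT PRIMARY KEY, position INTEGER);
CREATE TABLE holdings_history (
    seq INTEGER PRIMARY KEY AUTOINCREMENT, changed_at TEXT NOT NULL,
    op TEXT NOT NULL, account TEXT NOT NULL, position INTEGER);
CREATE TRIGGER holdings_ins AFTER INSERT ON holdings BEGIN
    INSERT INTO holdings_history (changed_at, op, account, position)
    SELECT now, 'I', NEW.account, NEW.position FROM clock; END;
CREATE TRIGGER holdings_upd AFTER UPDATE ON holdings BEGIN
    INSERT INTO holdings_history (changed_at, op, account, position)
    SELECT now, 'U', NEW.account, NEW.position FROM clock; END;
CREATE TRIGGER holdings_del AFTER DELETE ON holdings BEGIN
    INSERT INTO holdings_history (changed_at, op, account, position)
    SELECT now, 'D', OLD.account, NULL FROM clock; END;
"""

def as_of(conn, ts):
    """Rebuild the holdings table as it stood at timestamp ts."""
    rows = conn.execute("""
        SELECT h.account, h.position FROM holdings_history h
        WHERE h.seq = (SELECT MAX(seq) FROM holdings_history
                       WHERE account = h.account AND changed_at <= ?)
          AND h.op <> 'D' ORDER BY h.account""", (ts,)).fetchall()
    return dict(rows)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    def at(ts, sql):                      # run one change at a given time
        conn.execute("UPDATE clock SET now = ?", (ts,))
        conn.execute(sql)
    at("2024-01-02T09:00", "INSERT INTO holdings VALUES ('ACC-1', 100)")
    at("2024-01-05T14:30", "UPDATE holdings SET position = 250")
    at("2024-01-09T11:15", "DELETE FROM holdings WHERE account = 'ACC-1'")
    result = {d: as_of(conn, ts) for d, ts in
              [("day3", "2024-01-03T00:00"), ("day6", "2024-01-06T00:00"),
               ("day10", "2024-01-10T00:00")]}
    # A user with write access to the history table edits the first row;
    # the same as-of query now returns a different past, with no trace.
    conn.execute("UPDATE holdings_history SET position = 90 WHERE op = 'I'")
    result["day3_after_edit"] = as_of(conn, "2024-01-03T00:00")
    return result
```

Nothing inside the database records that the first history row was rewritten, which is why the history on its own is not treated as unalterable and a copy on write-once media is kept alongside it.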
Because of its reputation as a tamperproof data-storage system and its SEC friendliness, WORM tape has become a go-to Rule 17a-4 data-storage system.
Keep calm and carry on with your business
The STAR Platform also keeps a comprehensive index of database backups, and everything collected is encrypted, labeled, and stored in an offsite location—with all pertinent data readily retrievable if the SEC, FCA, FINRA, or other regulatory body a broker-dealer answers to comes calling.
Rule 17a-4 compliance needn't be daunting. Partner with people who know the ins and outs, and leave the ulcers to the SEC.