Regulatory Update

The Modernization of SEC Rule 17a-4

by Robert Cruz

Subscribe to the Smarsh Blog Digest

Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Listen to article highlights.

As you’ve most likely heard by now, the SEC released its final update to the SEC 17a-4 immutable storage requirement late last week. While there are plenty of details to unpack across 147 pages, here is a quick take-away of the changes and potential impact.

What changed and why

The immutable storage rule was modified to allow for the use of audit trail approaches to satisfy financial services recordkeeping requirements as an alternative to traditional ‘WORM’ storage approaches, as long as records can be recreated if modified or deleted.

The SEC’s stated objective is to modernize regulatory recordkeeping storage requirements to remove reference to obsolete technologies, such as “spinning disks,” CD-ROM, 8-track tapes, and other technologies from yesteryear. The updated rule focuses on preserving complete and accurate compliance records – not the means to achieve it.

The addition of the audit trail approach gives firms the option of “recreating” records if they can demonstrate that the records:

  • Are complete and time-stamped
  • Reflect any modifications, interim iterations or deletions

In theory, this alternative offers firms flexibility and cost savings, especially for smaller firms that may have only infrequently accessed a standalone third-party compliance archive.

Other changes

Beyond the modernization, the update also addresses the following:

Inclusion of securities-based swap dealers and participants
Firms that are not registered as broker-dealers but regulated under SEC 18a-6 are now — for the first time — also subject to SEC 17a-4.

Elimination of the 90-day notification requirement
While this removes a relatively minor administrative obligation, its removal makes it implicit that firms select storage vendors or third parties “with appropriate expertise” to meet regulatory obligations, as had been stated in the earlier rule.

Modification of the third-party downloader requirement

Firms now have the choice to either:

  1. Engage a third party to fulfill requests from regulators that they cannot or will not fulfill; or
  2. Appoint a Designated Executive Officer and the Officers’ designees, to provide electronic records

While this continues an existing obligation for those that choose to use a third-party downloader, it creates an additional client obligation for those that choose to designate an executive officer.

Reference to cloud service providers
The update acknowledges that many firms leverage recordkeeping systems owned or operated by a third party, such as cloud-based service infrastructure providers. The new language adds the requirement that firms must have "independent access" to records, meaning that firms can access the records "without the need of any intervention of the third party."

Expansion of back-up / redundant recordkeeping requirement
While the earlier rule required that firms maintain a separate system to store records, the revised language expands the requirement to a manner that "will serve as a redundant set of records … that is at least equal to the level that is achieved through using a backup recordkeeping system."

The market impact

As the SEC noted, the rule has evolved from "electronic storage media" to defining the obligation as maintaining an "electronic recordkeeping system," that encompasses systems and controls to preserve records in a digital format.

Despite audit trail being another technological approach that will be made obsolete by the next generation of technology, the revised rule emphasizes the responsibility for firms to have the expertise – and to work with appropriate third parties – to fulfill the requirements. While the impact to the industry is unclear, here are some of the considerations that firms should keep in mind in evaluating the new rule.

What is the benefit to the business?
While the update does provide additional flexibility, the determination of better-faster-cheaper is a fair question for firms to assess.

For very small firms with very basic requirements (e.g., approved use of email only, infrequent access to their compliance archive), this could allow them to 'check the box' at a lower cost. The updated rule will likely cause an evaluation of potential cost savings against the feasibility of modifying a core business communications platform to meet the audit-trail requirements and the cost of moving existing compliance records from a worm storage system.

For large firms, better is the operative phase to use in comparing alternatives. Their use of electronic recordkeeping systems typically supports multiple purposes, serving as the system of record to provide:

  • Supervisory oversight
  • The ‘source of truth’ for e-discovery and investigation
  • Power conduct surveillance processes

How is the rule update impacted by today's collaborative platforms?
The original SEC 17a-4 was written when firms were moving from paper to email. Now, they are doing business on a variety of collaborative platforms that include persistent chats, voice, video, bots and collaborative authoring.

What’s key for firms to consider is the complexity of attempting to account for all modifications, interim iterations, or deletions to an individual record within a single collaborative tool – much less across multiple heterogenous products across an entire organization.

The comparison in the release to trade blotters to account for all activities that have impacted a record can significantly understate the time and effort to meet the requirement. For example, not only must records be complete and accurate, they also must be transferred to regulators in both human- and machine-readable formats that allow regulators to carry out their oversight responsibilities.

In short, if your business runs on Microsoft Teams, Slack, and Zoom, determining the most effective approach to preserving and producing a complete record of today’s communications should not be a decision taken without careful analysis.

How will this impact cloud providers?
As more firms leverage public cloud infrastructure, the rule update can potentially impact their choice of service providers as the requirement indicates that the third party "will not impede or prevent the examination, access, download, or transfer of records by a regulator."

The added language here can also be noteworthy if firms are currently backing up or have redundant storage that doesn't provide equivalent capabilities, such as operation only in an active/passive configuration. The ability to provide self-service on highly available infrastructure is now the standard that firms will need from their cloud service providers.

How does this reconcile with recent SEC enforcement actions surrounding off-channel communications?
This may be the most important – and ironic – aspect of the SEC 17a-4 update. The SEC has stated unequivocally in recent enforcement actions that firms must move toward a posture that "recordkeeping is sacrosanct," and simply checking-the-box will be harder to demonstrate the supervisory oversight and culture of compliance that regulators expect.

The final thought

Modernization of the rule was necessary. Flexibility and options are better than none. But leveraging the most effective approach to preserve and produce business records has never been more important, nor the cost of non-compliance higher.

Share this post!

Robert Cruz
Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

Get a Quote

Tell us about yourself, and we’ll be in touch right away.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Contact Us

Tell us about yourself, and we’ll be in touch right away.