Whitepaper for SEC-17A-4 Rules
We have the tools and processes that make compliance happen.
Secure Archive Manager is a data management application developed by DataTrust Solutions to meet the archival storage needs of customers in regulated industries that are subject to compliance rules or governance policies. Secure Archive Manager enables administrators to create Archives and apply Policies to the records for the life of the records. Policies can be set to make data immutable forever or for a set period of time. Once records exceed a variable retention period they can be managed like ordinary files or automatically expunged from the archive. Legal Hold policies can be created and applied to files for any number of eDiscovery processes. This whitepaper is limited in scope and written for Exchange members subject to SEC rules 17a-3 and 17a-4.
Rule: Rule 17a-4(a)(b)(c)(d)(e) Preservation of Records
Requirements: Every member, broker and dealer subject to § 240.17a-3 shall maintain and preserve records for periods that range from three years to the life of the enterprise and any successor enterprises. These records are typically required to be maintained and preserved in an easily accessible place.
Solution: Secure Archive Manager allows the administrator to create retention policies for each type of record. During the retention period Secure Archive Manager preserves the records and protects them from any change or deletion attempt. The retention period can be variable or immutable with WORM (write once, read many). An audit trail of all actions on a record is tracked and available for review.
Rule: Rule 17a-4(f)(2)(ii)(A) Acceptable Media
Requirements: The electronic storage media must preserve the records exclusively in a non-rewriteable, non-erasable format. In 1997 the Securities and Exchange Commission (SEC) amended the primary rule 17a-4 to allow for the electronic storage of records and stated:
“A broker-dealer would not violate the requirement in paragraph (f)(2)(ii)(A) of the rule if it used an electronic storage system that prevents the overwriting, erasing or otherwise altering of a record during its required retention period through the use of integrated hardware and software control codes.”
Solution: Secure Archive Manager (SAM) fulfills this requirement by allowing the administrator to create a WORM policy and apply it to the storage SAM manages. A WORM policy prevents the changing, altering or deleting of a record forever. A Retention Policy provides the same protection as a WORM policy, but for a specified period of time.
Rule: Rule 17a-4(f)(2)(ii)(B) Quality Verification
Requirements: Verify automatically the quality and accuracy of the storage media recording process;
Solution: SAM uses selectable content-based cryptographic hash algorithms to calculate a digital fingerprint for each file archived to it. As a file is ingested into a memory buffer the digital fingerprint is calculated, and after the file is committed to storage the digital fingerprint is verified against the stored copy. If the digital fingerprints do not match, the file is discarded. A policy can be set to “re-verify” each file on subsequent read requests to detect bit-rot file corruption. These processes provide a complete validation of the accuracy of the recording process and guarantee the integrity of the contents over time.
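The ingest-then-verify and re-verify-on-read process described above, as an added illustration (this is not DataTrust's or SAM's code). Storage is simulated with an in-memory dictionary, the hash algorithm is selectable through `hashlib`, and the `_storage_fault` and `corrupt_for_demo` hooks are constructed purely to show the two failure modes: a bad write caught at commit time, and silent corruption caught on a later read.

```python
"""Added example, not part of the whitepaper or the SAM product:
fingerprint-on-ingest, verify-after-commit, re-verify-on-read."""
import hashlib
from typing import Dict


class IntegrityError(Exception):
    """Raised when a stored object's content no longer matches its fingerprint."""


class VerifyingStore:
    """Toy archive: every object carries a content fingerprint that is checked
    once after the write commits and optionally again on every read."""

    def __init__(self, algorithm: str = "sha256") -> None:
        if algorithm not in hashlib.algorithms_available:
            raise ValueError(f"unsupported hash algorithm: {algorithm}")
        self.algorithm = algorithm
        self._blobs: Dict[str, bytes] = {}          # simulated storage medium
        self._fingerprints: Dict[str, str] = {}     # fingerprint recorded at ingest

    def _digest(self, data: bytes) -> str:
        return hashlib.new(self.algorithm, data).hexdigest()

    def ingest(self, name: str, data: bytes, _storage_fault: bool = False) -> str:
        """Fingerprint the in-memory buffer, commit it, re-read and compare.
        Returns the fingerprint; discards the object and raises on mismatch."""
        expected = self._digest(data)
        written = bytes(data)
        if _storage_fault and written:
            # Constructed fault: flip the low bit of the last byte during the write.
            written = written[:-1] + bytes([written[-1] ^ 0x01])
        self._blobs[name] = written
        actual = self._digest(self._blobs[name])   # verify what was actually committed
        if actual != expected:
            del self._blobs[name]                   # recording failed: discard the file
            raise IntegrityError(f"{name}: commit verification failed")
        self._fingerprints[name] = expected
        return expected

    def read(self, name: str, reverify: bool = True) -> bytes:
        """Return the stored bytes; with reverify=True a fingerprint mismatch
        (e.g. bit rot on the medium) is reported instead of served."""
        data = self._blobs[name]
        if reverify and self._digest(data) != self._fingerprints[name]:
            raise IntegrityError(f"{name}: stored fingerprint mismatch (possible bit rot)")
        return data

    def corrupt_for_demo(self, name: str, offset: int) -> None:
        """Constructed helper: simulate media decay by flipping one bit in place."""
        blob = bytearray(self._blobs[name])
        blob[offset] ^= 0x80
        self._blobs[name] = bytes(blob)


if __name__ == "__main__":
    store = VerifyingStore("sha256")
    print("ingested:", store.ingest("trade-blotter-2023.csv", b"id,qty\n1,100\n"))
    store.corrupt_for_demo("trade-blotter-2023.csv", 3)
    try:
        store.read("trade-blotter-2023.csv")
    except IntegrityError as err:
        print("read rejected:", err)
```

The important design point is that the fingerprint is taken from the buffer before the write and compared against a fresh read of the committed bytes, so a faulty write path cannot produce a fingerprint that matches its own corrupted output. Whether to serve or reject a record whose re-verification fails is the policy decision the whitepaper describes.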
Rule: Rule 17a-4(f)(2)(ii)(C) Record Duplication and Time-Dating
Requirements: Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media;
Solution: SAM serializes media by assigning a globally unique identifier (GUID) to the original media and to any media containing duplicate copies of content. In addition, each file is serialized with a GUID that is maintained across all copies. SAM tracks the media locations of all original content and copies. All date-time retention requirements are preserved on the original record and on all copies.
Rule: Rule 17a-4(f)(2)(ii)(D) Downloadable Indexes and Records
Requirements: Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.
Solution: Indexes and data managed by SAM are available and accessible to authorized users or applications. Files and indexes can be readily copied to any media of choice, as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.
Rule: Rule 17a-4(f)(3)(i) Easily Readable Images
Requirements: If a member, broker, or dealer uses micrographic media or electronic storage media, it shall: (i) At all times have available, for examination by the staffs of the Commission and self-regulatory organizations of which it is a member, facilities for immediate, easily readable projection or production of micrographic media or electronic storage media images and for producing easily readable images.
Solution: All images and other content managed by SAM are available for examination at all times. SAM provides users and administrators an easy-to-use web browser interface to search for and view file or image content.
Rule: Rule 17a-4(f)(3)(ii) Facsimile Enlargement
Requirements: Be ready at all times to provide, and immediately provide, any facsimile enlargement which the Commission or its representatives may request.
Solution: SAM meets this requirement.
Rule: Rule 17a-4(f)(3)(iii) Separate Storage of Duplicate Records
Requirements: Store separately from the original, a duplicate copy of the record stored on any medium acceptable under Rule 17a-4 for the time required.
Solution: SAM can create multiple copies of data and store the duplicate copies on a different storage medium than the original. The original record and any copies maintain the same retention or WORM policies as the original.
Rule: Rule 17a-4(f)(3)(iv) Organizing and Indexing of Records
Requirements: “Organize and index accurately all information maintained on both original and any duplicate storage media.
(A) At all times, a member, broker, or dealer must be able to have such indexes available for examination by the staffs of the Commission and the self-regulatory organizations of which the broker or dealer is a member.
(B) Each index must be duplicated and the duplicate copies must be stored separately from the original copy of each index.
(C) Original and duplicate indexes must be preserved for the time required for the indexed records.”
Solution: All data and indexes managed by SAM are readily accessible to a valid user at all times. All original data and indexes are, by policy, duplicated and stored independently from the original copy of the data. All duplicate copies maintain the retention policy and enforcement assigned to the original copies. Some content management applications may maintain local indexes independent of the data archived to SAM; those applications are responsible for meeting the indexing and retention requirements of this rule.
Rule: Rule 17a-4(f)(3)(v) Audit System
Requirements: “The member, broker, or dealer must have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved pursuant to Rule 17a-3 and Rule 17a-4 to electronic storage media and inputting of any changes made to every original and duplicate record maintained and preserved thereby.
(A) At all times, a member, broker, or dealer must be able to have the results of such audit system available for examination by the staffs of the Commission and the self-regulatory organizations of which the broker or dealer is a member.
(B) The audit results must be preserved for the time required for the audited records.” The SEC interpretive release states: “The audit procedures for a storage system using integrated software and hardware codes to comply with paragraph (f) would need to provide accountability regarding the length of time records are stored in a non-rewriteable and non-erasable manner.”
Solution: SAM maintains several systems for auditing data and user activities. The inputting of records is tracked by file create time. The Policies assigned to each record are also tracked and logged into a database that is easily searchable. This information is also available via a searchable file browser interface under the properties settings, which contain file metadata, time stamps and policy settings such as retention or WORM. User actions such as file access, attempted modifications or deletions are logged and auditable. Third-party applications that provide access to content archived to SAM may have limited user action information and would need to be independently auditable.
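Added example (not DataTrust's or SAM's code) tying together the retention, WORM, Legal Hold and audit sections above: a small policy engine that decides whether a modify or delete request is allowed, records every decision in an audit trail, and expunges records only after their retention has expired. The `Record`, `Archive` and `AuditEvent` names, the three-year retention figure used in the demo, and the "system" actor for automatic expunges are all assumptions constructed for the illustration.

```python
"""Added example, not part of the whitepaper or the SAM product:
retention / WORM / legal-hold enforcement with an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Record:
    name: str
    created: datetime                 # ingest time; retention is counted from here
    retention_days: Optional[int]     # None means permanent WORM
    legal_holds: Set[str] = field(default_factory=set)   # hold ids; any hold blocks deletion
    expunge_on_expiry: bool = False   # automatically purge once retention lapses
    deleted: bool = False


@dataclass
class AuditEvent:
    when: datetime
    actor: str
    action: str
    record: str
    allowed: bool
    reason: str


class Archive:
    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        self.audit: List[AuditEvent] = []   # append-only decision log

    def add(self, rec: Record) -> None:
        self.records[rec.name] = rec
        self.audit.append(AuditEvent(rec.created, "ingest", "create", rec.name, True, "record ingested"))

    def retention_expires(self, rec: Record) -> Optional[datetime]:
        if rec.retention_days is None:
            return None
        return rec.created + timedelta(days=rec.retention_days)

    def is_immutable(self, rec: Record, now: datetime) -> Tuple[bool, str]:
        """Legal hold wins over everything; then permanent WORM; then the clock."""
        if rec.legal_holds:
            return True, "legal hold active: " + ", ".join(sorted(rec.legal_holds))
        expires = self.retention_expires(rec)
        if expires is None:
            return True, "permanent WORM policy"
        if now < expires:
            return True, f"retention in force until {expires.date().isoformat()}"
        return False, "retention period has expired"

    def request(self, actor: str, action: str, name: str, now: datetime) -> bool:
        """Evaluate a user action, log it whether allowed or denied, return the decision."""
        rec = self.records[name]
        if action == "read":
            allowed, reason = not rec.deleted, "read permitted" if not rec.deleted else "record expunged"
        elif action in ("modify", "delete"):
            immutable, reason = self.is_immutable(rec, now)
            allowed = not immutable and not rec.deleted
            if allowed and action == "delete":
                rec.deleted = True
        else:
            raise ValueError(f"unknown action: {action}")
        self.audit.append(AuditEvent(now, actor, action, name, allowed, reason))
        return allowed

    def sweep_expired(self, now: datetime) -> List[str]:
        """Automatic expunge pass: only records past retention, flagged for
        expunge and not under legal hold are removed; each removal is audited."""
        expunged: List[str] = []
        for rec in self.records.values():
            if rec.deleted or rec.legal_holds or not rec.expunge_on_expiry:
                continue
            expires = self.retention_expires(rec)
            if expires is not None and now >= expires:
                rec.deleted = True
                expunged.append(rec.name)
                self.audit.append(AuditEvent(now, "system", "expunge", rec.name, True, "retention expired"))
        return expunged

    def denied_events(self) -> List[AuditEvent]:
        """What an examiner would ask for first: every blocked change or delete."""
        return [e for e in self.audit if not e.allowed]
```

The ordering inside `is_immutable` is the substance: a Legal Hold must override an expired retention clock, and a permanent WORM policy must never fall through to the date comparison. Logging denied attempts as well as allowed ones is what makes the trail useful for the accountability requirement quoted above.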
Rule: Rule 17a-4(f)(3)(vi) Documentation
Requirements: “The member, broker, or dealer must maintain, keep current, and provide promptly upon request by the staffs of the Commission or the self-regulatory organizations of which the member, broker, or broker-dealer is a member all information necessary to access records and indexes stored on the electronic storage media; or place in escrow and keep current a copy of the physical and logical file format of the electronic storage media, the field format of all different information types written on the electronic storage media and the source code, together with the appropriate documentation and information necessary to access records and indexes.”
Solution: All records and images managed by SAM are readily accessible to valid users or applications at all times. All files are readily accessible using standard file system interfaces or via the S3 protocol. Additionally, all files and metadata are readily accessible via a file explorer interface in a web browser.
Rule: Rule 17a-4(f)(3)(vii) Third-party Access Filing
Requirements: “For every member, broker, or dealer exclusively using electronic storage media for some or all of its record preservation under this section, at least one third party (‘the undersigned’), who has access to and the ability to download information from the member’s, broker’s, or dealer’s electronic storage media to any acceptable medium under this section, shall file with the designated examining authority for the member, broker, or dealer the following undertakings with respect to such records: …” *The remaining text is omitted because it pertains specifically to the responsibilities of the third parties.
Solution: Authorized third-party organizations can access and download record information in its original data formats by accessing SAM via industry-standard interfaces (CIFS, NFS, or S3).
Rule: Rule 17 CFR Part 248.30 Procedures to safeguard customer records and information. Regulation S-P
Requirements: Every broker, dealer, ... registered with the Commission must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.
(a) Insure the security and confidentiality of customer records and information;
(b) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(c) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Solution: Records archived to and managed by SAM under a WORM or retention policy cannot be modified or deleted for the duration of the retention period. All files archived to SAM are individually encrypted with separate keys and are not readable outside of the SAM system. No content is readable on media removed from the SAM infrastructure. Access to content is managed by policy and can be fully restricted, preventing even system administrators from viewing records.
If you would like more information or to meet with a consultant, please reach out to Cheryl or Joe.
Joe Ferrerra
Customer Success Manager
Western Integrated Systems
Office: 415.989.1777 x29
Cheryl Ahrens Young, IGP, CIP, CTT+, APMD, CDIA+, ermM, ecmP
Western Integrated Systems
Cheryl.email@example.com
Office: 415.989.1777 x31