SEC Rules 17a-4 and 18a-6
AWS will offer separate contractual addenda for you to comply with SEC Rules 17a-4 and 18a-6 recordkeeping requirements. The 17a-4 addendum is available now and you may review and accept it in the Agreements section of AWS Artifact using the AWS account you use to maintain and preserve covered records. AWS will submit a Letter of Undertaking to the SEC after you accept the 17a-4 addendum.
PLEASE NOTE: The compliance deadline for SEC Rule 18a-6 is November 3, 2023. The 18a-6 addendum will be posted in Artifact for review and acceptance soon. For more information about these Rules and our process, please see the FAQ below.
Overview - SEC Recordkeeping on AWS
Broker-dealers (BDs), security-based swap dealers (SBSDs), and major security-based swap participants (MSBSPs) are using AWS’s cloud services to produce, maintain, and preserve electronic records.
The US Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC) and the Financial Industry Regulatory Authority (FINRA) have recordkeeping rules that establish the types of records that regulated broker-dealers (BDs) must maintain. SEC and FINRA rules also set out requirements that BDs must meet if they store these records on “electronic storage media” (ESM) such as Amazon S3. For customers in the financial services industry who choose to retain records in a non-erasable and non-rewritable (WORM) format, Amazon S3 Object Lock and Amazon S3 Glacier Vault Lock provide added support. Customers can easily designate the records retention timeframe to retain regulatory archives in the original form for the required duration, and also place legal holds to retain data until the hold is removed. Please note that the latest version of Rule 17a-4 adds an audit-trail alternative to the non-erasable and non-rewritable requirement.
Cohasset Associates, a third-party management consulting firm that specializes in records management and information governance, has produced reviews describing how Amazon S3 Object Lock and Amazon S3 Glacier Vault Lock satisfy the technical requirements in SEC, CFTC and FINRA rules. This gives AWS customers confidence, for example, that they can use these services to store immutable record objects and metadata. AWS customers can also use AWS services to store or replicate data in multiple regions, encrypt their data in motion and at rest, and use tools such as AWS CloudTrail to enable governance, compliance, and auditing of their AWS account. AWS understands financial services institutions have unique security, regulatory, and compliance obligations. AWS’s financial services industry specialists are ready to assist customers in building with AWS technologies.
Amazon S3 Object Lock and Amazon S3 Glacier Vault Lock enable users to preserve record objects and metadata in an immutable form. See Protecting data with Amazon S3 Object Lock for an overview of the S3 Object Lock configuration.
AWS offers separate contractual addenda for 17a-4 and 18a-6. Once the appropriate addendum is electronically accepted in AWS Artifact, AWS will send a signed Letter of Undertaking to the SEC, pursuant to Section 17 CFR 240.17a-4(i)(1)(ii)(A) or 17 CFR 240.18a-6(f)(1)(ii)(A), as applicable.
Contact our industry experts to explore broker-dealer recordkeeping on AWS today.
What are rules 17a-4 and 18a-6?
Rules 17a-4 and 18a-6 describe electronic recordkeeping requirements for broker-dealers, security-based swap dealers, and major security-based swap participants. Rule 17a-4 applies to broker-dealers, including those registered as SBSDs and MSBSPs. Rule 18a-6 applies to SBSDs and MSBSPs that are not also registered as broker-dealers (“SBS Entities”).
How does AWS help customers comply with these rules?
AWS offers separate 17a-4 and 18a-6 contractual addenda, which you may review and electronically accept in the Agreements section of AWS Artifact. Provided you meet all terms and conditions listed when you electronically accept the agreement in AWS Artifact, AWS will file a Letter of Undertaking with the SEC based upon the registrant information you provide to AWS.
To review, accept, and view the status of the 17a-4 or 18a-6 addenda for your account, sign in to AWS Artifact in the AWS Management Console from the account you use to maintain and preserve covered records. If you don’t have access to your account, request a free IAM account from your administrator and ask for access to Artifact IAM policies.
I am an AWS Customer that is not regulated by 17a-4 or 18a-6 but I have end users who are regulated by one or both of these Rules. What should I do?
Please contact our industry experts with your questions. We will work with you to provide the appropriate paperwork or documents, as needed.
In addition to accepting the addendum in AWS Artifact, is there anything else I need to do before AWS can file a Letter of Undertaking with the SEC?
Yes. Please follow the instructions in AWS Artifact, and be ready to provide AWS your registrant name and registration number. AWS will use this information to complete the Letter before sending it to the SEC.
Will AWS provide the Letter of Undertaking directly to the SEC?
AWS will send the Letter of Undertaking directly to the SEC for each covered entity pursuant to Section 17 CFR 240.17a-4(i)(1)(ii)(A) or 17 CFR 240.18a-6(f)(1)(ii)(A), as applicable. After submission, AWS will make available to you a copy of the Undertaking that AWS files with the SEC.