SEC Rules 17a-4 and 18a-6
Overview - SEC Recordkeeping on AWS
Broker-dealers (BDs), security-based swap dealers (SBSDs), and major security-based swap participants (MSBSPs) are using AWS’s cloud services to produce, maintain, and preserve electronic records.
The US Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and the Financial Industry Regulatory Authority (FINRA) have recordkeeping rules that establish the types of records that covered entities must maintain. SEC and FINRA rules also set out requirements that covered entities must meet if they store these records on “electronic storage media” (ESM) such as Amazon S3, Amazon FSx for NetApp ONTAP, or AWS Backup. For customers in the financial services industry, Amazon S3 Object Lock, Amazon S3 Glacier Vault Lock, Amazon FSx for NetApp ONTAP with SnapLock, or AWS Backup Vault Lock provide added support for customers who choose to retain records in a non-erasable and non-rewritable (WORM) format. Customers can easily designate the records retention timeframe to retain regulatory archives in the original form for the required duration, and also place legal holds to retain data until the hold is removed. Please note that the latest version of Rule 17a-4 adds an audit-trail alternative to the non-erasable and non-rewritable requirement.
Cohasset Associates, a third-party management consulting firm that specializes in records management and information governance, has produced reports describing how Amazon S3 Object Lock, Amazon S3 Glacier Vault Lock, Amazon FSx for NetApp ONTAP with SnapLock, and AWS Backup Vault Lock, when properly configured, can help customers meet their compliance requirements described in SEC, CFTC and FINRA rules. AWS customers can also use AWS services to store or replicate data in multiple regions, encrypt their data in motion and at rest, and use tools such as AWS CloudTrail to enable governance, compliance, and auditing of their AWS account. AWS understands financial services institutions have unique security, regulatory, and compliance obligations. AWS’s financial services industry specialists are ready to assist customers in building with AWS technologies.
AWS offers its customers separate contractual addenda for 17a-4 and 18a-6. After the appropriate addendum in AWS Artifact is electronically accepted by the Customer, AWS will send a signed Letter of Undertaking to the SEC, pursuant to Section 17 CFR 240.17a-4(i)(1)(ii)(A) or 17 CFR 240.18a-6(f)(1)(ii)(A), as applicable. For information on how to accept contractual addenda terms for your eligible AWS Account(s) containing 17a-4 or 18a-6 records, please see the instructions within the Agreements section of AWS Artifact.
Contact our industry experts to explore broker-dealer recordkeeping on AWS today.
What are rules 17a-4 and 18a-6?
Rules 17a-4 and 18a-6 describe electronic recordkeeping requirements for broker-dealers, security-based swap dealers, and major security-based swap participants. Rule 17a-4 applies to broker-dealers, including those registered as SBSDs and MSBSPs. Rule 18a-6 applies to SBSDs and MSBSPs that are not also registered as broker-dealers (“SBS Entities”).
How does AWS help customers comply with these rules?
AWS offers customers separate 17a-4 and 18a-6 contractual addenda to their Customer Agreement or Enterprise Agreement. You may review and electronically accept the appropriate addenda in the Agreements section of AWS Artifact. Provided you meet all terms and conditions listed when you electronically accept the agreement in AWS Artifact, AWS will file a Letter of Undertaking directly with the SEC, based upon the registrant information you provide to AWS, in accordance with Section 17 CFR 240.17a-4(i)(1)(ii)(A) or 17 CFR 240.18a-6(f)(1)(ii)(A), as applicable. AWS does not act as a Designated Third Party (“D3P”), or file undertakings, pursuant to Section 17 CFR 240.17a-4(f)(3)(v)(A) or 17 CFR 240.18a-6(e)(3)(v)(A).
To review, accept, and view the status of the 17a-4 or 18a-6 addenda for your account, sign in to AWS Artifact in the AWS Management Console from the account(s) you use to maintain and preserve covered records. If you don’t have access to your account, request a free IAM account from your administrator and ask for access to Artifact IAM policies.
I am an AWS Customer that is not regulated by 17a-4 or 18a-6 but I have end users who are regulated by one or both of these Rules. What should I do?
In addition to accepting the addendum in AWS Artifact, is there anything else I need to do before AWS can file a Letter of Undertaking with the SEC?
Yes. Please follow the instructions in AWS Artifact, and be ready to provide AWS your registrant name and registration number. AWS will use this information to complete the Letter before sending to the SEC.
Will AWS provide the Letter of Undertaking directly to the SEC?
AWS will file a Letter of Undertaking directly with the SEC on behalf of eligible customers, pursuant to Section 17 CFR 240.17a-4(i)(1)(ii)(A) or 17 CFR 240.18a-6(f)(1)(ii)(A), as applicable. AWS will make a copy of the Undertaking AWS files with the SEC available to you after submission. AWS does not act as a Designated Third Party (“D3P”), or file undertakings, pursuant to Section 17 CFR 240.17a-4(f)(3)(v)(A) or 17 CFR 240.18a-6(e)(3)(v)(A).