SEC Rules 17a-4 and 18a-6

AWS will offer separate contractual addenda for you to comply with SEC Rules 17a-4 and 18a-6 recordkeeping requirements. The 17a-4 addendum is available now and you may review and accept it in the Agreements section of AWS Artifact using the AWS account you use to maintain and preserve covered records. AWS will submit a Letter of Undertaking to the SEC after you accept the 17a-4 addendum. 

*PLEASE NOTE: The compliance deadline for SEC Rule 18a-6 is November 3, 2023. The 18a-6 addendum will be posted in Artifact for review and acceptance soon. For more information about these Rules and our process, please see the FAQ below.

Overview - SEC Recordkeeping on AWS

Broker-dealers (BDs), security-based swap dealers (SBSDs), and major security-based swap participants (MSBSPs) are using AWS’s cloud services to produce, maintain, and preserve electronic records.

The US Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC) and the Financial Industry Regulatory Authority (FINRA) have recordkeeping rules that establish the types of records that regulated BDs must maintain. SEC and FINRA rules also set out requirements that BDs must meet if they store these records on “electronic storage media” (ESM) such as Amazon S3. For customers in the financial services industry, Amazon S3 Object Lock and Amazon S3 Glacier Vault Lock provide added support for customers who choose to retain records in a non-erasable and non-rewritable (WORM) format. Customers can easily designate the records retention timeframe to retain regulatory archives in the original form for the required duration, and also place legal holds to retain data until the hold is removed. Please note that the latest version of Rule 17a-4 adds an audit-trail alternative to the non-erasable and non-rewritable requirement.

Cohasset Associates, a third-party management consulting firm that specializes in records management and information governance, has produced reviews describing how Amazon S3 Object Lock and Amazon S3 Glacier Vault Lock satisfy the technical requirements in SEC, CFTC and FINRA rules. This gives AWS customers confidence, for example, that they can use these services to store immutable record objects and metadata. AWS customers can also use AWS services to store or replicate data in multiple regions, encrypt their data in motion and at rest, and use tools such as AWS CloudTrail to enable governance, compliance, and auditing of their AWS account. AWS understands financial services institutions have unique security, regulatory, and compliance obligations. AWS’s financial services industry specialists are ready to assist customers in building with AWS technologies.

Amazon S3 Object Lock and Amazon S3 Glacier Vault Lock enable users to preserve record objects and metadata in an immutable form. See Protecting data with Amazon S3 Object Lock for an overview of the S3 Object Lock configuration.

AWS offers separate contractual addenda for 17a-4 and 18a-6. Once the appropriate addendum is electronically accepted in AWS Artifact, AWS will send a signed Letter of Undertaking to the SEC, pursuant to Section 17 CFR 240.17a-4(i)(1)(ii)(A) or 17 CFR 240.18a-6(f)(1)(ii)(A), as applicable.

Contact our industry experts to explore broker-dealer recordkeeping on AWS today.
