SEC Rule 17a-4(f)
Overview - Broker-dealer Recordkeeping on AWS
The US Securities and Exchange Commission (SEC), Commodities Futures Trading Commission (CFTC) and the Financial Industry Financial Authority (FINRA) have recordkeeping rules that establish the types of records that regulated broker-dealers (BDs) must maintain. SEC and FINRA rules also set out requirements that BDs must meet if they store these records on “electronic storage media” (ESM) such as AWS Storage Services. For customers in the financial services industry, Amazon S3 Object Lock and Amazon S3 Glacier Vault Lock provide added support for BDs who must retain records in a non-erasable and non-rewritable format. Customers can easily designate the records retention timeframe to retain regulatory archives in the original form for the required duration, and also place legal holds to retain data until the hold is removed.
Cohasset Associates, a third-party management consulting firm that specializes in records management and information governance, has produced reviews describing how Amazon S3 Object Lock and Amazon S3 Glacier Vault Lock satisfy the technical requirements in SEC, CFTC and FINRA rules. This gives AWS customers confidence, for example, that they can use these services to store immutable record objects and metadata. AWS customers can also use AWS services to store or replicate data in multiple regions, encrypt their data in motion and at rest, and use tools such as AWS CloudTrail to enable governance, compliance, and auditing of their AWS account. AWS understands financial services institutions have unique security, regulatory, and compliance obligations. AWS’s financial services industry specialists are ready to assist customers in building with AWS technologies.
Amazon S3 Object Lock and Amazon S3 Glacier Vault Lock enable users to preserve record objects and metadata in an immutable form. See Protecting data with Amazon S3 Object Lock for an overview of the S3 Object Lock configuration. This feature assists BDs in complying with SEC and FINRA requirements that require records stored through ESM be preserved exclusively in a non-rewritable, non-erasable format.
Please note that, if a BD uses ESM exclusively to store required books and records, then it must appoint a “designated third party” (D3P) who can access such books and records. BDs should seek their own professional advice on applicable regulatory requirements for appointing their D3P. While AWS services can assist customers with storage and retention solutions, AWS does not act as D3P.
Contact our industry experts to explore broker-dealer recordkeeping on AWS today.