In 1937, the Securities and Exchange Commission (SEC) set out rules that stipulated records retention requirements for

Fantastic news! We've Found the answer you've been seeking!

Question:

In 1937, the Securities and Exchange Commission (SEC) set out rules that stipulated records retention requirements for securities brokers and dealers. The SEC's concern was (and is) that records of financial transactions not be altered after the fact, that they be retained for a stipulated period of time, and that indexes be created so that the records can be readily searched.

In 1937, the rules assumed that such records were recorded on paper media. With the rise of information systems storage, the SEC updated the rules in 1997 by stating that such records can be kept electronically, provided that the storage devices are write once, read many times (WORM) devices. This rule was readily accepted by the financial services industry because the first CDs and DVDs were WORM devices.

However, as technology developed, broker-dealers and other financial institutions wanted to store records using regular disk storage and petitioned the SEC for guidance on how they might do that. In May 2003, the SEC interpreted the rule to enable the storage of such records on read-write medium, provided that the storage mechanism included software that would prohibit data alternation:

A broker-dealer would not violate the requirement in paragraph (f)(2)(ii)(A) of the rule if it used an electronic storage system that prevents the overwriting, erasing or otherwise altering of a record during its required retention period through the use of integrated hardware and software control codes. Rule 17a-4 requires broker-dealers to retain records for specified lengths of time. Therefore, it follows that the non-erasable and non-rewriteable aspect of their storage need not continue beyond that period.

Notice the SEC specifically excludes extrinsic controls such as authentication, passwords, and manual procedures because it believes it would be possible for such systems to be readily misused to overwrite records. The SEC is striking a fine line in this ruling; if, for example, someone were to tamper with the storage systems' software, it would be possible to overwrite data. Apparently, the SEC assumes such tampering would be illegal and so rare as to not be a concern.

Given this ruling, organizations began to develop systems in compliance. The NASDAQ OMX Group, a multinational corporation that owns and operates the NASDAQ stock market as well as eight European exchanges, developed FinQloud, a cloudbased storage system that is compliant with the SEC's (and other regulating organizations') rulings NASDAQ OMX operates in 70 different markets, in 50 countries worldwide, and claims that it processes one out of 10 stock transactions worldwide.11

Figure shows the fundamental structure of the FinQloud system. On the back end, it uses Amazon's S3 product to provide scalable, elastic storage. When financial institutions submit records to FinQloud for storage. FinQloud.

The Commission's interpretation does not include storage systems that only mitigate the risk a record will be overwritten or erased. Such systems?which may use software applications to protect electronic records, such as authentication and approval policies, passwords or other extrinsic security controls?do not maintain the records in a manner that is non-rewriteable and non-erasable. The external measures used by these other systems do not prevent a record from being changed or deleted. For example, they might limit access to records through the use of passwords. Additionally, they might create a "finger print" of the record based on its content. If the record is changed, the fingerprint will indicate that it was altered (but the original record would not be preserved). The ability to overwrite or erase records stored on these systems makes them non-compliant with Rule 17a-4(f).10 processes the data in such a way that it cannot be updated, encrypts the data, and transmits the processed, encrypted data to AWS. where it is encrypted yet again and stored on S3 devices. Data is indexed on S3 and can be readily read by authorized users. When development was complete. NASDAQ OMS claimed that FinQloud's processing and encryption were done in such a way that the system meets the SEC requirement. Of course. NASDAQ OMX's knew that this statement would be perceived as self-serving. so it hired two independent companies to verify it: Jordan&Jordan, a securities industry consulting company. and Cohasset Associates. a document-processing consulting company. According to The Wall Street Journal, both organizations concluded that when properly configured, FinQloud meets the requirements of the SEC's rule (Rule 17a-3) as well as a similar rule set out by the Commodities Futures Trading Commission.12

Consequently, NASDAQ OMX customers can use FinQloud; as long as the customers demonstrate that they have properly configured FinQloud, auditors will find it to be in compliance with the SEC rulings. Reread the SEC's 2003 interpretation. In your own words, explain the difference between "integrated hardware and software control codes" and software applications that use "authentication and approval policies, passwords, or other extrinsic controls." Give an example of each.