Question

In 1937, the Securities and Exchange Commission (SEC) set out rules that stipulated records retention requirements for securities brokers and dealers. The SEC's concern was (and is) that records of financial transactions not be altered after the fact, that they be retained for a stipulated period of time, and that indexes be created so that the records can be readily searched.

In 1937, the rules assumed that such records were recorded on paper media. With the rise of information systems storage, the SEC updated the rules in 1997 by stating that such records can be kept electronically, provided that the storage devices are write once, read many times (WORM) devices. This rule was readily accepted by the financial services industry because the first CDs and DVDs were WORM devices.

However, as technology developed, broker-dealers and other financial institutions wanted to store records using regular disk storage and petitioned the SEC for guidance on how they might do that. In May 2003, the SEC interpreted the rule to enable the storage of such records on read-write media, provided that the storage mechanism included software that would prohibit data alteration:

A broker-dealer would not violate the requirement in paragraph (f)(2)(ii)(A) of the rule if it used an electronic storage system that prevents the overwriting, erasing or otherwise altering of a record during its required retention period through the use of integrated hardware and software control codes. Rule 17a-4 requires broker-dealers to retain records for specified lengths of time. Therefore, it follows that the non-erasable and non-rewriteable aspect of their storage need not continue beyond that period.

The Commission's interpretation does not include storage systems that only mitigate the risk a record will be overwritten or erased. Such systems, which may use software applications to protect electronic records, such as authentication and approval policies, passwords or other extrinsic security controls, do not maintain the records in a manner that is non-rewriteable and non-erasable. The external measures used by these other systems do not prevent a record from being changed or deleted. For example, they might limit access to records through the use of passwords. Additionally, they might create a "finger print" of the record based on its content. If the record is changed, the fingerprint will indicate that it was altered (but the original record would not be preserved). The ability to overwrite or erase records stored on these systems makes them non-compliant with Rule 17a-4(f).10

Notice the SEC specifically excludes extrinsic controls such as authentication, passwords, and manual procedures because it believes it would be possible for such systems to be readily misused to overwrite records. The SEC is striking a fine line in this ruling; if, for example, someone were to tamper with the storage systems' software, it would be possible to overwrite data. Apparently, the SEC assumes such tampering would be illegal and so rare as to not be a concern.

Given this ruling, organizations began to develop systems in compliance. The NASDAQ OMX Group, a multinational corporation that owns and operates the NASDAQ stock market as well as eight European exchanges, developed FinQloud, a cloud-based storage system that is compliant with the SEC's (and other regulating organizations') rulings. NASDAQ OMX operates in 70 different markets, in 50 countries worldwide, and claims that it processes one out of 10 stock transactions worldwide.11

The figure shows the fundamental structure of the FinQloud system. On the back end, it uses Amazon's S3 product to provide scalable, elastic storage. When financial institutions submit records to FinQloud for storage, FinQloud processes the data in such a way that it cannot be updated, encrypts the data, and transmits the processed, encrypted data to AWS, where it is encrypted yet again and stored on S3 devices. Data is indexed on S3 and can be readily read by authorized users. When development was complete, NASDAQ OMX claimed that FinQloud's processing and encryption were done in such a way that the system meets the SEC requirement. Of course, NASDAQ OMX knew that this statement would be perceived as self-serving, so it hired two independent companies to verify it: Jordan & Jordan, a securities industry consulting company, and Cohasset Associates, a document-processing consulting company. According to The Wall Street Journal, both organizations concluded that when properly configured, FinQloud meets the requirements of the SEC's rule (Rule 17a-3) as well as a similar rule set out by the Commodities Futures Trading Commission.12

Consequently, NASDAQ OMX customers can use FinQloud; as long as the customers demonstrate that they have properly configured FinQloud, auditors will find it to be in compliance with the SEC rulings.

Reread the SEC's 2003 interpretation. In your own words, explain the difference between "integrated hardware and software control codes" and software applications that use "authentication and approval policies, passwords, or other extrinsic controls." Give an example of each.

[Figure: structure of the FinQloud system. Labels: Financial Institutions' Computing Infrastructure; FinQloud Servers (Processing & Encryption); Amazon AWS (Encryption); S3 storage.]
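The distinction the SEC draws between extrinsic controls and integrated control codes can be modelled in a few lines. This is an added example, not part of the original question or of FinQloud's design; the class names `ExtrinsicStore` and `RetentionLockedStore` are hypothetical, and both are in-memory models that assume enforcement would in practice live in the storage layer itself.

```python
import hashlib
import hmac
import time


class ExtrinsicStore:
    """Read-write store guarded by a password plus a content fingerprint."""

    def __init__(self, password):
        self._password = password.encode()
        self._records = {}       # record_id -> bytes
        self._fingerprints = {}  # record_id -> SHA-256 taken at first write

    def write(self, record_id, data, password):
        if not hmac.compare_digest(password.encode(), self._password):
            raise PermissionError("bad password")
        # Anyone holding the password can overwrite; the old bytes are lost.
        self._fingerprints.setdefault(record_id, hashlib.sha256(data).hexdigest())
        self._records[record_id] = data

    def read(self, record_id):
        return self._records[record_id]

    def is_altered(self, record_id):
        # The fingerprint detects the change but cannot restore the original.
        current = hashlib.sha256(self._records[record_id]).hexdigest()
        return current != self._fingerprints[record_id]


class RetentionLockedStore:
    """Store whose write path refuses changes until retention expires."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}  # record_id -> (data, retain_until)

    def write(self, record_id, data, retention_seconds):
        existing = self._records.get(record_id)
        if existing is not None and self._clock() < existing[1]:
            raise PermissionError("record is under retention; overwrite refused")
        self._records[record_id] = (data, self._clock() + retention_seconds)

    def delete(self, record_id):
        # No credential unlocks this early; only the passage of time does.
        if self._clock() < self._records[record_id][1]:
            raise PermissionError("record is under retention; erase refused")
        del self._records[record_id]

    def read(self, record_id):
        return self._records[record_id][0]
```

In the first store a valid password is enough to replace a record, and the fingerprint only reports that it happened; in the second there is no caller-supplied input that permits a change during the retention period, and the lock lapses afterwards, matching the SEC's statement that the non-rewriteable property need not continue beyond that period.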

Step by Step Solution


Considering this situation, integrated hardware basically refers to embedding a number of circuits on a ...