We recently published an article on what is needed for a financial firm’s website archiving to meet SEC and FINRA requirements. This article follows on from that one by looking at the specific storage requirements, which are very technical and can lead to uncertainty with regard to compliance.
In December 2016, the Financial Industry Regulatory Authority (FINRA) fined 12 firms a total of $14.4 million for what it called “failing to protect records from alteration.” This is a somewhat general statement, so what did this failure to protect records look like in practical terms? Quite simply, these firms had failed to make use of the proper WORM storage.
“FINRA found that at various times, and in most cases for prolonged periods, the firms failed to maintain electronic records in “write once, read many,” or WORM, format, which prevents the alteration or destruction of records stored electronically,” said an official FINRA press statement. “Federal securities laws and FINRA rules require that business-related electronic records be kept in WORM format to prevent alteration. The SEC has stated that these requirements are an essential part of the investor protection function because a firm's books and records are the ‘primary means of monitoring compliance with applicable securities laws, including antifraud provisions and financial responsibility standards.’”
SEC Rule 17a-4(f) WORM Recordkeeping Requirements
According to FINRA, “each of these 12 firms had WORM deficiencies that affected millions, and in some cases, hundreds of millions, of records pivotal to the firms’ brokerage businesses, spanning multiple systems and categories of records.”
This sounds like gross negligence—and it was undoubtedly a very costly mistake to make—but the reality is that it is all too easy for a firm to find itself on the wrong side of these recordkeeping rules. For this reason, many firms still continue to struggle with WORM requirements—and FINRA and the SEC continue to issue fines.
Not only does section (f) of SEC Rule 17a-4 state that WORM storage must be used when records are electronically stored, but it also gives very specific requirements related to verification, serialization, indexing, and duplication of data. If any of these aren’t met, a firm will be noncompliant. And keep in mind that if a company has taken an incorrect approach to WORM storage, it has likely done that across all or most of its electronic records, which is why FINRA found that the companies above “had WORM deficiencies that affected millions, and in some cases, hundreds of millions, of records.”
Given how technical these specifications can get, it’s worth taking a close look at the individual WORM requirements of 17a-4(f). We’ll also discuss Pagefreezer’s processes as an example of how these recordkeeping demands can be met.
“The electronic storage media must preserve the records exclusively in a non-rewriteable, non-erasable format.”
As the SEC’s interpretive document on 17a-4(f) simply states, “the WORM requirement is designed to ensure that electronic records are capable of being accurately reproduced for later reference by maintaining the records in an unalterable form.”
By using a format that is non-rewriteable and non-erasable, any concern that records were altered or deleted after the fact disappears. As long as a record is present on a WORM storage device, it is reasonable to assume that it is in the same state as when it was first stored.
So what does WORM storage look like in practice? For data archiving in compliance with FINRA rules, Pagefreezer stores all data on a private Ceph data storage cluster that is WORM configured with two storage nodes—with the data replicated on both nodes.
The Ceph data storage cluster applies an object lock to prevent any deletion or modification of the backup data. (This is comparable to the AWS S3 Object Lock used in AWS Glacier, which is also SEC compliant.) In addition, data is backed up to WORM (LTO-8) tape storage. These WORM tapes offer device-level data encryption to ensure data privacy and reduce the risk of data corruption.
Backups are created in 15-minute intervals and stored to WORM tape backup storage on a weekly basis. Secure collection and offsite storage of tape storage media is managed by a third party on Pagefreezer’s behalf.
By design, data on WORM tapes cannot be overwritten, and the cartridge cannot be reused if degaussed. The technology of the Ceph WORM storage cluster and the WORM tape storage provide Pagefreezer customers with a reliable, accurate, and virtually tamper-proof data archive tool to meet tough regulatory requirements.
“The electronic storage media must verify automatically the quality and accuracy of the storage media recording process.”
In line with the previous section, the aim of this requirement is to ensure the integrity of records by having the recording process automatically verified for quality and accuracy. Crucially, the requirement covers quality verification of both the recording process itself and post-recording processes.
When capturing a customer’s data, Pagefreezer verifies the data integrity and authenticity by calculating a hash and placing a digital signature on each data object to confirm authenticity. In addition, our Ceph WORM storage cluster has built-in bit-rot detection, which automatically verifies the quality and accuracy of the data.
For the WORM tape backup, Pagefreezer uses VEEAM as the backup software solution to write data to the WORM tape storage. VEEAM performs a data integrity check when exporting to tape; the writing process is committed only when the software finds a perfect match between the data, metadata, and file descriptors on the data source and destination (WORM tape). VEEAM also includes advanced security features such as secure shell, an integrated firewall, RBAC/IAM access controls, AES-256 server-side encryption for data at rest, and SSL for data in transit.
“The electronic storage media must serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media.”
As the FINRA fines mentioned at the top of this article clearly illustrate, a large firm’s digital records can quickly stretch into the millions. Because of this, it’s essential that records be stored in a way that allows you to easily locate a specific record.
The SEC’s interpretive document states that “the serialization provision is intended to ensure both the accuracy and accessibility of the records by indicating the order in which records are stored, thereby making specific records easier to locate and authenticating the storage process.”
The rule can be satisfied by capturing index data, or metadata, associated with each electronic record that:
- Uniquely identifies a record
- Associates the date and time of recording with each record
In addition to applying a hash value to every record collected, Pagefreezer places a timestamp that indicates exactly when the data was collected. Data on the Ceph WORM storage cluster and the WORM tape backup are also serialized by date, while the tape backup is marked with a unique serial number.
“The electronic storage media must have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.”
This requirement is designed to enable regulators like FINRA and the SEC to request that a broker-dealer download records and associated indexes from the primary storage medium, which in turn allows them to easily take possession of the downloaded records and indexes.
With Pagefreezer, the relevant archived content (with indexes and records preserved as required) can be downloaded through the Pagefreezer dashboard. Should a large number of records be needed to meet a request, our support team can also offer assistance.
“If a member, broker, or dealer uses micrographic media or electronic storage media, it shall store separately from the original, a duplicate copy of the record stored on any medium acceptable under 17a-4 for the time required.”
The aim of this requirement is simply to ensure that there is more than one copy of a firm’s stored records. This way, if the primary storage source is lost or damaged, a second source is still available.
When discussing backups and duplicates, it’s important to remember that a “duplicate copy” is different from a “backup copy.” A duplicate is the recording of each record to a second compliant storage system or media, which is then retained for the same time period as the originally-stored record. In contrast, a backup copy is typically overwritten on a periodic basis as part of a backup rotation scheme, which usually results in a much shorter retention period than the original. For this reason, it’s important to never treat a backup as a duplicate.
As standard security practice, Pagefreezer stores duplicate copies of customer data on our WORM cloud storage environment, and we store a third copy on the WORM backup tapes (which can be retained for a set retention period).
“Organize and index accurately all information maintained on both original and any duplicate storage media.”
Similar to 17a-4(f)(2)(ii)(D), the intent here is to ensure that the electronic records and duplicate copies can be readily searched, identified, and retrieved using an accurate set of indexes or metadata. Importantly, this has to be done for both the original and the duplicate copy.
As mentioned, Pagefreezer captures associated metadata and indexes records when archiving data. This means that content can quickly and easily be searched through the Pagefreezer dashboard. The data files in cloud storage and on WORM tape storage are also indexed to facilitate search and retrieval using disk-like directory tree structures.
“Each index must be duplicated and the duplicate copies must be stored separately from the original copy of each index.”
Although this requirement can seem similar to 17a-4(f)(3)(iii), the two requirements are actually complementary.
The earlier requirement focuses on the actual information that a record consists of, while this requirement pertains to the index associated with a record. This rule ensures that the original structure remains, so if the primary storage source is lost, you’re still left with an indexed copy that can easily be searched.
In order to comply with this rule, the Pagefreezer production environment has data replicated over two separated nodes on cloud storage. For added security, a third snapshot is kept on WORM tape storage and retained offsite. And all versions are indexed as required.
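To make the verification, serialization and duplicated-index requirements discussed above concrete, here is an added example (not Pagefreezer’s code) of a minimal append-only archive index: each record gets a unique serial number, a timestamp and a SHA-256 hash, the index entry is signed, a separate duplicate index is kept, and a verify step detects altered bytes (bit-rot) or a tampered index. HMAC-SHA256 with a hypothetical key stands in for the digital signature the article mentions.

```python
# Added example, not Pagefreezer's implementation. HMAC-SHA256 with a
# hypothetical key stands in for a digital signature; a production archive
# would use an asymmetric signature and an external trusted timestamp.
import hashlib
import hmac
import json
from datetime import datetime, timezone

SIGNING_KEY = b"hypothetical-archive-signing-key"  # assumption, not a real key


def sign(entry: dict) -> str:
    """Sign a canonical JSON encoding of an index entry."""
    canonical = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


class WormArchive:
    """Append-only store: records and index entries are written once."""

    def __init__(self):
        self.records = {}          # serial -> bytes (primary copy)
        self.index = []            # ordered index entries (original)
        self.duplicate_index = []  # separate copy, as 17a-4(f) requires

    def store(self, name: str, data: bytes, when=None) -> int:
        serial = len(self.index) + 1          # serialization: unique, ordered
        when = when or datetime.now(timezone.utc)
        entry = {"serial": serial, "name": name,
                 "stored_at": when.isoformat(),   # time-date of recording
                 "sha256": hashlib.sha256(data).hexdigest()}
        entry["signature"] = sign(entry)       # signed before the key exists
        self.records[serial] = data
        self.index.append(entry)
        self.duplicate_index.append(dict(entry))
        return serial

    def verify(self, serial: int) -> list:
        """Return the integrity problems found for one record (empty = OK)."""
        problems = []
        entry = self.index[serial - 1]
        unsigned = {k: v for k, v in entry.items() if k != "signature"}
        if not hmac.compare_digest(sign(unsigned), entry["signature"]):
            problems.append("index entry signature mismatch")
        if hashlib.sha256(self.records[serial]).hexdigest() != entry["sha256"]:
            problems.append("record bytes do not match index hash")
        if entry != self.duplicate_index[serial - 1]:
            problems.append("original and duplicate index differ")
        return problems
```

Running `verify` periodically over every serial is the software analogue of the bit-rot detection the article attributes to the Ceph cluster; a non-empty result is the signal to restore from the duplicate copy.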
“Original and duplicate indexes must be preserved for the time required for the indexed records.”
Following on from the above point, this requirement ensures that both the original and the duplicate index are preserved for the same period of time as the indexed record (and its duplicate security copy). This prevents a situation where records are inaccessible because the index wasn’t retained as long as its associated records.
At Pagefreezer, we store data (verified and indexed exactly as required) for as long as a customer stipulates. Depending on the industry and its recordkeeping requirements, this typically ranges from two to ten years. If the recordkeeping rules related to a particular data source are unclear, we recommend that organizations store data for at least three years.
“The member, broker, or dealer must have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved pursuant to §§ 240.17a-3 and 240.17a-4 to electronic storage media and inputting of any changes made to every original and duplicate record maintained and preserved thereby.
- “At all times, a member, broker, or dealer must be able to have the results of such audit system available for examination by the staffs of the Commission and the self-regulatory organizations of which the broker or dealer is a member.
- “The audit results must be preserved for the time required for the audited records.”
This requirement asks for an audit trail that tracks all activity related to records and indexes. By looking at this audit trail, it should be clear when, how, and by whom records were created, altered, erased, or overwritten.
The Pagefreezer dashboard provides continuous access to archived data and indexes. Data can be exported from the dashboard, or with help from the Pagefreezer support team. The dashboard also provides administrators with detailed audit logs that give insight into all activities on the system, including what exactly was done, who did it, and when this activity took place.
SEC and FINRA Compliance Simplified
Meeting the financial services industry’s requirements can seem daunting, but companies like Pagefreezer can provide an automated recordkeeping solution that complies with all rules and regulations.
Pagefreezer simplifies compliance and streamlines audits by automatically archiving websites, social media accounts, mobile text messages, and enterprise collaboration platforms through our SaaS archiving solutions.