SEC Rule 17a-4 under the Securities Exchange Act of 1934 establishes the record retention obligations of registered broker-dealers and members of national securities exchanges. The rule specifies which records must be preserved, for how long, and — critically — in what format. The electronic storage requirements, in Rule 17a-4(f), require that electronic records be preserved in a non-erasable, non-rewritable format (WORM — Write Once Read Many), with the ability for an independent third party to access those records in the event the firm ceases operations or becomes unable to provide access. These requirements were written when optical disk storage was the technology of choice. Applying them to cloud object storage requires careful architectural design.
The WORM Requirement in Cloud Environments
The SEC and FINRA began approving cloud-based record retention solutions in 2003, following the issuance of no-action letters to vendors who demonstrated that their cloud storage platforms could satisfy the WORM requirements. The key technical requirements that must be satisfied are: records must not be alterable or erasable during the required retention period; the retention period must be enforced by the storage system, not by application-level controls alone; and an independent third party must be able to access the records directly, without relying on the broker-dealer's own systems or staff. All three major cloud providers offer object storage features that can satisfy these requirements when configured correctly.
AWS S3 Object Lock in compliance mode prevents any user, including administrators and the root account user, from deleting or modifying objects during the retention period. Object Lock is enabled on the bucket, which carries a default retention period applied to every new object; an object's retention period can be extended but never shortened. Azure Blob Storage immutability policies provide equivalent functionality, and GCP Cloud Storage Bucket Lock achieves the same effect. The key architectural decision is that the retention policy must be enforced at the storage layer, not in the application or IAM layer. Delete prevention implemented above the storage layer, through IAM policies or application code, does not satisfy 17a-4(f) because a privileged user can change it.
The SEC's no-action letters approving cloud storage solutions all specify that the WORM characteristics must be inherent to the storage medium, not dependent on external controls. A broker-dealer that relies on IAM policies to prevent record deletion rather than using object lock in compliance mode has not satisfied Rule 17a-4(f) even if the practical result is the same. Examiners check configuration, not outcomes.
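Because examiners check configuration rather than outcomes, the useful engineering artifact is a check that reads the storage-layer configuration and reports exactly why a bucket passes or fails. The following is an added example, not code from the article or from any vendor: it evaluates constructed dictionaries shaped like the responses of boto3's get_object_lock_configuration() and get_object_retention() (no live API call is made), and flags the IAM-only arrangement the paragraph above describes. The bucket name, the three-year period taken from the rule text for communications, and the treatment of a year as 365 days are assumptions made for the example.

```python
"""Added example (not from the article): offline check of an S3 bucket's
Object Lock configuration against the storage-layer WORM requirement.
Inputs are constructed to match boto3 response shapes; nothing is fetched."""
from datetime import datetime, timedelta, timezone

# Three-year communications period from the rule text. Other record types have
# different periods, so callers pass their own value where needed.
REQUIRED_RETENTION_DAYS = 3 * 365

# Constructed: a bucket configured the way the article describes.
COMPLIANT_BUCKET = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 3}},
    }
}

# Constructed: Object Lock is on, but in GOVERNANCE mode, which a principal
# holding s3:BypassGovernanceRetention can override.
GOVERNANCE_BUCKET = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 1095}},
    }
}

# Constructed: no Object Lock at all; deletes are blocked only by an IAM Deny,
# which a privileged user can remove.
IAM_ONLY_BUCKET = {"ObjectLockConfiguration": {}}
IAM_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
        "Resource": "arn:aws:s3:::example-records/*",  # placeholder bucket name
    }],
}

DELETE_ACTIONS = {"s3:DeleteObject", "s3:DeleteObjectVersion"}


def default_retention_days(cfg):
    """Bucket default retention in days (0 if none); a year is counted as 365 days."""
    rule = cfg.get("ObjectLockConfiguration", {}).get("Rule", {})
    ret = rule.get("DefaultRetention", {})
    return ret.get("Days", 0) + 365 * ret.get("Years", 0)


def bucket_findings(cfg, required_days=REQUIRED_RETENTION_DAYS):
    """Reasons the bucket fails the storage-layer test; an empty list is a pass."""
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]
    findings = []
    mode = lock.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"default retention mode is {mode!r}, not COMPLIANCE")
    days = default_retention_days(cfg)
    if days < required_days:
        findings.append(f"default retention is {days} days, shorter than the {required_days} required")
    return findings


def object_findings(retention, stored_at, required_days=REQUIRED_RETENTION_DAYS):
    """Check one object's retention (get_object_retention shape) against the period."""
    ret = retention.get("Retention", {})
    findings = []
    if ret.get("Mode") != "COMPLIANCE":
        findings.append(f"object retention mode is {ret.get('Mode')!r}, not COMPLIANCE")
    until = ret.get("RetainUntilDate")
    if until is None or until < stored_at + timedelta(days=required_days):
        findings.append("RetainUntilDate does not cover the required retention period")
    return findings


def relies_on_iam_only(cfg, bucket_policy):
    """True when the only thing stopping deletion is a policy a privileged user can edit."""
    if cfg.get("ObjectLockConfiguration", {}).get("ObjectLockEnabled") == "Enabled":
        return False
    for stmt in bucket_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = set(actions if isinstance(actions, list) else [actions])
        if stmt.get("Effect") == "Deny" and actions & DELETE_ACTIONS:
            return True
    return False


if __name__ == "__main__":
    stored = datetime(2024, 1, 15, tzinfo=timezone.utc)
    ok_obj = {"Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": stored + timedelta(days=1095)}}
    for name, cfg in [("compliant", COMPLIANT_BUCKET), ("governance", GOVERNANCE_BUCKET), ("iam-only", IAM_ONLY_BUCKET)]:
        print(name, bucket_findings(cfg) or "PASS")
    print("object", object_findings(ok_obj, stored) or "PASS")
    print("iam-only bucket relies on IAM alone:", relies_on_iam_only(IAM_ONLY_BUCKET, IAM_ONLY_POLICY))
```

The point of separating bucket_findings from object_findings is that a compliant default only covers objects written after it was set; an examiner will look at the retention on individual records, so both checks belong in the evidence package.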
The Third-Party Access Requirement
Rule 17a-4(f)(3)(vii) requires broker-dealers to enter into an agreement with a designated third party — typically an independent third-party access provider — who will maintain the ability to access the preserved records in the event the broker-dealer fails or becomes unable to access its own records. The technical implementation of this requirement in cloud environments requires that the third party have access credentials that are independent of the broker-dealer's own IAM hierarchy, stored in a manner that the broker-dealer cannot revoke or modify, and sufficient to read all records that the firm is required to preserve. This is architecturally straightforward but frequently omitted in implementations that focus on the WORM storage requirement without reading the full rule text.
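The third-party access requirement can be checked in the same configuration-first way. The following is an added example, not the article's or any provider's code: it inspects a bucket policy for an Allow grant to a principal in an account outside the firm's own, and reports which of the read actions the third party is missing. The account IDs, bucket ARN, and the set of actions treated as "sufficient to read all records" are assumptions made for the example; the policies are constructed.

```python
"""Added example (not from the article): check a bucket policy for the
cross-account read grant a designated third-party access provider needs.
Account IDs and the bucket ARN are placeholders; the policies are constructed."""
import fnmatch

FIRM_ACCOUNT = "111111111111"          # placeholder: the broker-dealer's account
THIRD_PARTY_ACCOUNT = "222222222222"   # placeholder: the designated third party
BUCKET_ARN = "arn:aws:s3:::example-records"  # placeholder bucket

# Assumption: the actions needed to list every version and read each record
# together with its retention metadata.
REQUIRED_READ_ACTIONS = {
    "s3:ListBucket", "s3:ListBucketVersions",
    "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectRetention",
}

# Constructed: grant to a principal outside the firm's IAM hierarchy.
INDEPENDENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DesignatedThirdPartyRead",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{THIRD_PARTY_ACCOUNT}:root"},
        "Action": ["s3:ListBucket", "s3:ListBucketVersions", "s3:Get*"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# Constructed: the "third party" role lives in the firm's own account, so the
# firm's IAM administrators can revoke it.
INTERNAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "InternalRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{FIRM_ACCOUNT}:role/ThirdPartyAccess"},
        "Action": "s3:Get*",
        "Resource": BUCKET_ARN + "/*",
    }],
}

# Constructed: cross-account, but object reads only; listing and retention
# metadata are missing.
PARTIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PartialRead",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{THIRD_PARTY_ACCOUNT}:root"},
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_accounts(stmt):
    """Account IDs named in a statement's Principal; '*' means any principal."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    accounts = set()
    for arn in _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []:
        if arn == "*":
            accounts.add("*")
        elif arn.startswith("arn:aws:iam::"):
            accounts.add(arn.split(":")[4])   # arn:aws:iam::<account>:...
        elif arn.isdigit():
            accounts.add(arn)
    return accounts


def _grants(stmt, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def third_party_access_findings(policy, firm_account=FIRM_ACCOUNT, third_party=THIRD_PARTY_ACCOUNT):
    """Problems with the designated third party's access; empty list means the grant is present."""
    if third_party == firm_account:
        return ["designated third party is the firm's own account"]
    findings, granted, named = [], set(), False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        accounts = principal_accounts(stmt)
        if "*" in accounts:
            findings.append(f"statement {stmt.get('Sid')!r} grants access to any principal")
        if third_party in accounts:
            named = True
            granted |= {a for a in REQUIRED_READ_ACTIONS if _grants(stmt, a)}
    if not named:
        findings.append("no Allow statement names the designated third party's account; access depends entirely on the firm's own IAM")
    elif REQUIRED_READ_ACTIONS - granted:
        findings.append("third party grant is missing: " + ", ".join(sorted(REQUIRED_READ_ACTIONS - granted)))
    return findings


if __name__ == "__main__":
    for name, policy in [("independent", INDEPENDENT_POLICY), ("internal", INTERNAL_POLICY), ("partial", PARTIAL_POLICY)]:
        print(name, third_party_access_findings(policy) or "PASS")
```

A passing result shows only that the grant exists. The bucket policy itself still lives in the firm's account, so the independence the rule text calls for comes from the third party holding its own credentials in its own account, which is outside what this check can see; the check belongs in the firm's evidence package alongside the third party's attestation.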
Scope: What Must Be Preserved
Rule 17a-4 is specific about what must be preserved and for how long. Business communications — emails, instant messages, and, since the SEC's recent enforcement actions, communications on platforms including WhatsApp, Signal, and other off-channel applications — must be preserved for three years, with the first two years in an accessible location. Trade confirmations, account statements, and order records have different retention periods. The recent SEC and CFTC enforcement actions against broker-dealers and investment advisers for off-channel communications, resulting in fines totalling more than $2 billion, demonstrate that the scope of this requirement extends beyond firm-controlled systems to communications wherever they occur.
Audit Trail and Index Requirements
Rule 17a-4(f)(2)(ii) requires that preserved records be indexed — the storage system must maintain a searchable index allowing records to be retrieved by record type, date, and identity of the relevant person or account. In cloud implementations, this typically requires a metadata index maintained alongside the object storage, with the index itself subject to the same WORM requirements as the underlying records. Index integrity — the ability to demonstrate that the index accurately reflects the stored records and has not been modified — is a component of the overall record integrity demonstration that FINRA examination teams look for.
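What the index integrity demonstration looks like in code: an index written into the same WORM store as the records, each entry carrying the record's hash, and a verification pass that reconciles the two in both directions. The following is an added example, not the article's code or any product's implementation. The records, object keys, and the idea of logging the index digest outside the bucket are constructed assumptions for the example; a dictionary stands in for the object bucket.

```python
"""Added example (not from the article): a minimal WORM-side index with
integrity verification and retrieval by type, date and person. Records and
keys are constructed; the `store` dict stands in for the object bucket."""
import hashlib
import json

INDEX_KEY = "index/2024-01.json"  # constructed key for the index object

# Constructed records: (object key, record type, date, person/account, content)
RECORDS = [
    ("comms/2024-01-15/msg-0001.eml", "email", "2024-01-15", "acct-4711",
     b"From: desk-a@example.test\nSubject: fill\n"),
    ("comms/2024-01-15/im-0002.json", "instant-message", "2024-01-15", "acct-4711",
     b'{"text":"done at 101.25"}'),
    ("confirms/2024-01-16/conf-0003.pdf", "trade-confirmation", "2024-01-16", "acct-9930",
     b"%PDF-1.4 constructed stub"),
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def write_records_and_index(records):
    """Store each record, then a deterministic index beside them in the same store.
    Returns (store, index_digest); the digest is what you would log outside the
    bucket so that a replaced index can be detected."""
    store, entries = {}, []
    for key, rtype, rdate, person, content in records:
        store[key] = content
        entries.append({"key": key, "type": rtype, "date": rdate,
                        "person": person, "sha256": sha256_hex(content)})
    index_bytes = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    store[INDEX_KEY] = index_bytes
    return store, sha256_hex(index_bytes)


def verify_index(store, index_digest):
    """Problems found reconciling index and records; an empty list means intact."""
    index_bytes = store.get(INDEX_KEY)
    if index_bytes is None:
        return ["index object missing"]
    problems = []
    if sha256_hex(index_bytes) != index_digest:
        problems.append("index digest mismatch")
    indexed = set()
    for entry in json.loads(index_bytes):
        indexed.add(entry["key"])
        content = store.get(entry["key"])
        if content is None:
            problems.append(f"missing record {entry['key']}")
        elif sha256_hex(content) != entry["sha256"]:
            problems.append(f"content mismatch for {entry['key']}")
    # Objects present in the store but absent from the index are a gap too.
    for key in store:
        if key != INDEX_KEY and key not in indexed:
            problems.append(f"unindexed object {key}")
    return problems


def search(store, record_type=None, on_date=None, person=None):
    """Retrieve record keys by the three axes the rule names: type, date, person."""
    hits = []
    for entry in json.loads(store[INDEX_KEY]):
        if record_type and entry["type"] != record_type:
            continue
        if on_date and entry["date"] != on_date:
            continue
        if person and entry["person"] != person:
            continue
        hits.append(entry["key"])
    return hits


if __name__ == "__main__":
    store, digest = write_records_and_index(RECORDS)
    print("intact:", verify_index(store, digest) or "OK")
    print("acct-4711:", search(store, person="acct-4711"))
    tampered = dict(store)
    tampered[RECORDS[0][0]] = b"edited after the fact"
    print("tampered record:", verify_index(tampered, digest))
    shortened = dict(store)
    shortened[INDEX_KEY] = json.dumps(json.loads(store[INDEX_KEY])[:2]).encode()
    print("tampered index:", verify_index(shortened, digest))
```

Writing the index as an object in the same bucket gives it the same retention as the records; logging its digest elsewhere is what lets the verification pass tell a replaced index from a merely corrupted one.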