SEC Rule 17a-4 (WORM Storage)
SEC regulation requiring broker-dealers to preserve electronic records in non-erasable, non-rewritable (WORM) format for defined retention periods.
SEC Rule 17a-4, adopted under the Securities Exchange Act of 1934, establishes records retention and preservation requirements for registered broker-dealers. The rule specifies minimum retention periods for a wide range of business records — trade confirmations and account statements must be kept for six years, order tickets for three years, and general ledger records for six years — and requires that records be maintained in an accessible, auditable form. The 1997 amendments to Rule 17a-4(f) explicitly addressed electronic storage media, establishing the requirement that electronic records be stored on non-erasable, non-rewritable media — commonly referred to as WORM (Write Once, Read Many) storage — to prevent tampering or deletion.
The 2022 amendments to Rule 17a-4, finalized by the SEC alongside companion FINRA Rule 4511 guidance, updated the WORM storage requirements to accommodate modern cloud storage architectures. The amendments allow broker-dealers to use audit-trail alternatives to hardware WORM storage — specifically, electronic storage systems that have a third-party audit capability, where an independent accountant or compliance consultant can verify that records cannot be altered or deleted before the end of their required retention period. This change allows cloud-based immutable storage solutions (such as AWS S3 Object Lock, Azure Immutable Blob Storage, or purpose-built financial archive platforms) to satisfy the rule's requirements, provided the broker-dealer enters a written agreement with an attestation provider.
The 2022 amendments also codified requirements for text message, instant message, and other electronic communications preservation — an area where the SEC and CFTC have levied over $2 billion in fines against major banks since 2021 for employees using personal devices and unapproved messaging applications. Broker-dealers must now affirmatively supervise communications channels, capture and preserve communications in approved applications (such as Bloomberg Chat, Refinitiv Messenger, or enterprise archiving solutions like Global Relay or Smarsh), and produce them in response to regulatory requests and litigation discovery.
Technology implementations for Rule 17a-4 compliance require careful architecture decisions around storage immutability, retention lifecycle management, legal hold workflows, and e-discovery production capabilities. Object-level WORM locks must be applied at ingestion, with retention periods calculated from the record creation date and automatically extended for records under legal hold. Index structures must enable rapid search and retrieval by date range, counterparty, security, account, and communication metadata. Integration with compliance supervision platforms for communications surveillance, and with trade reconstruction systems for order management data, completes the end-to-end records preservation architecture.
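The lock-at-ingestion and retention lifecycle rules described above, as an added example that is not taken from any vendor or from the rule text. The class and method names are hypothetical, the retention periods are the ones stated on this page, and two behaviours are assumptions: a legal hold blocks deletion until it is released, and deletion is permitted from the retain-until date onward.

```python
from dataclasses import dataclass
from datetime import date
# Retention periods in years, as stated on this page.
RETENTION_YEARS = {"trade_confirmation": 6, "account_statement": 6,
                   "order_ticket": 3, "general_ledger": 6}

def add_years(created: date, years: int) -> date:
    """Anniversary of `created`; Feb 29 rolls to Mar 1 so the period is never short."""
    try:
        return created.replace(year=created.year + years)
    except ValueError:
        return date(created.year + years, 3, 1)

@dataclass
class Record:
    record_type: str
    created: date
    retain_until: date
    legal_hold: bool = False

class WormArchive:
    """Hypothetical in-memory model of lock-at-ingestion semantics."""
    def __init__(self) -> None:
        self._records = {}

    def ingest(self, record_id: str, record_type: str, created: date) -> Record:
        if record_id in self._records:
            raise PermissionError("write-once: record already exists")
        years = RETENTION_YEARS[record_type]  # unknown types fail closed (KeyError)
        rec = Record(record_type, created, add_years(created, years))
        self._records[record_id] = rec  # lock is set at ingestion, not later
        return rec

    def extend_retention(self, record_id: str, new_date: date) -> None:
        rec = self._records[record_id]
        if new_date < rec.retain_until:
            raise PermissionError("retention may be extended, never shortened")
        rec.retain_until = new_date

    def set_legal_hold(self, record_id: str, on: bool) -> None:
        self._records[record_id].legal_hold = on

    def delete(self, record_id: str, today: date) -> None:
        rec = self._records[record_id]
        if rec.legal_hold:  # assumption: a hold blocks deletion until released
            raise PermissionError("record is under legal hold")
        if today < rec.retain_until:
            raise PermissionError("retention period has not expired")
        del self._records[record_id]
```

A production archive would enforce the same invariants in the storage layer itself rather than in application code, so that an administrator with write access to the application cannot bypass them.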