Securities and Exchange Commission (SEC) Rule 17a-4, SEC Rule 18a-6, FINRA 4511, & CFTC 1.31 United States

About the SEC, FINRA, & CFTC

The US Securities and Exchange Commission (SEC) is an independent agency of the US federal government and the primary overseer and regulator of US securities markets. It wields enforcement authority over federal securities laws, proposes new securities rules, and oversees market regulation of the securities industry.

The Financial Industry Regulatory Authority (FINRA) is an independent, nongovernmental organization that writes and enforces the rules governing registered brokers and broker-dealer firms in the United States.

The Commodity Futures Trading Commission (CFTC) is an independent federal agency that regulates the derivatives markets, including futures contracts, options, and swaps, in the United States. Its goals include the promotion of competitive and efficient markets and the protection of investors against manipulation, abusive trade practices, and fraud. The Commodity Futures Trading Commission Act established the CFTC in 1974.

These organizations define rigorous and explicit requirements for regulated entities that elect to retain books and records on electronic storage media. Since these rules were first published, several amendments have updated them for modern storage systems and cloud services, introducing new compliance options for financial institutions.

About SEC Rules 17a-4 and 18a-6

The Code of Federal Regulations (CFR) includes the following requirements. In 17 CFR § 240.17a-4(f)(2) ("Rule 17a-4(f)") for the securities broker-dealer industry and 17 CFR § 240.18a-6(e)(2) ("Rule 18a-6(e)") for security-based swap (SBS) dealers and major security-based swap participants, the SEC stipulates requirements for electronic recordkeeping systems. Effective January 3, 2023, the amended Rules require electronic recordkeeping systems to meet either:

  • Option A, SEC Rules 17a-4(f)(2)(i)(A) and 18a-6(e)(2)(i)(A): Preserve a record for the duration of its applicable retention period in a manner that maintains a complete time-stamped audit trail that includes: (1) All modifications to and deletions of the record or any part thereof; (2) The date and time of actions that create, modify, or delete the record; (3) If applicable, the identity of the individual creating, modifying, or deleting the record; and (4) Any other information needed to maintain an audit trail of the record in a way that maintains security, signatures, and data to ensure the authenticity and reliability of the record and will permit re-creation of the original record if it is modified or deleted.
  • Option B, SEC Rules 17a-4(f)(2)(i)(B) and 18a-6(e)(2)(i)(B): Preserve the records exclusively in a non-rewriteable, non-erasable format [also known as WORM or write-once, read-many format].

Additional requirements are enumerated in Rules 17a-4(f) and 18a-6(e).

Microsoft in-scope cloud platforms & services

The following Microsoft cloud platforms and services include features that can be configured to comply with these Rules:

  • Microsoft Azure Blob Storage
  • Exchange Online
  • Microsoft Teams
  • OneDrive for Business
  • SharePoint Online
  • Viva Engage (Yammer)

Microsoft Services Assisting Customers’ Compliance Efforts

Microsoft Azure Immutable Blob Storage with Policy Lock and Microsoft Office 365 with Preservation Lock can help financial institutions meet the immutable storage requirements of SEC Rule 17a-4(f)(2)(i)(B).

The most recent update to the rule, published on November 3, 2022, introduced a new Audit Trail Alternative, which is described in paragraph (f)(2)(i)(A). This alternative uses modern cloud service features such as retention, versioning, and robust audit log data to help reconstruct particular versions of records. Microsoft Office 365 supports compliance with the Audit Trail Alternative through our Purview solutions such as Data Lifecycle Management, eDiscovery (Premium), and Audit (Premium).

See Section 1.3 of the independent Compliance Assessment Reports (see links in the Independent Assessments section) for the specific features and scope of the assessed Microsoft services.

Independent Assessments

Microsoft has partnered with Cohasset Associates, Inc. to evaluate Azure and Microsoft 365 compliance with SEC 17a-4(f)(2), SEC 18a-6(e)(2), FINRA 4511(c), and CFTC 1.31(c)-(d). Cohasset is a professional consulting firm specializing in records management and information governance.

The assessments noted in the following sections describe the features within Microsoft products that enable customer compliance with these rules, and how these features should be configured in order to maintain compliance.


Microsoft 365

Designated Executive Officer or Third-Party Undertaking

SEC Rules 17 CFR § 240.17a-4(f)(3)(v) and 17 CFR § 240.18a-6(e)(3)(v) require the broker-dealer and SBS Entity, respectively, to designate either an executive officer of the firm (Designated Executive Officer) or an unaffiliated third-party (Designated Third Party) to submit a required undertaking to its Designated Examining Authority (DEA).

Microsoft doesn't provide Third-Party Undertaking letters or services.

The broker-dealer and SBS Entity organizations are responsible for (a) designating either an executive officer of the firm or a third-party, (b) obtaining the required undertaking, and (c) submitting the undertaking to its designated examining authority.

SEC Undertaking Letter and SEC Rules 17a-4(i)(1)(ii) and 18a-6(f)(1)(ii)

Separate from the electronic recordkeeping system requirements, in 17 CFR § 240.17a-4(i) ("Rule 17a-4(i)") for the securities broker-dealer industry and 17 CFR § 240.18a-6(f) ("Rule 18a-6(f)") for security-based swap dealers and major security-based swap participants, the SEC requires a third-party who prepares or maintains Broker-Dealer Regulatory Records or SBS Regulatory Records (regardless of whether the records are in paper or electronic form) to file a written undertaking with the Commission signed by a duly authorized person.

Under the January 3, 2023, amendments, SEC Rules 17a-4(i)(1)(ii) and 18a-6(f)(1)(ii) stipulate the required undertaking when the broker-dealer or SBS Entity represents that it:

  1. Maintains and preserves records by means of an electronic recordkeeping system, as defined in Rules 17a-4(f) and 18a-6(e),
  2. Has independent access to the records held by the third-party, and
  3. Is able to permit examination of the books and records at any time or from time to time during business hours by representatives or designees of the Commission, and to promptly furnish to the Commission or its designee a true, correct, complete, and current hard copy of any or all or any part of such records.

Microsoft has established a process to provide an undertaking for compliance with SEC Rules 17a-4(i)(1)(ii) and 18a-6(f)(1)(ii).

  1. Navigate to the Microsoft 365 admin center. (Note: if your organization purchases Microsoft services through a reseller, you might need to work through the reseller to create a service request).

  2. Go to the Support section on the left. You might need to select Show all to view.

  3. Select New service request.

  4. When you submit your request, put Request for SEC Undertaking in the subject line and at the beginning of your documentation.

  5. The support engineer assigned to manage the request passes the request along to an escalation team to complete the request process, which includes:

    1. Collecting customer information and associated representations.
    2. Creation of a custom Letter of Undertaking with electronic signature by Microsoft.
    3. Filing the letter with the SEC via email with customer contact on cc for awareness.

Customers and partners can contact for assistance or clarifications.

Note: the content provided herein is intended for informational purposes only and shouldn't be construed as legal advice. While effort has been made to ensure the accuracy of the information, it isn't guaranteed to be correct, complete, or up-to-date. You shouldn't act or rely on this information without seeking the advice of a professional. Any action you take upon the information is at your own risk and Microsoft isn't liable for any losses or damages in connection with the use of the information.

