Securities and Exchange Commission (SEC) Rule 17a-4(f) United States

About SEC Rule 17a-4(f)

The US Securities and Exchange Commission (SEC) is an independent agency of the US federal government and the primary overseer and regulator of US securities markets. It wields enforcement authority over federal securities laws, proposes new securities rules, and oversees market regulation of the securities industry.

The SEC defines rigorous and explicit requirements for regulated entities that elect to retain books and records on electronic storage media. It established 17 CFR 240.17a-3 and 17 CFR 240.17a-4 to regulate recordkeeping, including retention periods, for securities broker-dealers. Later, the SEC amended 17 CFR 240.17a-4 paragraph (f), issuing two interpretive releases expressly to allow books and records to be retained on electronic storage media as long as certain conditions were met.

An electronic storage system meets those conditions if it prevents the alteration or erasure of records for the required retention period. Retention periods vary from three to six years based on record types, with immediate accessibility mandated for the first two years. Moreover, one of the interpretive releases requires that the storage system be capable of retaining records beyond the SEC-established retention period to comply with subpoenas, legal hold, or other such requirements.

Microsoft and SEC Rule 17a-4(f)

Financial services customers, representing one of the most heavily regulated industries in the world, are subject to complex provisions like the retention of financial transactions and related communication in a non-erasable and non-modifiable state. Among the most prescriptive is Rule 17a-4(f) of the US Security and Exchange Commission (SEC) that stipulates stringent requirements for regulated entities that elect to retain books and records on electronic storage media. Records stored must be tamper-proof with no ability to alter or delete them until after the designated retention period.

Microsoft Azure Immutable Blob Storage with Policy Lock and Microsoft Office 365 with Preservation Lock can help financial institutions meet the immutable storage requirements of SEC Rule 17a-4(f).

Microsoft in-scope cloud platforms & services

• Azure
• Office 365

Independent assessments

To evaluate Azure and Office 365 compliance with SEC Rule 17a-4(f), Microsoft retained an independent assessment firm that specializes in records management and information governance, Cohasset Associates.

Azure

Immutable storage for Azure Blob storage enables users to store business-critical records in a write once read many (WORM) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. For the duration of the retention interval, blobs can be created and read, but cannot be modified or deleted. These features of Azure immutable storage can help customers address their records retention requirements.

Microsoft retained an independent third-party assessment firm that specializes in records management and information governance to evaluate immutable storage for Azure Blob storage compliance with SEC Rule 17a-4(f) requirements. The resulting report Cohasset Assessment: Microsoft Azure WORM Storage is available to customers.

It is the assessor's opinion that Azure Storage with the immutable storage for Azure Blobs feature and locked time-based policy option retains time-based Blobs (records) in a non-erasable and non-rewritable format and meets relevant storage requirements of SEC Rule 17a-4(f), FINRA Rule 4511(c), and the principles-based requirements of CFTC Rule 1.31(c)-(d).

Upon request, Microsoft will also provide a 90-day letter required to meet the SEC 17a-4(f)(2) requirements for customers to notify their designated examining authority at least 90 days prior to employing electronic storage media. As stated in the regulations, "the member, broker, or dealer must provide its own representation or one from the storage medium vendor or other third party with appropriate expertise that the selected storage media meets the conditions set forth in this paragraph (f)(2)." To obtain the Microsoft Attestation of Electronic Storage Media Services for SEC Rule 17a-4, customers with an Azure support plan can create a support ticket in the Azure portal and request the attestation letter for SEC Rule 17a-4. In this document, Microsoft provides assurances relevant to the SEC 17a-4(f)(2) requirements.

Office 365

For SEC 17a-4(f) requirements, Cohasset validated that Microsoft 365 includes archiving features that enable regulated customers, including broker-dealers, to store data in a manner that helps them comply with SEC requirements for records retention. Retention features in Microsoft 365 help preserve a wide range of data, including email, voicemail, shared documents, instant messages, and third-party data. In particular, archiving in Microsoft 365 enables customers to set global or granular messaging retention policies to store data for a defined period and beyond in a non-rewriteable, non-erasable format.

Audits, reports, and certificates

Azure & SEC Rule 17

• SEC 17a-4(f) & CFTC 1.31 (c-d) Compliance Assessment of Azure Storage

Microsoft Attestation of Electronic Storage Media Services for SEC Rule 17a-4 can be requested by creating a support ticket with Azure support. In this attestation letter, Microsoft provides assurances to help customers comply with the SEC 17a-4(f)(2) requirements.

Office 365 & SEC Rule 17

• Office 365 - Cohasset Assessment - SEC Rule 17a-4(f) - Immutable Storage for SharePoint, OneDrive, Exchange, Teams, and Yammer (2022)

How to implement

Financial services regulation

Compliance map of key US regulatory principles for cloud computing and Microsoft online services. Learn more

Risk Assessment & Compliance Guide

Create a governance model for risk assessment of Microsoft cloud services, and regulator notification. Learn more

Financial use cases

Use case overviews, tutorials, and other resources to build Azure solutions for financial services. Learn more

Use Microsoft Purview Compliance Manager to assess your risk

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources

• Azure compliance documentation
• Azure enables a world of compliance
• Securities and Exchange Commission (SEC) Rule 17a-4
• Microsoft Cloud financial services resources
• Microsoft Cloud financial services compliance program
• Compliance map of cloud computing regulatory principles and Microsoft online services
• Risk assessment and compliance guide for financial institutions in the Microsoft Cloud
• Financial Services industry use cases
• Archiving in Microsoft Office 365, Data Retention, and Rule 17a-4