What is SEC rule 17a-4?
SEC rule 17a-4 puts guidelines in place for data management at companies brokering financial securities, including stocks, bonds, and futures. The rule states that companies must retain records of certain transactions and grant immediate access for six months, with delayed access for at least two years. Companies must also keep duplicate records at an off-site location for the same period.
What are the requirements for SEC Rule 17a-4?
The SEC 17a-4 rule amendment defines how broker-dealers and other financial services firms must manage their electronically stored information (ESI). This includes what information is and is not covered by Rule 17a-4, and what steps brokers must take to be compliant.
- Record Types: Including emails, financial transactions, and communications.
- Retention Periods: Typically 3-6 years depending on record type.
- Accessibility: To facilitate swift regulatory reviews.
- WORM Compliance: Write Once, Read Many (WORM) non-erasable format.
These provisions ensure that all original records are preserved in an easily accessible format that can be provided to the SEC upon request. This brings the requirements for electronically stored information up to date with modern recordkeeping technologies and accounts for new forms of ESI being created, such as internal messaging systems.
They also more closely align the requirements of Rules 17a-4 and 18a-6, which apply, respectively, to broker-dealers (including those registered as security-based swap dealers (SBSDs) or major security-based swap participants (MSBSPs)) and to SBSDs and MSBSPs that are not also registered as broker-dealers.
The risks of SEC Rule 17a-4 noncompliance
Noncompliance with SEC Rule 17a-4 carries significant financial and reputational risks. The SEC can fine broker-dealers for violations and suspend or revoke their registration. In addition, failure to comply with SEC regulations may leave broker-dealers open to legal action from investors.
SEC fines for improper recordkeeping
- In September 2023, 10 firms were fined a combined $79 million
- In August 2023, 11 firms agreed to pay a total of $289 million in penalties
- In May 2023, two banks received fines of $22.5 million combined
The pandemic accelerated the uptake of electronic messaging systems like Slack, Microsoft Teams, and texting application WhatsApp, and the SEC has responded with a series of regulatory actions that have affirmed definitively that this dataset is included in the amended Rule 17a-4.
In addition, noncompliant firms face reputational risk due to negative publicity surrounding SEC actions, and they may be at increased risk of data breaches and other security incidents. This is because broker-dealers that are not in compliance with SEC Rule 17a-4 may not have adequate security controls in place to protect their customers' sensitive data.
Achieving SEC Rule 17a-4 compliance
For financial industry firms affected by Rule 17a-4 of the Securities Exchange Act (SEA), achieving 17a-4 compliance requires sophisticated solutions for protecting, archiving and managing access to financial documents, including email.
Specifically, SEC 17a-4 compliance requires brokers, dealers and other regulated companies to retain originals and copies of all communications related to the business for up to six years. Communications may include written documents as well as email, instant messages, fax messages and other communications. Data may be stored electronically, but it must be preserved in a non-rewritable, non-erasable format, with duplicate copies stored in separate locations, and all data must be indexed and made available for examination by the SEC.
Because email has become the primary form of communication for most businesses, including financial firms, 17a-4 compliance necessarily requires solutions to retain, secure and control access to vast amounts of email data. For financial firms that want a simple and easy-to-use solution for achieving 17a-4 compliance, Mimecast provides a cloud-based, subscription service.
Mimecast solutions for 17a-4 compliance
Mimecast provides thousands of organizations around the world with SaaS-based solutions for email security, archiving and continuity. As a cloud-based service, Mimecast can be implemented quickly and cost-efficiently, with no hardware to purchase and no software to install. Easy-to-use tools accessible from a single web-based console help to streamline management of business email, while state-of-the-art defenses and powerful continuity solutions help to promote cyber resilience and security for email data.
To help financial organizations achieve 17a-4 compliance, Mimecast provides a powerful email retention and archiving solution in the Mimecast Cloud Archive. As a centralized repository of email, files and IM conversations, Mimecast Cloud Archive simplifies 17a-4 compliance by retaining three tamper-proof encrypted copies of every email, stored in separate, geographically dispersed data centers. Mimecast retains the original email along with detailed metadata, and also a copy of the email if it was changed through enforcement of company content control policy.
To simplify compliance inquiries and litigation readiness, Mimecast provides lightning-fast search capabilities along with case management and eDiscovery tools that significantly reduce the administrative burden on IT teams tasked with managing legal and compliance requirements. And by giving administrators powerful yet easy-to-use tools for managing email retention, Mimecast helps to streamline 17a-4 compliance as well as compliance with a wide variety of other regulatory frameworks.
Benefits of managing 17a-4 compliance with Mimecast
When using Mimecast to manage 17a-4 compliance, you can:
- Dramatically reduce the time and cost of email retention and compliance-related tasks, as well as of managing litigation hold in Office 365.
- Implement a 17a-4 compliance solution quickly and easily with Mimecast's SaaS-based solution.
- Improve email security and continuity with Mimecast's all-in-one solution.
In addition to 17a-4 compliance, Mimecast is a HIPAA-compliant email technology.
Learn more about handling 17a-4 compliance with Mimecast, and about Mimecast solutions for government cyber security.
SEC 17a-4 FAQs
What types of records are covered by SEC Rule 17a-4?
Examples of the types of records covered by SEC Rule 17a-4 include:
- Order tickets
- Account statements
- Trade confirmations
- Correspondence with customers
- Internal collaboration messages
What are the basic necessities for Rule 17a-4?
The necessities for compliance with Rule 17a-4 include:
- Working with a Designated Third Party (D3P) consultant.
- Documented, enforceable retention policies.
- Data stored in a searchable index so that records are easily retrievable and viewable.
- Data stored on write-once-read-many (WORM) electronic media.
- Data stored off-site.
Ultimately, broker-dealers should have systems in place to store digital content which is protected from tampering and loss.
What are the major consequences of SEC 17a-4 non-compliance?
Companies that fail to comply with SEC 17a-4 face financial penalties that increase with the severity of the violation. Companies should also be aware of non-financial penalties, which could include suspension of the firm's operations or of certain individuals.