Good news for broker-dealers and other covered entities using SaaS business applications such as ServiceNow and Salesforce! You now have greater flexibility to comply with the Securities and Exchange Commission’s electronic record-keeping requirements (SEC Rule 17a-4).
These requirements apply to securities brokers and dealers, OTC derivatives traders, security-based swap dealers, and potentially other companies that deal in trading securities, operating in the United States.
Previously under SEC 17a-4, it was necessary to preserve records using a non-rewritable, non-erasable format (a.k.a. WORM for write once, read many). The amended requirements allow for electronic records to be stored with a cloud vendor, so long as the solution provides a complete, verifiable, time-stamped audit trail that permits the re-creation of an original record with full integrity if it is altered, overwritten, or erased.
This blog summarizes how Own (formerly OwnBackup) cloud-based solutions allow customers to implement retention policies for regulated records stored in their Salesforce, ServiceNow, or Microsoft Dynamics instance(s).
Record Retention and Recovery
SEC Rule 17a-4 continues to require that organizations retain financial records for set durations of time. While the exact length of time varies by record type, retention periods fall within 2-6 years. This requirement can be fulfilled by using Own solutions to build custom retention policies that keep regulated data for the proper length of time.
If a record is deleted in the original data source, Recover can be used to perform record recreation. Using the archived data, Own products provide capabilities to find and recover records that have been lost or corrupted in the original SaaS data source. Using Own’s comparative analysis features, the user identifier that last modified a record can be determined in certain situations.
The Own infrastructure leverages encrypted, distributed object stores, in multiple zones, spanning multiple data centers, within the customer's storage region. Own then ensures the replicated data's integrity is maintained through the data lifecycle across multiple zones.
Own Recover maintains an audit trail, including the date and time when backups are created. The user account performing any action is also captured in the audit trail. Own Recover does not permit users to modify or delete specific backups or records after they have been created.
The audit trail displayed in the user interface can be exported to a report in CSV format. These features fulfill the SEC Rule 17a-4 requirement that the electronic recordkeeping system have the capacity to readily download and transfer copies of a record and its audit trail (if applicable) in both a human-readable format and in a reasonably usable electronic format.
To ensure the authenticity and reliability of archived data, Own Recover computes cryptographic hash values of copied data segments. In addition, an overall SHA256 hash value of combined segment hashes can be computed and stored in a public blockchain using Own’s Blockchain Verify solution, which supports independent integrity verification that a backup has not been changed.
Figure: Blockchain Verify uses a computational algorithm to generate a cryptographic hash of each backup before it is written to storage, registering that hash in a public blockchain, storing backups in a compressed form, and utilizing standard security protocols.
Own enables download of the full backup index or export of any file, along with associated metadata and hashes, to validate that the data’s integrity has been maintained throughout the data lifecycle.
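The following sketch shows how an auditor could independently re-check exported data against per-segment hashes and an overall SHA256 value, as described above. It is an added example, not Own's code: the combining rule (hashing the raw segment digests concatenated in segment order), the function names, and the sample segments are assumptions, and `ANCHORED` stands in for the value registered in the public blockchain.

```python
import hashlib
import hmac


def segment_hashes(segments):
    """SHA-256 hex digest of each data segment, in segment order."""
    return [hashlib.sha256(seg).hexdigest() for seg in segments]


def overall_hash(seg_hex):
    """SHA-256 over the concatenated raw segment digests (assumed combining rule)."""
    h = hashlib.sha256()
    for hx in seg_hex:
        h.update(bytes.fromhex(hx))
    return h.hexdigest()


def verify_backup(segments, manifest_hashes, anchored_hash):
    """Return (ok, problems) for exported segments checked against the
    exported manifest and the externally anchored overall hash."""
    problems = []
    if len(segments) != len(manifest_hashes):
        problems.append(
            f"segment count {len(segments)} != manifest count {len(manifest_hashes)}")
    for i, (seg, expected) in enumerate(zip(segments, manifest_hashes)):
        actual = hashlib.sha256(seg).hexdigest()
        if not hmac.compare_digest(actual, expected.lower()):
            problems.append(f"segment {i} hash mismatch")
    # Recompute the overall hash from the data itself, not from the manifest:
    # a manifest rewritten to match altered data still fails against the anchor.
    recomputed = overall_hash(segment_hashes(segments))
    if not hmac.compare_digest(recomputed, anchored_hash.lower()):
        problems.append("overall hash does not match anchored value")
    return (not problems, problems)


# Constructed sample data: three exported segments and their recorded hashes.
SEGMENTS = [b"Account,001,Acme\n", b"Trade,002,BUY,100\n", b"Trade,003,SELL,40\n"]
MANIFEST = segment_hashes(SEGMENTS)
ANCHORED = overall_hash(MANIFEST)  # stand-in for the externally registered value


def altered_with_forged_manifest():
    """Segment 1 is changed and the manifest is regenerated to match it."""
    altered = [SEGMENTS[0], b"Trade,002,BUY,900\n", SEGMENTS[2]]
    return verify_backup(altered, segment_hashes(altered), ANCHORED)
```

The forged-manifest case is the reason an externally anchored overall hash matters: per-segment hashes stored next to the data only prove internal consistency.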
For more on this topic, download our SEC Compliance Assessment ebook, which provides more details about how Own solutions help customers comply with SEC Rule 17a-4, including technical details about Blockchain Verify, or request a demo below.