Only a few proud individuals want to spend a weekend poring over the Securities and Exchange Commission (SEC) Rule 17a-4 for fun. The rest of us would rather do long division while stuck in traffic.

However, data storage managers working in financial services can’t ignore this critical 14-page document. It outlines how financial services companies must keep records to be compliant with the SEC and other regulatory bodies.

Subsection (f) covers long-term data storage: data accuracy, write-once-read-many storage, record accessibility, and so forth. As you architect your long-term storage solution, adhering to SEC Rule 17a-4(f) enables you to keep your archival records in order.

What you need for subsection (f)

To help familiarize you with the requirements of subsection (f), we’ve outlined nine of the most critical aspects of managing archival data. Regulators require the following key points of financial services companies:

  • Ensure that deleting or overwriting data is impossible. This idea is a no-brainer for archival storage, but a non-rewritable, non-erasable record format ensures that you can accurately reproduce records when needed. This assurance prevents accidental rm -rf catastrophes.

  • Verify the accuracy of data. Data corruption, whether obvious or silent, is serious. Use checksums and hash values, so no surprises arise during an audit or recovery.

  • Specify the record order. When original and duplicate storage units are properly serialized, finding and authenticating original and duplicate records is faster and easier. (Anything to make your job easier, right?)

  • Make records download-friendly. When your storage has the capacity to download both indexes and records, regulators can quickly take possession of records without a lot of fuss.

  • Make backups of your backups. A reproduction of data, such as a physical copy, ensures that regulators can get records if computers are down.

  • Keep duplicates separate. A wise storage manager keeps duplicate records and copies apart. If primary data is lost or damaged, you can access the duplicate backup. Don’t forget to copy and store the indexes too.

  • Track the changes. Ensure that you have a solid audit system that tracks when changes were made, by whom, and what was changed, for both originals and duplicates.

  • Make the audit accessible. An audit trail is not helpful to regulators if it’s unavailable for review. If it’s easy to access and review, it makes your life easier.

  • Put records in escrow with a third party. Make the records available to the regulatory body, regardless of the situation. That way, if something doesn’t go according to plan, the regulatory body can still do its job.

How can Oracle Cloud Infrastructure (OCI) help?

OCI provides various services to enable financial services customers to move their sensitive workloads to the cloud.

To ensure data integrity and meet high regulatory requirements, the locked retention rule was introduced to OCI Object Storage. This write once, read many (WORM) format ensures that data can’t be overwritten, deleted, or tampered with in any way.

A recent independent, third-party compliance assessment done by Cohasset Associates found that when OCI’s Object Storage was properly configured, it met all the locked retention model guidelines outlined by the SEC, FINRA, CFTC, and MiFID.

Next steps

Want to learn more about OCI Object Storage and the Cohasset compliance assessment report? To read the details of how OCI Object Storage meets all their requirements, download the assessment.

To learn more about Oracle Cloud Infrastructure’s global compliance programs, including programs specific to the financial services industry, visit the Oracle compliance page.