Why carry around cash when you can pay for everything from parking meters to cars with digital payments or credit cards? Digital transactions are not new to the financial services industry, although the explosion of digital uses in our daily lives has indeed broadened their digital footprint.
Historically, the industry has been highly regulated with evolving requirements to address electronic records management and retention throughout the data lifecycle. As such, financial services organizations must validate their data protection compliance with current regulations. Mission-critical data resides in Oracle Databases, so it’s not surprising that a large percentage of Oracle’s Zero Data Loss Recovery Appliance customers are in highly regulated industries.

Co-engineered with Oracle Database, Recovery Appliance delivers unique capabilities for zero data loss recovery and data-aware backup validation along with policy-based management to address compliance requirements. While these are key reasons customers chose Recovery Appliance, regulators don’t want to take our or the customer’s word for it – nor should they. Internal and regulatory auditors need an independent and objective compliance assessment of products that are currently or planned to be deployed.
We engaged Cohasset Associates, a leading professional consulting firm specializing in records management and information governance, to perform a comprehensive Recovery Appliance compliance assessment against the electronic storage requirements specified in the following regulations: Securities and Exchange Commission (SEC) 17 CFR § 240.17a-4(f), Financial Industry Regulatory Authority (FINRA) Rule 4511(c), Commodity Futures Trading Commission (CFTC) 17 CFR § 1.31(c)-(d), and Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing MiFID II (the MiFID II Delegated Regulation), Article 72(1).
The following excerpt from Cohasset’s Compliance Assessment report summarizes their analysis of Recovery Appliance capabilities for compliance with the five requirements related to recording and non-rewriteable, non-erasable storage of electronic records, as stipulated in SEC Rule 17a-4(f):
Cohasset determined that the Recovery Appliance, when properly configured for compliance, as described in Section 2 (Assessment of Compliance with SEC Rule 17a-4(f)), has the following capabilities, which meet the regulatory requirements:
- Immutably maintains record backups and associated system metadata for time-based retention periods.
- Prohibits deletion of a record backup and its immutable metadata until the retention period has expired.
- Preserves all record backups that are stored on the Recovery Appliance as immutable and prohibits deletion or overwrites, while a Compliance Hold attribute is applied. (Separately, Indefinite Retention Rules may be applied to effectuate holds in Object Storage buckets.)
- Verifies the accuracy and quality of the recording process through the use of checksums and Recovery Appliance post-recording validation processes.
- Uniquely serializes each record backup and all duplicate copies with a unique ID and a date/time stamp.
- Automatically mirrors each record backup across three storage servers during the write process, which allows for automatic self-healing of record backups that become lost or damaged. Additionally, supports scheduled copying of record backups to tertiary storage as well as geographically dispersed replication of record backups.
- Provides the capacity and tools to (a) search for record backups, (b) list record backups, and (c) restore record backups to a designated location, after which a local application may be used to view content and/or transfer to a medium acceptable under the Rule.
Cohasset also correlated the assessed capabilities of the Recovery Appliance to the principles-based technology requirements of CFTC Rule 1.31(c)-(d) and the medium and retention of records requirements in Article 72(1) of the Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing MiFID II (the MiFID II Delegated Regulation).
Accordingly, Cohasset concludes that the Recovery Appliance, when properly configured for compliance, as described in Section 2, and utilized to retain time-based records, meets the five requirements of SEC Rule 17a-4(f) and FINRA Rule 4511(c), which relate to the recording and non-rewriteable, non-erasable storage of electronic records. In addition, the assessed capabilities meet the principles-based electronic records requirements of CFTC Rule 1.31(c)-(d) and the medium and retention of records requirements of the MiFID II Delegated Regulation (72)(1).
In many ways, a Cohasset Compliance Assessment is like a product audit, dotting all the “i’s” and crossing all the “t’s” as it relates to regulation requirements. While we knew our customers were using the Recovery Appliance to meet strict regulations, it’s nice to have its capabilities validated by compliance experts!
Whether or not these specific regulations are applicable to your organization, you may want to review our recent AskTOM Office Hours session on SEC Rule 17a-4(f) and how Recovery Appliance meets these requirements for ways to enhance your data management strategy across the data’s lifecycle. For existing and future customers who must adhere to these regulations, the Recovery Appliance Compliance Assessment report can be provided to auditors when your processes are under review.
Look for future blogs on how you can learn from compliance assessments to avoid pitfalls down the road.
