Steelgate Cloud Backup for SEC Compliance

Steelgate is the right choice for organizations that must comply with SEC Rule 17a-4 and NASD requirements.

SEC Rule 17a-4 and NASD Compliance

In 1934, Congress passed the Securities and Exchange Act to regulate the securities industry. Among other things, the Act requires the creation and maintenance of records of securities transactions for the purpose of review and audit in order to better protect investors and the U.S. economy.

SEC Rule 17a-4 is a Rule created by the SEC under the Exchange Act that stipulates specific record keeping requirements for certain exchange members, brokers, and dealers in the securities industry. The Rule was updated in 1997 to expressly allow for the storage, retention, and reproduction of records by means of “electronic storage media,” subject to certain conditions. For example, 17a-4 requires that:

  • members, brokers and dealers “preserve for a period of not less than three years, the first two years in an easily accessible place… originals of all communications received and copies of all communications sent” related to their business as broker-dealers, including electronic communications such as email and instant messaging.
  • electronic media used to store these records preserve them “exclusively in a non-rewriteable, non-erasable format,” such as WORM (Write Once Read Many) technology.
  • the electronic storage media “…verify automatically the quality and accuracy of the storage media recording process.”
  • members, brokers and dealers have specific electronic records available for SEC review “at all times… for immediate, easily readable projection or production.”
  • the member, broker or dealer “store separately from the original, a duplicate copy of the record stored on any medium acceptable… for the time required.”

Rule 17a-4 applies to individuals and organizations that trade securities or act as brokers for those who do. This includes any financial institution whose business units trade securities regulated by the Securities and Exchange Commission (SEC) and the National Association of Securities Dealers (NASD).

Business Impact

Compliance with Rule 17a-4 requires that members, brokers and dealers carefully evaluate their information management processes and architecture to ensure that the relevant e-records and communications are maintained in a trustworthy state for the duration required by the Rule, and that they are retrievable for review on demand for the time required. In light of this, organizations subject to the Rule’s requirements that do business electronically may need to implement new technologies to comply.

For example, 17a-4 requires responsive e-records and communications to be readily accessible and available for review, so that the organization can respond promptly to SEC inquiries. Organizations need to assess their IT systems to determine whether they allow for a timely response to such requests. Are emails to and from clients available for review on demand, or are they stored on backup tapes that can take a great deal of time to search and restore? Simply retaining responsive messages on backup tapes may violate 17a-4’s requirement to retain such messages for “the first two years in an easily accessible place,” and at the very least will likely hinder the organization’s ability to comply in a timely manner.

Similarly, impacted organizations must consider whether their systems meet the Rule’s mandates to store records in a non-rewriteable, non-erasable format; automatically verify the trustworthiness of the recording process; create and store duplicate copies of records; and accurately index their information, among other things.

Real World Impact

The SEC has imposed fines on broker-dealers under investigation that failed to comply with 17a-4 and related rules. For example, one financial institution was fined $10 million by the SEC for multiple failings involving the production of emails. The organization failed to produce the messages in a timely manner, taking two years to produce the emails of seven individuals, and failed to promptly contact the Commission when emails that were thought to be lost were recovered.

In another recent example, a financial institution was fined $2.1 million when it failed to comply with 17a-4’s requirement to retain all email communications sent and received by its employees that related to its business as a broker-dealer. The SEC stated that the organization “lacked adequate systems or procedures for the preservation of electronic mail communications.” The emails in question were stored on backup tapes – some of which went missing, were damaged, contained errors or couldn’t be restored for other reasons. Furthermore, the organization failed to inform the SEC of its failure to preserve these emails.

To read the entire rule, visit