Exchange Act Rule 17a-4 – An Old Rule in a New World

Mitchell Atkins, former FINRA executive and founder of FirstMark Regulatory Solutions

The electronic recordkeeping requirements for broker-dealers are spelled out in Exchange Act Rule 17a-4, also known as SEC Rule 17a-4. For many years, the shorthand for the rule was simple: broker-dealer records had to be preserved in WORM format — write once, read many. In the old days, that meant paper, microfilm, microfiche, optical disk, CD-ROM, or some other storage medium that could not be rewritten or erased.

That was the world I was writing about when I first addressed this topic in 2014. Back then, the basic point was straightforward: broker-dealers could not simply save emails in Outlook, back up files at the end of the day, or keep documents in a cloud folder and assume they had satisfied SEA Rule 17a-4(f). Records had to be preserved, indexed, accessible, and protected from alteration or deletion.

The rule is still old. But the world around it has changed again.

Today, broker-dealers live in Microsoft 365, Google Workspace, Salesforce, Teams, Zoom, text messaging platforms, archive vendors, compliance dashboards, cloud servers, and third-party fintech systems. Registered representatives work from home, supervisors review correspondence remotely, firms use outsourced technology providers, and the SEC and FINRA continue to bring major enforcement cases involving off-channel communications and recordkeeping failures.

At the same time, the rule itself has been modernized. The SEC’s 2022 amendments to Rule 17a-4(f) did something important: they kept WORM as an available approach, but added an audit-trail alternative. That means the modern question is no longer simply, “Is this WORM?” The better question is: “Can the firm preserve, locate, recreate, produce, and defend the record if an examiner asks for it?”

Back to Basics: What Rule 17a-4 Is Trying to Accomplish

SEA Rule 17a-4 is the broker-dealer record retention rule. In simple terms, it tells broker-dealers what records must be preserved, how long they must be preserved, and what must happen when regulators ask for them.

One of the most important provisions remains Rule 17a-4(b)(4), which requires a broker-dealer to preserve originals of all communications received and copies of all communications sent by the broker-dealer, including inter-office memoranda and communications, relating to its business as such. For broker-dealers, this includes business-related emails, written correspondence, chat messages, instant messages, text messages, social media messages, collaboration-platform messages, and other written electronic communications that relate to the firm’s broker-dealer business.

That is where firms still get into trouble. The communication method changes. The regulatory concept does not.

When I was at NASD in the early days, I spent plenty of time looking at boxes of paper, microfiche, and imaged records. If you ask many people today what microfiche is, you may get a blank look. But the core regulatory expectation has not changed all that much. Whether the record is a paper blotter, a microfiche image, an email, a Teams message, or a customer account approval sitting inside a cloud application, the firm must be able to preserve it for the required retention period and produce it promptly when asked.

That is the point of the rule. It is not about technology for technology’s sake. It is about regulator access, examiner review, enforcement integrity, and the firm’s ability to prove what happened.

The Old WORM Rule and the New Audit-Trail Alternative

For many years, Rule 17a-4(f) required broker-dealers that used electronic storage media to preserve electronic records exclusively in a non-rewriteable, non-erasable format. That is the WORM standard.

WORM is still permitted. A firm may still use an electronic recordkeeping system that preserves records in a non-rewriteable, non-erasable format. For many small firms, that remains the easiest and cleanest answer because the vendor has built its business around broker-dealer archive requirements.

But WORM is no longer the only way to comply.

The SEC’s 2022 amendments added an audit-trail alternative. Under that alternative, an electronic recordkeeping system must preserve records in a way that maintains a complete time-stamped audit trail. That audit trail must capture all modifications to and deletions of the record (or any part of it), the date and time of each action that creates, modifies, or deletes the record, the identity of the person taking the action if applicable, and the information needed to maintain the security, authenticity, and reliability of the record and to permit recreation of the original record and every interim iteration of it.

That is a major modernization. It reflects the way many modern systems actually work. A properly designed system may not be “WORM” in the old optical-disk sense, but if it can preserve the record, maintain a complete audit trail, and recreate the original if something changes, it may satisfy the modern rule.

The practical point: WORM is still valid, but it is no longer the only option. A broker-dealer may use either a non-rewriteable, non-erasable system or an audit-trail-compliant electronic recordkeeping system. What it cannot use is a normal business system with ordinary delete, edit, overwrite, and retention settings and pretend that is enough.

What an Electronic Recordkeeping System Must Do Today

The modern version of Rule 17a-4(f) is more technology-neutral than the older rule, but it is not loose. An electronic recordkeeping system must do several things that ordinary storage systems often do not do.

First, it must preserve records for the applicable retention period. The system must either preserve the records in a non-rewriteable, non-erasable format or maintain the kind of audit trail described above.

Second, the system must be able to verify automatically the completeness and accuracy of the processes for storing and retaining records electronically. That means the firm should understand whether the system actually captures the records it is supposed to capture and whether there are exceptions, failed captures, skipped sources, disabled users, or configuration gaps.

Third, the system must be able to download and transfer records, and the audit trail if applicable, in both a human-readable format and a reasonably usable electronic format. This is where some firms make a costly mistake. A system that lets a user view a record on screen is not necessarily a compliant recordkeeping system. Regulators may ask for records in a format that can be reviewed, searched, exported, analyzed, and tied back to the source system.

Fourth, the system must include a backup electronic recordkeeping system or other redundancy capabilities designed to ensure access to required records. A broker-dealer cannot have a single point of failure where records disappear because a vendor terminates service, an administrator deletes an account, a license lapses, or a cloud configuration changes.

Fifth, the firm must be ready at all times to provide requested records. The rule is not satisfied by telling an examiner that the vendor is looking into it, the IT consultant is unavailable, or the person who knows the archive left the firm. If the firm is required to preserve the record, the firm must be able to produce it.
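The contrast drawn in the last two sections (ordinary storage versus WORM versus the audit-trail alternative) and the export and verification requirements listed above, modeled in a small added illustration. This is not code from the article, from the SEC, or from any archive vendor, and the stores, record ids, timestamps, and user names are constructed for the example. The audit-trail store's only write path is an append-only, hash-chained log, which is what lets it reproduce the original record and each interim iteration after a modify or delete, export the record with its trail in a human-readable and machine-usable form, and detect an in-place edit to the log itself.

```python
"""Model of the preservation approaches Rule 17a-4(f) now allows.

Added illustration only; not code from the article, the SEC, or any vendor.
Hypothetical assumptions: a record is short text keyed by an id, and
timestamps/actors are supplied by the caller so the run is deterministic.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace

GENESIS = "0" * 64


class OrdinaryStore:
    """Ordinary business system: edits and deletes happen in place, no trace left."""

    def __init__(self) -> None:
        self.records: dict[str, str] = {}

    def put(self, record_id: str, text: str) -> None:
        self.records[record_id] = text          # silently overwrites

    def delete(self, record_id: str) -> None:
        self.records.pop(record_id, None)       # silently erases

    def get(self, record_id: str) -> str | None:
        return self.records.get(record_id)


class WormStore:
    """Non-rewriteable, non-erasable: each record id may be written exactly once."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    def put(self, record_id: str, text: str) -> None:
        if record_id in self._records:
            raise PermissionError(f"{record_id} already written; WORM cannot be rewritten")
        self._records[record_id] = text

    def delete(self, record_id: str) -> None:
        raise PermissionError("WORM media cannot be erased")

    def get(self, record_id: str) -> str | None:
        return self._records.get(record_id)


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str       # date and time of the action
    actor: str           # identity of the person acting, if applicable
    action: str          # "create", "modify" or "delete"
    record_id: str
    content: str | None  # record content after the action; None once deleted
    prev_hash: str       # hash of the preceding entry (the chain link)
    entry_hash: str      # hash over this entry's own fields


def _entry_hash(seq, timestamp, actor, action, record_id, content, prev_hash) -> str:
    payload = json.dumps([seq, timestamp, actor, action, record_id, content, prev_hash])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrailStore:
    """Audit-trail alternative: the only write path is an append-only, hash-chained
    log, so the current record, every interim iteration and the original can all be
    reproduced, and any in-place edit to the log itself is detectable."""

    def __init__(self) -> None:
        self._log: list[AuditEntry] = []

    def _append(self, ts: str, actor: str, action: str, rid: str, content: str | None) -> None:
        prev = self._log[-1].entry_hash if self._log else GENESIS
        seq = len(self._log)
        h = _entry_hash(seq, ts, actor, action, rid, content, prev)
        self._log.append(AuditEntry(seq, ts, actor, action, rid, content, prev, h))

    def create(self, ts: str, actor: str, rid: str, text: str) -> None:
        if self.current(rid) is not None:
            raise KeyError(f"{rid} already exists; use modify")
        self._append(ts, actor, "create", rid, text)

    def modify(self, ts: str, actor: str, rid: str, text: str) -> None:
        if self.current(rid) is None:
            raise KeyError(f"{rid} does not exist")
        self._append(ts, actor, "modify", rid, text)

    def delete(self, ts: str, actor: str, rid: str) -> None:
        if self.current(rid) is None:
            raise KeyError(f"{rid} does not exist")
        self._append(ts, actor, "delete", rid, None)

    def current(self, rid: str) -> str | None:
        """Replay the log: the last entry for the id is the current state."""
        state = None
        for e in self._log:
            if e.record_id == rid:
                state = e.content
        return state

    def history(self, rid: str) -> list[AuditEntry]:
        return [e for e in self._log if e.record_id == rid]

    def iterations(self, rid: str) -> list[str]:
        """The original record followed by every interim iteration."""
        return [e.content for e in self.history(rid) if e.content is not None]

    def original(self, rid: str) -> str | None:
        its = self.iterations(rid)
        return its[0] if its else None

    def verify(self) -> bool:
        """Recompute the chain; an in-place edit, removal or reordering breaks it."""
        prev = GENESIS
        for i, e in enumerate(self._log):
            expected = _entry_hash(e.seq, e.timestamp, e.actor, e.action,
                                   e.record_id, e.content, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True

    def export(self, rid: str) -> str:
        """Record plus audit trail, human-readable and machine-usable (JSON)."""
        return json.dumps([asdict(e) for e in self.history(rid)], indent=2)


def run_demo() -> dict:
    """Run the same constructed sequence of actions against all three stores."""
    r: dict = {}
    ordinary = OrdinaryStore()
    ordinary.put("msg-1", "Buy 100 XYZ at market")
    ordinary.put("msg-1", "Buy 10 XYZ at market")   # original is gone
    r["ordinary_original"] = ordinary.get("msg-1")

    worm = WormStore()
    worm.put("msg-1", "Buy 100 XYZ at market")
    try:
        worm.put("msg-1", "Buy 10 XYZ at market")
        r["worm_overwrite_blocked"] = False
    except PermissionError:
        r["worm_overwrite_blocked"] = True

    trail = AuditTrailStore()
    trail.create("2024-03-04T09:31:00Z", "rep.jones", "msg-1", "Buy 100 XYZ at market")
    trail.modify("2024-03-04T09:32:10Z", "rep.jones", "msg-1", "Buy 10 XYZ at market")
    trail.delete("2024-03-04T17:05:00Z", "admin.smith", "msg-1")
    r["trail_current"] = trail.current("msg-1")          # None: deleted
    r["trail_original"] = trail.original("msg-1")        # still recoverable
    r["trail_iterations"] = trail.iterations("msg-1")
    r["trail_actions"] = [(e.action, e.actor) for e in trail.history("msg-1")]
    r["trail_verifies"] = trail.verify()
    r["trail_export"] = trail.export("msg-1")

    tampered = AuditTrailStore()                         # simulate a DB-level edit
    tampered._log = list(trail._log)
    tampered._log[0] = replace(tampered._log[0], content="Buy 1000 XYZ at market")
    r["tamper_detected"] = not tampered.verify()
    return r


if __name__ == "__main__":
    print(json.dumps({k: v for k, v in run_demo().items() if k != "trail_export"}, indent=2))
```

The point of the comparison is the one the article makes: the ordinary store is encrypted-or-not, backed-up-or-not irrelevant, because after the second `put` the original order text no longer exists anywhere; the WORM store refuses the overwrite; the audit-trail store accepts the modify and the delete but can still answer "what did the record say when it was created, who changed it, and when," and its `verify()` fails the moment someone edits the log rather than appending to it. A firm testing its own audit-trail vendor should expect equivalent answers to `original`, `iterations`, `history` and `export` for a sample record that has been modified and deleted.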

Why “Secure Cloud Storage” Is Not the Same Thing as 17a-4 Compliance

This is one of the most common misunderstandings I still see.

There is a difference between secure storage and compliant preservation. A system can be encrypted, password-protected, backed up, redundant, and professionally managed — and still fail Rule 17a-4.

For example, a normal cloud folder is not enough if users can delete files, overwrite files, rename files without accountability, purge files after a short retention period, or terminate the account in a way that removes access to the records. The same is true for ordinary email storage. Microsoft 365, Google Workspace, Dropbox, ShareFile, OneDrive, Box, Salesforce, Slack, Teams, Zoom, or any other platform may be part of a compliant architecture, but only if it is configured, retained, supervised, archived, and tested in a way that satisfies the rule.

That is the key distinction. The product name does not make the system compliant. The configuration, retention controls, capture scope, audit trail, supervision, and production capability determine compliance.

I have seen firms assume that because something is in the cloud, it is safer than a local server and therefore compliant. That is not the rule. The question is not whether the cloud provider has strong cybersecurity. The question is whether the broker-dealer’s required records are preserved for the required period and can be produced promptly, completely, and in the required format.

The Old Problems Have Not Gone Away

Many of the non-compliant systems I saw years ago still have modern equivalents.

  • Email saved in local PST files or ordinary mailboxes that users can delete or alter.
  • End-of-day backups that miss messages deleted during the day.
  • Cloud folders used as document archives without retention locks or audit-trail controls.
  • Text messages, chats, and collaboration-platform messages that are used for business but not captured.
  • Customer communications conducted through personal devices or personal messaging apps.
  • Vendors that host records but have not signed the required undertakings.
  • Systems that preserve records but cannot export them in a reasonably usable format.
  • Archives that capture email but not attachments, calendar entries, approvals, metadata, or supervisory comments.
  • Retention policies that can be changed by local administrators without compliance review.

These are not technical foot faults. They go directly to the regulator’s ability to reconstruct what happened. If an examiner asks for communications about a customer complaint, a private placement, a rollover recommendation, a suspicious wire, a branch inspection, or a supervisory approval, the firm cannot answer by saying, “We think it was in Teams, but we did not archive that channel.”

Off-Channel Communications: The New Version of an Old Problem

The recordkeeping problem that has received the most attention in recent years is off-channel communications. This is not a new concept, but the scale is different.

Years ago, the concern was that a registered representative might use a personal email account to avoid firm review. Today, the same problem shows up through personal text messages, WhatsApp, Signal, social media direct messages, unapproved collaboration tools, personal devices, and customer communications conducted outside the firm’s monitored systems.

The rule is still the rule. If the communication relates to the broker-dealer’s business as such, the firm must preserve it if it is the type of communication covered by the recordkeeping rules. A firm’s policies should make clear what systems may be used, what systems may not be used, how exceptions are handled, and what happens when personnel use an unapproved channel.

Training alone is not enough. Firms should also test. That means looking for signs of off-channel activity: email signatures listing mobile numbers used for business, customer references to text exchanges, representatives sending “call or text me” language, calendars showing client meetings arranged outside approved systems, or complaint files referring to communications not found in the archive.

The problem is not solved by telling representatives, “Do not text clients.” If the firm knows or should know that business communications are occurring through unapproved channels, the supervisory issue becomes much larger.

Rule 17a-4(i): The Outside Service Provider Problem

The 2022 amendments also matter because of modern vendor relationships. Broker-dealers now rely on outside service providers for email archiving, cloud storage, CRM systems, document management, cybersecurity, order management, accounting, compliance workflows, and other systems that may contain required books and records.

Rule 17a-4(i) addresses situations where required records are prepared or maintained by an outside service bureau, depository, bank, or other recordkeeping service. The amended rule explicitly recognizes modern recordkeeping services, including services that own and operate the servers or storage devices on which records are preserved or maintained.

The old practical question was often, “Does the third-party vendor have access to the WORM archive?” The modern question is broader: “Is an outside entity preparing, maintaining, hosting, or preserving records the broker-dealer is required to keep, and has the required undertaking been addressed?”

Rule 17a-4(i) generally requires the outside entity to file a written undertaking with the SEC acknowledging that the records are the property of the broker-dealer and that they will be surrendered promptly on request. The undertaking must also permit SEC examination of the books and records and require the outside entity to furnish complete and current hard copies upon request.

The amended rule also provides an alternative undertaking for certain outside entities where the broker-dealer has independent access to the records. In that case, the outside entity’s undertaking is more limited. It acknowledges the broker-dealer’s ownership of the records and undertakes not to impede or prevent SEC access, download, transfer, or SIPA trustee access as permitted by law.

The point for firms is simple: do not assume that a vendor relationship is “just IT.” If the vendor prepares, maintains, hosts, or preserves required broker-dealer records, the firm needs to evaluate Rule 17a-4(i), the required undertaking, the firm’s independent access, and the firm’s ability to produce the records without the vendor becoming a bottleneck.

The Designated Third Party and Designated Executive Officer Undertakings

There is another undertaking issue under Rule 17a-4(f). Historically, broker-dealers using electronic storage had to have a third party with access to the records provide an undertaking to produce records if the firm failed to do so. There were also limitations on who could be the third party.

The amended rule gives firms more flexibility. A broker-dealer using an electronic recordkeeping system must have the required undertaking filed with its designated examining authority, signed by either a designated third party or a designated executive officer.

A designated third party is a person not affiliated with the broker-dealer who has access to and the ability to provide records maintained and preserved on the electronic recordkeeping system. A designated executive officer is a member of senior management who has access to and the ability to provide the records directly or through designated specialists.

This is an important change, especially for firms with mature internal technology and compliance functions. But it is not a paperwork shortcut. If the firm uses a designated executive officer, that executive officer must actually have the ability to provide the records, either directly or through designated personnel. A name on a form is not enough.

The designated executive officer may appoint up to two designated officers to act if the executive officer cannot fulfill the undertaking, and up to three designated specialists. But the appointment of those persons does not relieve the designated executive officer of the obligations in the undertaking.

For small firms, the old third-party model may still be cleaner. For larger firms, the designated executive officer approach may make sense. But either way, the firm should be able to answer three basic questions:

  • Who is responsible for producing records if the firm receives a regulatory request?
  • Does that person actually have access to the records and the audit trail, if applicable?
  • Has the required undertaking been filed and kept current?

The DEA Notice Requirement Is Gone — But the Responsibility Is Not

One of the practical changes in the 2022 amendments is that the SEC eliminated the old requirement that a broker-dealer notify its designated examining authority before employing an electronic recordkeeping system. That requirement made sense when electronic recordkeeping was new. It makes much less sense today, when nearly every broker-dealer uses electronic systems in some form.

But firms should not misunderstand the change. The fact that the old notice requirement is gone does not mean electronic recordkeeping has become informal. It means the burden has shifted even more squarely to the firm to know what systems it uses, what records they contain, how those records are preserved, and how they will be produced.

In other words, the firm may not need to send the same kind of advance notice before using electronic recordkeeping, but it still needs to get the system right.

What Records Are We Really Talking About?

When firms think about Rule 17a-4, they often think first about email. Email is important, but it is only one piece of the recordkeeping architecture.

Depending on the firm’s business, required records may include:

  • Business-related emails and attachments.
  • Internal memoranda and inter-office communications.
  • Correspondence with customers.
  • Retail communications and approvals.
  • Text messages and instant messages relating to broker-dealer business.
  • Social media messages and direct messages used for business.
  • CRM notes and customer-contact records.
  • Order tickets, trade blotters, confirmations, and account records.
  • New account documents and account updates.
  • Customer complaints and complaint investigations.
  • Supervisory reviews, exception reports, and approvals.
  • AML surveillance alerts, investigations, alert resolution notes, and SAR support materials.
  • WSPs, compliance manuals, and procedure updates.
  • Reg BI records, rollover documentation, and Form CRS delivery records.
  • Cybersecurity and Regulation S-P incident response records required to be preserved.

The exact retention period depends on the record. Some records are three-year records. Some are six-year records. Some must be preserved for the life of the enterprise. The mistake is assuming that one blanket retention period or one archive setting solves everything.

A good recordkeeping program begins with a record inventory. What records does the firm create? Where are they created? Who owns the system? What rule requires retention? What is the retention period? Is the record captured automatically? Can it be altered? Can it be deleted? Can the firm produce it in usable form?

Rule 17a-4(f) applies when required broker-dealer records are preserved on an electronic recordkeeping system. A working copy of a record that is already properly preserved elsewhere may not itself be the firm’s required preserved record. But if the copy is annotated, approved, stamped, revised, or otherwise becomes evidence of a separate business action, it may become a new required record that must be preserved under the applicable recordkeeping rule.

Where Small Firms Still Get This Wrong

Small broker-dealers often have an advantage: fewer people, fewer systems, and less complexity. But they also tend to have fewer internal technology resources, and that creates predictable problems.

The most common issues I see are:

  • Assuming Microsoft 365 or Google Workspace is automatically compliant. These platforms can be part of a compliant environment, but ordinary mailbox retention is not the same as broker-dealer record preservation.
  • Archiving email but ignoring chats and texts. If representatives use text messaging, Teams, Zoom chat, Slack, WhatsApp, or other messaging tools for business, the firm must address preservation and supervision.
  • Using a vendor without reviewing the undertaking. A vendor’s marketing page is not the undertaking required by the rule.
  • Not testing production. The firm may believe records are preserved until FINRA asks for a date range, a custodian, attachments, metadata, or export format and the firm cannot produce it.
  • Failing to capture terminated users. When a representative leaves, mailbox and archive retention must be controlled. Deactivating or deleting the account without preserving required records is a serious mistake.
  • Letting IT control retention without compliance review. Retention settings are compliance settings, not merely IT preferences.
  • Not documenting system changes. If the firm changes email vendors, CRM systems, archive vendors, or storage architecture, someone must document what happened to historical records and how they will be produced.

What I Would Expect to See in a Recordkeeping Review

If I were reviewing a broker-dealer’s electronic recordkeeping program today, I would not stop at asking whether the firm has a WORM archive. That question is now too narrow.

I would ask for the firm’s recordkeeping map. I would want to see every system that creates or stores required records. I would ask whether the firm is relying on WORM or the audit-trail alternative for each relevant system. I would ask for the third-party or designated executive officer undertaking. I would ask whether any outside service provider is covered by Rule 17a-4(i). I would ask how the firm captures text messages, chats, CRM notes, approvals, and supervisory reviews. I would ask whether the firm has tested production.

I would also ask how the firm knows its archive is complete. That is not a trick question. It is the question.

A firm should be able to demonstrate:

  • A current inventory of systems that create or preserve required records.
  • The applicable retention period for each major record type.
  • Whether the firm is using WORM or the audit-trail alternative.
  • How records are captured from each communication channel.
  • How off-channel communications are prohibited, detected, escalated, and remediated.
  • How terminated-user records are preserved.
  • How the firm can export records and audit trails in human-readable and reasonably usable electronic formats.
  • What undertaking has been filed and who is responsible for production.
  • What outside entities prepare, maintain, host, or preserve required records.
  • When the firm last tested a regulatory-style production request.

A Practical Compliance Checklist

For firms trying to get this right, I would start with the following checklist:

  • Build a record inventory. Identify required records, systems, owners, retention periods, and production methods.
  • Identify communication channels. Include email, chat, text, social media, CRM, collaboration tools, video-conference chats, and mobile messaging.
  • Decide whether each system relies on WORM or the audit-trail alternative. Do not assume. Document the basis.
  • Review vendor contracts and undertakings. Confirm whether Rule 17a-4(f) and 17a-4(i) undertakings are required and have been completed.
  • Test export capability. Pull a sample date range, a sample custodian, a sample customer name, and a sample attachment set. Confirm that the results are complete and usable.
  • Test audit trails if using the audit-trail alternative. Confirm that modifications and deletions can be identified and that original records can be recreated.
  • Review retention settings after employee departures. Make sure terminated users’ records are not lost when licenses or accounts are removed.
  • Control administrator permissions. Limit who can change retention, delete archives, alter legal holds, or modify capture settings.
  • Update WSPs. The written supervisory procedures should describe the actual systems used, the channels permitted, the channels prohibited, the archive process, and the escalation process.
  • Train personnel. Representatives and supervisors should know what systems they may use and what systems they may not use.
  • Document exceptions. If a channel fails to capture, a vendor outage occurs, or a representative uses an unapproved channel, document the issue and remediation.
  • Conduct periodic testing. Recordkeeping should be tested as part of the firm’s supervisory controls, annual compliance review, or another documented review process.

One Common Misunderstanding: Backups Are Not Archives

This point is worth saying plainly: a backup is not the same thing as a compliant archive.

A backup is designed to restore a system after a failure. An archive is designed to preserve records for retention, supervision, search, review, and regulatory production. A backup may overwrite older versions, may not be indexed for compliance review, may not preserve audit trails, and may not allow targeted production in the format regulators expect.

I still see firms that believe they are compliant because “everything is backed up.” That may be good disaster recovery. It is not necessarily Rule 17a-4 compliance.

Another Common Misunderstanding: The Vendor Does Not Own the Obligation

Broker-dealers often rely on vendors, and there is nothing wrong with that. In fact, for many small firms, using a reputable archive vendor is the most practical way to satisfy the rule.

But an agreement with an outside entity does not relieve the broker-dealer of its responsibility to prepare, maintain, preserve, and produce its books and records. Rule 17a-4(i) says that directly. The firm owns the obligation even when a vendor owns the servers.

That means the firm should not simply buy a tool and move on. It should understand what the tool captures, what it does not capture, how retention is configured, how production works, what undertakings exist, and what happens if the vendor relationship ends.

What Has Not Changed Since 2014

When I wrote about this topic in 2014, I made a simple point: broker-dealer records must be permanent, indexed, and accessible. The technical vocabulary has changed. The technology has changed. The rule has changed. But that basic point remains true.

Records must be preserved for the required period. They must be protected from improper alteration or deletion. They must be organized so the firm can find them. And when FINRA or the SEC asks for them, the firm must be able to produce them promptly.

The most expensive recordkeeping systems are not the ones that cost money every month. The most expensive systems are the ones that fail during an examination.

Final Thoughts

SEA Rule 17a-4 is an old rule in a new world, but it is not a dead rule. If anything, it matters more now because broker-dealer records are scattered across more systems than ever before. Email is only the beginning. The modern recordkeeping program has to account for cloud platforms, messaging tools, CRM systems, supervisory workflows, mobile devices, third-party vendors, and off-channel communications.

The SEC’s modernization of Rule 17a-4(f) was helpful because it acknowledged that WORM is no longer the only technological answer. But the modernization did not lower the bar. It changed the way firms can meet the bar.

For broker-dealers, the practical question is not whether the record sits on paper, microfiche, optical disk, a WORM archive, an audit-trail-compliant cloud system, or a third-party platform. The practical question is whether the firm can prove that the record was preserved, locate it, produce it, and explain the controls around it.

That is what FINRA and the SEC care about. And that is what firms should be testing before an examiner asks.

Mitchell Atkins, CRCP, is a former FINRA executive and the founder of FirstMark Regulatory Solutions. FirstMark assists broker-dealers with written supervisory procedures, supervisory controls testing, AML independent testing, electronic recordkeeping reviews, branch office issues, FINRA membership applications, and broader broker-dealer compliance matters. If you have questions about SEA Rule 17a-4, electronic communications retention, WORM or audit-trail recordkeeping systems, or vendor undertaking requirements, contact FirstMark at 561-948-6511 or through the FirstMark contact form.