Editor’s note: This post was updated in February 2023 to reflect the most up-to-date information regarding this topic.
While investing in digital strategies related to the customer experience is critical, financial services companies must also “digitize” when dealing with how data from those interactions is being stored and accessed. Under SEC 17a-4, the permissible medium of storage has evolved with technology, which now allows financial institutions to preserve records on electronic storage media, including CRM systems like Salesforce.
But like all customers in the industry, Salesforce customers within financial services are subject to strict audit and storage requirements that could confuse even the savviest IT and compliance professionals. These include SEC 17a-4, the rules of the Financial Industry Regulatory Authority (FINRA), and the Sarbanes-Oxley Act (SOX).
In this post, we’ll cover some of the requirements specified by these regulations and how Own enables Salesforce customers to meet these requirements.
1. Preserve records using either an audit trail or a non-rewritable, non-erasable format
This requirement, part of SEC 17a-4, is designed to ensure that electronic records are capable of being accurately reproduced for later reference by maintaining an audit-trail or storing the records in an unalterable form.
For additional guidance, FINRA Rule 4511(c) specifies that “all books and records required to be made pursuant to the FINRA rules shall be preserved in a format and media that complies with SEA (Securities Exchange Act) Rule 17a-4.” FINRA Rule 4511(c) also requires firms to preserve for a period of at least six years those books and records for which there is no specified retention period under applicable FINRA or SEA rules.
To help customers satisfy this requirement, Own backs up, indexes, and stores customer data with an immutable lock. This prevents customer data from being technically overwritten, updated, or altered by any process or any Own user activity. Own also defaults to FINRA’s required 6-year retention period, which is customizable to align with the retention period of the customer’s specific corporate requirements.
Another relevant regulation is the Sarbanes-Oxley Act (SOX), which stipulates how long certain audit records should be kept. For example, receivable or payable ledgers and tax returns must be kept for seven years, while customer invoices must be retained for five years.
While organizations must remain compliant with these regulations, storing all of this information in Salesforce for this length of time can become costly and cumbersome. To help customers avoid paying for additional storage space or having to delete records they shouldn’t, Own Archive is another way financial services companies can keep their records compliant and secure.
2. Automatically verify the quality and accuracy of the storage media recording process
In addition to setting standards for records themselves, SEC Rule 17a-4 also requires that companies “verify automatically the quality and accuracy of the storage media records process.” This means that you must preserve data integrity and quality for examination by auditors.
To enable this, the backup process compares a computed hash of the file before and after it has been written to storage in order to validate the backup and match it to the source. Furthermore, Own stores the backup in a compressed form, which has built-in cyclic redundancy checks (CRC) to provide error detection and integrity verification. Data is uploaded over Transport Layer Security (TLS 1.2), an industry-standard security protocol, reducing the risk of network-level errors during transmission.
Blockchain Verify registers a SHA-256 hash value in a public blockchain to support independent verification that a backup has not been altered since the time it was archived.
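The write-then-verify check described above, as an added example (not Own's code): it hashes the source with SHA-256, stores it compressed, re-reads the object, and shows that the archive CRC catches a storage fault while only the hash comparison catches a well-formed archive with different content. The function names, the file name, the sample records and the use of gzip as the compressed format are assumptions made for illustration.

```python
import gzip
import hashlib
import tempfile
import zlib
from pathlib import Path

# Constructed sample record export; not real customer data.
SAMPLE = b"Id,Name,Amount\n001,Acme Corp,1200.00\n002,Globex,845.50\n" * 50


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_backup(payload: bytes, dest: Path) -> str:
    """Hash the source, store it gzip-compressed, return the source hash."""
    source_hash = sha256_hex(payload)
    dest.write_bytes(gzip.compress(payload))
    return source_hash


def verify_backup(dest: Path, source_hash: str) -> str:
    """Re-read the stored object and compare it with the source hash."""
    try:
        # gzip validates the CRC-32 and length stored in the member trailer.
        restored = gzip.decompress(dest.read_bytes())
    except (OSError, EOFError, zlib.error):
        return "corrupt-archive"
    if sha256_hex(restored) != source_hash:
        return "hash-mismatch"
    return "verified"


def demo() -> dict:
    """Run the check on a clean, a bit-flipped and a substituted archive."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "backup.csv.gz"
        source_hash = write_backup(SAMPLE, dest)
        results["clean"] = verify_backup(dest, source_hash)
        # Storage fault: flip one bit in the stored CRC-32 (first trailer byte).
        blob = bytearray(dest.read_bytes())
        blob[-8] ^= 0x01
        dest.write_bytes(bytes(blob))
        results["bit_flip"] = verify_backup(dest, source_hash)
        # A well-formed archive of different content passes CRC, fails the hash.
        dest.write_bytes(gzip.compress(SAMPLE.replace(b"845.50", b"945.50")))
        results["substituted"] = verify_backup(dest, source_hash)
    return results
```

The CRC only proves the archive is internally consistent; matching the restored bytes against the hash taken from the source is what ties the stored copy to the original records.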
3. Serialize and time-date for the required retention period
SEC 17a-4 further requests that financial services companies serialize their electronic storage media and time-date this media for its required retention period. This makes it easy for auditors to identify records and establish a timeline for each record as it goes through its lifecycle.
To assist customers in fulfilling this request, Own ensures metadata has been created for each backup, including an index, unique ID, backup hash, and a serialized timestamp. Additionally, our solution collects data points about the backup, including when it started and completed, warnings, errors, size, records count, and record IDs.
4. Have the capacity to readily download indexes and records
To comply with SEC 17a-4, a firm’s electronic storage media must “have the capacity to readily download indexes and any records preserved on the storage media to any medium acceptable.” This means that the records management solution you choose needs to make its records downloadable in an accessible format.
Blockchain Verify provides customers and authorized auditors with multiple capabilities for downloading and exporting the data:
- Export full indexes of all backups over specific periods of time.
- Export specific files and metadata from within a backup into .CSV or industry-standard MySQL format.
- Export indexes, timestamps, and associated hashes to validate that the data’s integrity has been maintained throughout the data lifecycle.
5. Store separate, duplicate copies of all retained data
Under SEC 17a-4, financial services companies must “store a duplicate copy of the record, separately from the original, on any medium acceptable” under § 240.17a-4 for the time required. The intent of this requirement is to provide an alternate storage source for accessing the records, should the primary source be lost or damaged.
The Own infrastructure leverages encrypted, distributed object stores in multiple zones, spanning multiple data centers, within the customer's storage region. Own then ensures the replicated data's integrity is maintained through the data lifecycle across multiple zones.
Get an additional layer of security and compliance with Own Governance Plus
To this point, we’ve focused on how Own Blockchain Verify helps financial services companies meet compliance requirements for electronic storage, record-keeping, and integrity of Salesforce records. The SEC Compliance Assessment ebook provides more details about how Own solutions help customers comply with SEC Rule 17a-4, including technical details about Blockchain Verify.
However, Blockchain Verify is just one feature of Own Governance Plus, which was designed for larger enterprises with enhanced security and compliance requirements.
In addition to everything included in the Unlimited version of our plan, Governance Plus also includes:
- SEC Regulatory Compliance Letter: If asked, Own can provide a letter confirming that a customer is compliant with SEC 17a-4 specific to electronic storage requirements.
- Legal Hold: Own enables customers to find and label relevant “legal hold” backups in their backup history to preserve relevant data when litigation is reasonably anticipated.
- Bring Your Own Key (BYOK) and Bring Your Own Key Management System (BYOKMS) for AWS users or Bring Your Own Key Vault (BYOKV) for Azure users: Own's BYOK provides additional security controls over the keys used to encrypt and decrypt data stored on Own. Or, organizations can use their own encryption keys for data encryption at the bucket/vault level.