Question: In 1937, the Securities and Exchange Commission (SEC) set out rules that stipulated records retention requirements for securities brokers and dealers. The SEC's concern was (and is) that records of financial transactions not be altered after the fact, that they be retained for a stipulated period of time, and that indexes be created so that the records can be readily searched. In 1937, the rules assumed that such records were recorded on paper media. With the rise of information systems storage, the SEC updated the rules in 1997 by stating that such records can be kept electronically, provided that the storage devices are write once, read many times (WORM) devices. This rule was readily accepted by the financial services industry because the first CDs and DVDs were WORM devices. However, as technology developed, broker-dealers and other financial institutions wanted to store records using regular disk storage and petitioned the SEC for guidance on how they might do that.
In May 2003, the SEC interpreted the rule to enable the storage of such records on read-write medium, provided that the storage mechanism included software that would prohibit data alternation: A broker-dealer would not violate the requirement in paragraph (f)(2)(ii)(A) of the rule if it used an electronic storage system that prevents the overwriting, erasing or otherwise altering of a record during its required retention period through the use of integrated hardware and software control codes. Rule 17a-4 requires brokerdealers to retain records for specified lengths of time. Therefore, it follows that the non-erasable and non-rewriteable aspect of their storage need not continue beyond that period. The Commission's interpretation does not include storage systems that only mitigate the risk a record will be overwritten or erased. Such systems-which may use software applications to protect electronic records, such as authentication and approval policies, passwords or other extrinsic security controls-do not maintain the records in a manner that is non-rewriteable and non-erasable. The external measures used by these other systems do not prevent a record from being changed or deleted.
For example, they might limit access to records through the use of passwords. Additionally, they might create a "finger print" of the record based on its content. If the record is changed, the fingerprint will indicate that it was altered (but the original record would not be preserved). The ability to overwrite or erase records stored on these systems makes them non-compliant with Rule 17a-4(f).6 Notice the SEC specifically excludes extrinsic controls such as authentication, passwords, and manual procedures because it believes it would be possible for such systems to be readily misused to overwrite records. The SEC is striking a fine line in this ruling; if, for example, someone were to tamper with the storage systems' software, it would be possible to overwrite data. Apparently, the SEC assumes such tampering would be illegal and so rare as to not be a concern. Given this ruling, organizations began to develop systems in compliance. The NASDAQ OMX Group, a multinational corporation that owns and operates the NASDAQ stock market as well as eight European exchanges, developed FinQloud, a cloud-based storage system that is compliant with the SEC's (and other regulating organizations') rulings.
NASDAQ OMX operates in 70 different markets, in 50 countries worldwide, and claims that it processes one out of 10 stock transactions worldwide.7 Figure 6-13 shows the fundamental structure of the FinQloud system. On the back end, it uses Amazon's S3 product to provide scalable, elastic storage. When financial institutions submit records to FinQloud for storage, FinQloud processes the data in such a way that it cannot be updated, encrypts the data, and transmits the processed, encrypted data to AWS, where it is encrypted yet again and stored on S3 devices. Data is indexed on S3 and can be readily read by authorized users. When development was complete, NASDAQ OMS claimed that FinQloud's processing and encryption were done in such a way that the system meets the SEC requirement. Of course, NASDAQ OMX's knew that this statement would be perceived as self-serving, so it hired two independent companies to verify it: Jordan & Jordan, a securities industry consulting company, and Cohasset Associates, a documentprocessing consulting company. According to The Wall Street Journal, both organizations concluded that when properly configured, FinQloud meets the requirements of the SEC's rule (Rule 17a-3) as well as a similar rule set out by the Commodities Futures Trading Commission.8 Consequently, NASDAQ OMX customers can use FinQloud; as long as the customers demonstrate that they have properly configured FinQloud, auditors will find it to be in compliance with the SEC rulings.
1. In your own words, summarize the dealer-broker record retention requirements.
2. Reread the SEC's 2003 interpretation. In your own words, explain the difference between "integrated hardware and 8 Greg MacSweeney, "Nasdaq OMX FinQloud R3 Meets SEC/CFTC Regulatory Requirements, Say Consultants," April 15, 2013, https://www.wallstreetandtech. com/data-management/nasdaq-omx-finqloud-r3-meets-seccftc-reg/240152909. software control codes" and software applications that use "authentication and approval policies, passwords, or other extrinsic controls." Give an example of each.
3. Clearly, in the view of the SEC, the likelihood of compromise of an integrated system of hardware and software is considerably less than the likelihood of compromise of a system of authentication, passwords, and procedures. Justify this view.
4. Do you agree with the view in question 6? Why or why not?
5. Investigate Jordan & Jordan (www.jandj.com/) and Cohasset Associates (www.cohasset.com). If you were a consultant to a financial institution, to what extent would you rely on the statements of these organizations?
6. If you were a consultant to a financial institution, what else might you do to verify that FinQloud complies with the SEC ruling and its 2003 interpretation?
7. Explain how the knowledge that you have gained so far in this course helps you understand the SEC's 2003 interpretation. Summarize how your knowledge would help you if you worked for a financial institution. Cast your answers to this question in a way that you could use in a job interview.