Securities and Exchange Commission (SEC) Rule 17a-4(f) United States

About SEC Rule 17a-4(f)

The US Securities and Exchange Commission (SEC) is an independent agency of the US federal government and the primary overseer and regulator of US securities markets. It wields enforcement authority over federal securities laws, proposes new securities rules, and oversees market regulation of the securities industry.

The SEC defines rigorous and explicit requirements for regulated entities that elect to retain books and records on electronic storage media. It established 17 CFR 240.17a-3 and 17 CFR 240.17a-4 to regulate recordkeeping, including retention periods, for securities broker-dealers. Later, the SEC amended 17 CFR 240.17a-4 paragraph (f), issuing two interpretive releases expressly to allow books and records to be retained on electronic storage media as long as certain conditions were met.

An electronic storage system meets those conditions if it prevents the alteration or erasure of records for the required retention period. Retention periods vary from three to six years based on record types, with immediate accessibility mandated for the first two years. Moreover, one of the interpretive releases requires that the storage system be capable of retaining records beyond the SEC-established retention period to comply with subpoenas, legal hold, or other such requirements.

Microsoft and SEC Rule 17a-4(f)

Financial services customers, representing one of the most heavily regulated industries in the world, are subject to complex provisions such as the retention of financial transactions and related communication in a non-erasable and non-modifiable state. Among the most prescriptive is Rule 17a-4(f) of the US Securities and Exchange Commission (SEC), which stipulates stringent requirements for regulated entities that elect to retain books and records on electronic storage media. Stored records must be tamper-proof, with no ability to alter or delete them until after the designated retention period.

Microsoft Azure Immutable Blob Storage with Policy Lock and Microsoft Office 365 with Preservation Lock can help financial institutions meet the immutable storage requirements of SEC Rule 17a-4(f).

To evaluate Azure and Office 365 compliance with SEC Rule 17a-4(f), Microsoft retained an independent assessment firm that specializes in records management and information governance, Cohasset Associates. In the resulting report for:

  • Azure: SEC 17a-4(f) Compliance Assessment: Microsoft Azure Storage, Cohasset validated that Azure Immutable Blob Storage with the Policy Lock option, when used to retain time-based Blobs in a non-erasable and non-rewritable (WORM) format, meets the immutable storage requirements of the SEC rule. Each Blob (record) is protected from being modified, overwritten, or deleted until the required retention period has expired and any associated legal holds have been released. Software providers and partners with sensitive workloads can now rely on Azure Immutable Blob Storage as a one-stop-shop cloud solution for records retention and immutable storage. Financial institutions can now build their own applications taking advantage of these features while remaining compliant.
  • Microsoft 365: For SEC 17a-4(f) requirements, Cohasset validated that Microsoft 365 includes archiving features that enable regulated customers, including broker-dealers, to store data in a manner that helps them comply with SEC requirements for records retention. Retention features in Microsoft 365 help preserve a wide range of data, including email, voicemail, shared documents, instant messages, and third-party data. In particular, archiving in Microsoft 365 enables customers to set global or granular messaging retention policies to store data for a defined period and beyond in a non-rewritable, non-erasable format.
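Added example (not Microsoft's or Cohasset's code) of the check a records administrator would run over the JSON that the `az storage container immutability-policy show` and `az storage container legal-hold show` commands print for a container: the policy must be locked and its period must cover the longest retention period the page names, and a blob becomes deletable only once that period has elapsed and no legal hold remains. The JSON field names are assumed from the Azure Storage REST API and the sample output below is constructed.

```python
import json
from datetime import date, timedelta

# Longest SEC 17a-4 retention period named on this page: six years.
REQUIRED_RETENTION_DAYS = 6 * 365


def audit_container(policy_json: str, legal_hold_json: str) -> dict:
    """Check one container's immutability policy and legal-hold state.

    Field names (state, immutabilityPeriodSinceCreationInDays, hasLegalHold,
    tags) are assumed from the Azure Storage REST API.
    """
    policy = json.loads(policy_json)
    hold = json.loads(legal_hold_json)
    deficiencies = []
    # Policy Lock is what the assessment covers: an unlocked policy can still
    # be shortened or deleted by an administrator, so it is not WORM.
    if policy.get("state") != "Locked":
        deficiencies.append("immutability policy is not locked")
    days = int(policy.get("immutabilityPeriodSinceCreationInDays", 0))
    if days < REQUIRED_RETENTION_DAYS:
        deficiencies.append(
            f"retention {days} days is shorter than {REQUIRED_RETENTION_DAYS}")
    return {
        "compliant": not deficiencies,
        "deficiencies": deficiencies,
        "retention_days": days,
        "legal_hold_tags": list(hold.get("tags", [])) if hold.get("hasLegalHold") else [],
    }


def earliest_deletion(created: date, audit: dict):
    """First date a blob written on `created` may be deleted, or None while a
    legal hold keeps it beyond the time-based retention period."""
    if audit["legal_hold_tags"]:
        return None
    return created + timedelta(days=audit["retention_days"])


# Constructed sample CLI output; not taken from a real storage account.
LOCKED_POLICY = '{"immutabilityPeriodSinceCreationInDays": 2190, "state": "Locked"}'
UNLOCKED_POLICY = '{"immutabilityPeriodSinceCreationInDays": 365, "state": "Unlocked"}'
HOLD_ACTIVE = '{"hasLegalHold": true, "tags": ["litigation-placeholder"]}'
NO_HOLD = '{"hasLegalHold": false, "tags": []}'

if __name__ == "__main__":
    for name, pol, hold in [("records", LOCKED_POLICY, HOLD_ACTIVE),
                            ("staging", UNLOCKED_POLICY, NO_HOLD)]:
        result = audit_container(pol, hold)
        print(name, result, earliest_deletion(date(2024, 1, 1), result))
```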

Microsoft in-scope cloud services

Audits, reports, and certificates

Azure & SEC Rule 17

SEC 17a-4(f) & CFTC 1.31 (c-d) Compliance Assessment of Azure Storage

Office 365 & SEC Rule 17

SEC 17a-4(f) Compliance Assessment: Microsoft Security & Compliance Center with SharePoint, OneDrive, Teams, Exchange, and Skype for Business

How to implement

Financial services regulation

Compliance map of key US regulatory principles for cloud computing and Microsoft online services.

Risk Assessment & Compliance Guide

Create a governance model for risk assessment of Microsoft cloud services, and regulator notification.

Financial use cases

Use case overviews, tutorials, and other resources to build Azure solutions for financial services.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.