Gensler seeks to modernize recordkeeping with Rule 17a-4 amendments

The SEC has made amendments to recordkeeping Rule 17a-4 for the first time in 25 years. What do they mean, and how can firms prepare?

Think back to 1997, if you can. Did you have a mobile phone? What did your computer look like? Do you still remember your dial-up tone to connect to the internet?

Although many of us would not like to admit it, 1997 was a long time ago. Which is why it’s surprising that one of the SEC’s primary recordkeeping rules – Rule 17a-4 – has not been updated since then. That is, until now.

SEC Rule 17a-4 outlines the requirements for data retention, indexing, and accessibility for regulated entities who deal in the trade or brokering of financial securities.

Governing force

The rule obliges firms to ensure the retention and preservation of all transactions and official business records – including all communications. However, despite being the governing force behind record retention, the rule has not been updated since faxing was the most commonly used form of business communication. Fast forward 25 years, and we’ve seen technological growth worldwide roll out from WiFi to data storage on the cloud.

On October 12, 2022, SEC Chair Gary Gensler issued a Statement on Final Rule Amendments to Electronic Recordkeeping Requirements. Within that statement, he confirmed final changes that are designed to “modernize” the electronic recordkeeping requirements. He noted that the new Final Rule, if adopted, “would bring the Commission’s electronic recordkeeping requirements in line with technological innovation”.

What is changing?

Alongside the 146-page Final Rule, the SEC has published a Fact Sheet that clearly delineates the rules affected by the amendments. Those rules are:

  • Rules 17a-4(f) and (j) under the Securities Exchange Act of 1934 which govern the electronic recordkeeping and prompt production of records requirements for broker-dealers.
  • Rules 18a(6) and (g) that set out the electronic recordkeeping and prompt production of records requirements for security-based swap dealers (SBSDs) and major security-based swap participants (MSBSPs).
  • Rules 17a04(i) and 18a-6(f) concerning the provision of records to the SEC by a firm or third party.

Amendments to SEC Rule 17a-4 mean myriad changes for companies and the way they manage data. In particular, there are three big changes:

Removing the WORM requirement

Under the previous iteration of Rule 17a-4, firms had to ensure that their data was exclusively preserved in a non-rewritable and non-erasable format – known as the ‘Write Once, Read Many’ or ‘WORM’ format. This generally meant that recordkeeping should take place through the medium of pioneering technology such as CD-ROM.

But technology has evolved since then, and under the SEC’s amendments to Rule 17a-4, the WORM format will no longer be required. Instead, brokers are given alternative methods of data storage including storing it on their own servers or those of third parties. The critical points are that:

  • The preservation of records must have an audit trail.
  • The SEC will need to be able to access the firm’s data.
  • Any new system must ensure all business records (including communications data) is preserved in an electronic manner that allows for the recreation of the original, even if that original has been modified or erased.

Bring recordkeeping access in-house by electing a Designated Executive Officer (DEO)

Under the existing rules, broker-dealers are asked to hire a designated third party (D3P) who has access to the firm’s data.

However, amendments to SEC Rule 17a-4 now provide an alternative so that, instead of electing a D3P they can elect an internal DEO and bring the obligation in-house. This new rule adds greater flexibility to brokers when considering their recordkeeping requirements.

Whether having elected a DEO or a D3P, they will be required to have access to the firm’s electronic records and to provide those records to the regulator where the firms fails or is unable to.

New obligations for SBSDs and MSBSPs

Amendments to Rule 17a-4 now mean that, for the first time ever, SBSDs and MSBSPs will be subject to the SEC’s requirements.


The SEC’s amendments to SEC Rule 17a-4 are long overdue and will benefit many firms by offering flexibility and innovation in the way they retain, index, and access their electronic communication data.

For a long time, firms have struggled to understand and struggled to comply with the SEC’s recordkeeping rules, especially as technological solutions have developed. The modernization of Rule 17a-4 will likely offer much needed clarity, as well as “flexibility to address new technologies, such as the cloud, that firms use to store records”.

As well as providing the gift of flexibility, Gensler notes that the amendments could have cost advantages too.

For example, firms that already use audit-trail technology for their day-to-day records may now use that technology to comply with this rule, rather than feel on the ‘hook’ to keep separate, WORM-compliant records.”


The final amendments to the Rule come into effect 60 days after they are published in the Federal Register. The compliance date, however, differs for broker-dealers, MSBSPs, and SBSDs – presumably to give those less prepared more time to comply. Broker-dealers will have six months to comply from the date the amendments are published in the Federal Register, while MSBSPs and SBSDs will have 12 months to comply.

In this transitional time, firms should consider how best they want to utilize third parties to meet recordkeeping requirement obligations and whether they wish to elect a DEO as an alternative. It is likely that the new role of a DEO will be onerous given that they will be expected to maintain the same unwavering standards as a highly trained, experienced D3P firm.

Firms should also take stock of the technology they currently use to maintain recordkeeping requirements and explore its suitability to keep up with amended rules. Does your recordkeeping archive allow for functional searchability and eDiscovery? Do you have the tools you need to meet regulatory disclosure and audit trail requirements when requested?