SEC Rules 17a-4 and 18a-6
What AWS Offers
AWS offers separate contractual addenda to help customers address certain recordkeeping requirements set forth in SEC Rules 17a-4 and 18a-6. You may review and accept the appropriate addendum in the Agreements section of AWS Artifact using the AWS account(s) you use to maintain and preserve your regulated records.
After you accept the terms of the appropriate addendum, AWS will ask you to provide certain information which we will use to prepare and submit a Letter of Undertaking to the SEC. AWS will file a Letter of Undertaking directly with the SEC on behalf of eligible AWS customers, in accordance with Section 17 CFR 240.17a-4(i)(1)(ii)(A) or 17 CFR 240.18a-6(f)(1)(ii)(A), as applicable. AWS does not act as a Designated Third Party (“D3P”), or file undertakings pursuant to Section 17 CFR 240.17a-4(f)(3)(v)(A) or 17 CFR 240.18a-6(e)(3)(v)(A).
If you are an AWS customer who has customers that are regulated pursuant to SEC Rules 17a-4 or 18a-6, contact your AWS account team with your questions.
Overview - SEC Recordkeeping on AWS
Broker-dealers (BDs), security-based swap dealers (SBSDs), and major security-based swap participants (MSBSPs) are using AWS’s cloud services to produce, maintain, and preserve electronic records.
The US Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC) and the Financial Industry Regulatory Authority (FINRA) have recordkeeping rules that establish the types of records that covered entities must maintain. SEC and FINRA rules also set out requirements that covered entities must meet if they store these records on “electronic storage media” (ESM) such as Amazon S3, Amazon FSx for NetApp ONTAP, or AWS Backup. For customers in the financial services industry, Amazon S3 Object Lock, Amazon S3 Glacier Vault Lock, Amazon FSx for NetApp ONTAP with SnapLock, or AWS Backup Vault Lock provide added support for customers who choose to retain records in a non-erasable and non-rewritable (WORM) format. Customers can easily designate the records retention timeframe to retain regulatory archives in the original form for the required duration, and also place legal holds to retain data until the hold is removed. Please note that the latest version of Rule 17a-4 adds an audit-trail alternative to the non-erasable and non-rewritable requirement.
Cohasset Associates, a third-party management consulting firm that specializes in records management and information governance, has produced reports describing how Amazon S3 Object Lock, Amazon S3 Glacier Vault Lock, Amazon FSx for NetApp ONTAP with SnapLock, and AWS Backup Vault Lock, when properly configured, can help customers meet their compliance requirements described in SEC, CFTC and FINRA rules. AWS customers can also use AWS services to store or replicate data in multiple regions, encrypt their data in motion and at rest, and use tools such as AWS CloudTrail to enable governance, compliance, and auditing of their AWS account. AWS understands financial services institutions have unique security, regulatory, and compliance obligations. AWS’s financial services industry specialists are ready to assist customers in building with AWS technologies.
For technical implementation considerations, please see our documentation for S3 Object Lock, S3 Glacier Vault Lock, Amazon FSx for ONTAP with SnapLock, and AWS Backup Vault Lock.
AWS offers its customers separate contractual addenda for 17a-4 and 18a-6. After the appropriate addendum in AWS Artifact is electronically accepted by the Customer, AWS will send a signed Letter of Undertaking to the SEC, pursuant to Section 17 CFR 240.17a-4(i)(1)(ii)(A) or 17 CFR 240.18a-6(f)(1)(ii)(A), as applicable. For information on how to accept contractual addenda terms for your eligible AWS Account(s) containing 17a-4 or 18a-6 records, please see the instructions within the Agreements section of AWS Artifact.
Contact your AWS account team to explore broker-dealer recordkeeping on AWS today.