Deconstructing SEA FINRA 17a-4 (WORM Compliance)

March 8, 2017 Jonathan Fiur

Reducing risk, both reputational and financial, while providing peace of mind for marketing and compliance leaders, is the key benefit of a FINRA-compliant WORM solution for record retention. As marketers in Financial Services, we have a responsibility to maintain a record of a lot of communications and information in a static but searchable format that can be accessed at a moment’s notice. And we need to retain this for a minimum of several years. So how does a Financial Services marketing department ensure an effective strategy to comply with 17a-4?

Let’s Start with the Basics

Section 17(a) of the Securities Exchange Act of 1934, and more precisely, Rules 17a-3 and 17a-4 (“The Rules”), require that broker-dealers (the “Firm”) create and maintain a thorough record of not only each securities transaction effected by the Firm, but also of its securities business in general. These rules establish minimum requirements for recordkeeping:

  • Rule 17a-3 defines which records broker-dealers must retain: securities records, order tickets, trade confirmations, account statements, trade blotters, ledgers (asset and liability, customer account, income), along with trial balances and employment-related documents.
  • Rule 17a-4 defines the record retention policy: the time and manner in which these records must be maintained. Additionally, the Financial Industry Regulatory Authority (FINRA) imposes certain recordkeeping requirements on firms that are members of that Self-Regulatory Organization (SRO).

It’s the sub-part SEC Rule 17a-4(b)(4) that specifically impacts marketers, as it imposes requirements on the preservation and content of internal and external communications by the Firm.

  • Internal Communications: The rules require the preservation of all inter-office messages and other internal communications.

The Five “-abilities”

As Financial Services regulations go, FINRA 17a-4 is fairly straightforward. And, like most regulations, the devil is in the details. Originally, the rules applied to paper records and micro-film or microfiche. In 1997, the rules were amended to provide for the use of electronic storage for record retention. Although the rules do not specify any particular technology, they do set forth certain requirements for electronic storage. When I talk to a marketer about 17a-4 compliance, I deconstruct it into five elements that their firm’s approach must provide: the five "-abilities," if you will.

  • Immutability
  • Discoverability
  • Auditability
  • Retainability
  • Destructibility


Immutability means that the final version of the communications or marketing assets and related documentation—as well as any relevant metadata—must be written to an unchangeable archive device, such as a WORM (write once, read many) drive. This ensures that data cannot be changed once it’s written to the device.


Discoverability is the need to have this archive be indexed in a way that makes it fully searchable by the metadata and key attributes so that any information in the communication can be retrieved and reviewed.

Additionally, part of this, 17a-(a)(21), includes that there be “Persons to explain Records and their Content.” This means that there needs to be a listing of the personnel at a particular office who can, with no delay, explain the various information held in the archive and decode how the firm creates, stores, names, and organizes these records.


Auditability (my favorite made-up word) covers the need to log and record every event that occurs from the first writing of the data to the moment it is destroyed. Think of it as a “chain of custody” for your archived communications.


While 17a-4 specifies the minimum retention period of data (three years), your organization's timeframe may vary. Therefore, the system must support the ability to retain different records per your company's retention policies and procedures. When those policies expire, you end up at the last “-ability.”


The final step for retained records is their expiration and destruction. Financial institutions do not want to hold records for a moment longer than their policies require. So although it’s not explicitly called out in FINRA 17a-4, a key piece of this is the ability to destroy the records when they expire. Your organization will have record-destruction policies that dictate the method of destruction and how many times the device would be overwritten to eradicate any trace of data.

Be FINRA 17a-4 Ready with the Right Technology

How do you ensure that your company complies with SEA FINRA 17a-4 by putting the five “-abilities” to work? Through marketing operations technology. This is 2017, after all.

To make sure that your company’s technology helps you comply with FINRA 17a-4, consider these questions:

  1. Can I “lock down” all communications and marketing assets and their associated metadata to prevent further edits, but still provide search functionality?
  2. Can I quickly produce the required information to comply with Legal and Compliance audit requests?
  3. Does my technology have the capability to retain different records according to my company's retention policies and procedures?
  4. Can we back up these records to compliant storage at an offsite location?

If you’re at a firm that handles investments (broker-dealer) and your martech stack doesn’t include a WORM-compliant solution for marketing communications, it’s time to close that gap - before you incur penalties and fines. It’s time to invest in a marketing operations platform that automates these procedures. Of course, Aprimo can help.

For more information on these regulations, visit the following supporting sources:

SEC Interpretation: Electronic Storage of Broker-Dealer Records

(17a-3) Records to be Made by Certain Exchange Members, Brokers and Dealers

(17a-4) Records to be Preserved by Certain Exchange Members, Brokers and Dealers

This author is not a lawyer… he hasn’t even played one on TV. However, he has two decades of success operating at the intersection of Marketing, Technology, and CRM for global enterprises. Consult your corporate counsel or compliance officer to ensure that you understand your company’s policies and procedures as they relate to FINRA 17a-3 and 17a-4 compliance.

About the Author

Jonathan Fiur

Jonathan helps Financial Services customers sharpen their focus on and unlock the value of strategic, technology-enabled and compliant Marketing solutions that deliver measurable results in a regulated environment. With deep experience in planning and executing customer workshops, Jonathan has delivered numerous engagements for Aprimo customers across the globe. Having designed and led the marketing technology function for a Fortune 100 company, Jonathan brings considerable enterprise campaign management and operational marketing experience to every engagement. Jonathan has operated at the intersection of Marketing, CRM and IT for 18+ years. Prior to joining Aprimo, he served as the global marketing technology leader for Mercer, the HR consultancy.
