
26 October 2022

Final update to SEC Rule 17a-4

Article by Shawn Brazeau


SEC 17a-4 Final Rule

In the first change to its recordkeeping requirements in 25 years, the Securities and Exchange Commission (SEC) has updated its electronic recordkeeping requirements and published its final rule for SEC 17a-4, under SEC 18a-6.

As summarized in the SEC fact sheet on final amendments to electronic recordkeeping requirements, the Securities and Exchange Commission adopted amendments to the electronic recordkeeping requirements for broker-dealers, security-based swap dealers (“SBSDs”), and major security-based swap participants (“MSBSPs”).

The amendments to SEC rule 17a-4, under SEC 18a-6, modernize recordkeeping requirements and are adaptable to new technologies in electronic recordkeeping. The amendments will also facilitate examinations of broker-dealers, SBSDs, and MSBSPs.

The update, found under SEC 18a-6, was issued on October 12, 2022, and will go into effect 60 days later.

SEC Rule 17a-4 updates

The amendments to SEC rule 17a-4 modify requirements regarding the maintenance and preservation of electronic records, the use of third-party recordkeeping services to hold records, and the prompt production of records. Review the amendments to SEC rule 17a-4 in more detail below:

  • WORM requirement eliminated - A major reason for the rule change was to keep up with technology. The prior recordkeeping rule, written in 1997, required firms to preserve electronic records exclusively in a non-rewriteable and non-erasable format, such as a CD-ROM. This write-once/read-many (WORM) format will no longer be required, so firms can store information on their own servers – or those of a third party – as long as the SEC has a way to access the data and the system preserves electronic records in a manner that permits recreation of the original. This includes the ability to save their records to the cloud along with an audit trail to record changes.

  • Assign a Designated Third Party (D3P) or Designated Executive Officer (DEO) to provide access to the firm’s electronic records – In lieu of outsourcing this requirement to a third party, the firm may elect to insource this function by having a Designated Executive Officer of the firm serve in this role. The goal is that either the DEO or the D3P, depending on who has filed the Letter of Undertaking and provides representation, can access the firm’s electronic records and provide them to securities regulators if the firm fails or is unable to do so.

  • SBSDs and MSBSPs need to take notice - For the first time, these requirements will apply to nonbank security-based swap dealers and major security-based swap participants.

How will the SEC Rule 17a-4 changes impact broker-dealers & SBS entities?

The new SEC 17a-4 rules require a revised undertaking that may be prepared by either a Designated Third Party (D3P) or a Designated Executive Officer (DEO) who is in senior management. The requirements of the undertaking are demanding and require access and the ability to provide records maintained and preserved on the electronic recordkeeping system. This includes knowledge not only of all repositories containing covered records but also passwords, credentials, and other information required to access such records and, if applicable, audit trails for such records.

The requirements of the rule will need to be actively managed in terms of monitoring the technical requirements to access records and key personnel on the DEO’s team. Accordingly, insourcing the D3P function and being responsible for compliance is no small matter, especially since senior officers of the firm must focus on pressing business requirements.

Firms must seriously consider if this is a recordkeeping requirement they want to manage.

Does it make sense to insource this function, or to continue to keep it in the hands of the experts?

Responsibilities of the Designated Executive Officer (DEO)

If you are the person who is called upon to be the Designated Executive Officer (DEO) for your firm, you are taking on the burden of actively managing and monitoring the technical requirements to access records, as well as ensuring there are backup specialists on your team if you are out. In short, you are on the hook for compliance.

The challenge for the DEO is creating their own version of an internal D3P service. Importantly, mechanisms in the new rule point to a high expectation from the SEC that such a team has robust technical capabilities to provide timely access to records and employ redundancy with multiple technical resources if needed. For instance, due to the scope of the new rule’s access requirements, the DEO may rely on up to three designated specialists with the requisite knowledge to access records. Such specialists must report directly or indirectly to the DEO.

Despite the option to rely on these specialists, the DEO is nevertheless “at all times responsible for fulfilling the obligations set forth in the undertakings,” which means the DEO is responsible for the success of their team. In addition, the DEO may appoint up to two designated officers to stand in for the DEO if the DEO is unavailable to fulfill their obligations. Such designated officers must also report directly or indirectly to the DEO.

Letters of Undertaking are Still a Requirement

One thing that has not changed in SEC rule 17a-4 is the requirement for a Letter of Undertaking. The Letter of Undertaking is filed by the Broker-Dealer with the regulators through the EDGAR upload and details the system and entity covered.

If you handle compliance with SEC Rule 17a-4 in-house (18a-6 for in-house), you’ll be responsible for the Letter of Undertaking. If you outsource this function to a Designated Third Party, the D3P will provide and sign this letter in which it represents that it will access the records at the request of the Commission.

When do SEC Rule 17a-4 changes come into effect?

The final amendments to SEC rule 17a-4 will become effective 60 days after they are published in the Federal Register. The compliance dates for the new requirements will be six months after publication in the Federal Register for broker-dealers and 12 months after publication in the Federal Register for SBSDs and MSBSPs.


In our view, this is a vote of confidence for the Designated Third Party (D3P) requirement. Instead of eliminating it as proposed, the role of the D3P has been expanded to serve regulatory requirements for SBS entities as well as broker-dealers.

Historically, even with the help of Designated Third Parties under the existing rule, a surprising number of firms have struggled with the comparatively minimal internal requirements for compliance. Firms choosing the Designated Executive Officer option will have even more responsibility, which risks noncompliance with the requirements of the new rules.

Fortunately, the D3P option provides a means to definitively address these requirements through a team of specialists with the knowledge and expertise required to meet the obligations of the new rule without creating additional internal burdens.

SEC Rule 17a-4 D3P Compliance Service

NCC Group SEC 17a-4 D3P Compliance Service

Our comprehensive 17a-4 D3P Compliance service is available for all types of electronic records. It offers compliance for an extraordinarily broad range of document management applications, including client-server to mainframe systems.

