Theta Lake Blog

Regulatory Perspectives From Theta Lake: SEC 17a-4 Modernization

Posted by Marc Gilman on Nov 1, 2022 7:00:00 AM

When it comes to dynamic messaging content from collaboration tools like Webex, Zoom, Slack, and Microsoft Teams as well as SMS, mobile messaging, and consumer applications like WhatsApp, the SEC’s updated recordkeeping Rule 17a-4 announced on October 12, 2022 signals a sea change for broker-dealers. The SEC replaced its antiquated “non-erasable, non-rewritable” electronic recordkeeping requirement in place since the late-90s with a technology-neutral approach centered around audit trail data, which provides far greater flexibility in implementation.

At Theta Lake, we welcome the modernization of Rule 17a-4 as it allows our financial services customers to more easily manage archiving controls for SEC-regulated electronic communications records.  In addition, the spirit and letter of the revised Rule aligns with Theta Lake’s modern approach to the capture, retention, and supervision of complex, interactive video, voice, chat, and email conversation data.

As we noted in our 2022 Modern Communications Security and Compliance Report, 97% of firms are using two or more communication tools, so the ability to seamlessly and compliantly capture dynamic data across a range of platforms is key.  With 100+ platform integrations, Theta Lake enables easy and effective compliance with the SEC’s new recordkeeping requirements.

For customers, the updated Rule 17a-4(f) offers a flexible, audit trail-based option that makes it easier to retain dynamic data from electronic communications to databases and beyond.  The revised Rule 17a-4(f)(2)(i)(A) allows broker-dealers to:

“Preserve a record for the duration of its applicable retention period in a manner that maintains a complete time-stamped audit trail that includes:

(1) All modifications to and deletions of the record or any part thereof;

(2) The date and time of actions that create, modify, or delete the record;

(3) If applicable, the identity of the individual creating, modifying, or deleting the record; and

(4) Any other information needed to maintain an audit trail of the record in a way that maintains security, signatures, and data to ensure the authenticity and reliability of the record and will permit re-creation of the original record if it is modified or deleted;”

No longer do customers need to comply with the integrated hardware- and software-based controls mandated as part of the “write once, read many” or “WORM” standard.  So long as customers can demonstrate that the audit trail controls described above are in place, the requirements of the new Rule are met.

At Theta Lake, baseline storage controls are built on our SOC 2, Type 2-audited STAR3 security architecture, which by default includes all of the audit trail controls articulated by the SEC as well as additional redundancy, cybersecurity, and confidentiality protections.  Theta Lake records all modifications and deletions of a record; the date, time, and identities of creations, modifications, or deletions; and the information needed to maintain the security, signatures, and data to ensure the authenticity and reliability of the communication record.  Theta Lake deploys these controls as a standard across all customer accounts, so there are no additional actions customers need to take to comply with the new SEC Rule.  Theta Lake is audited annually as part of its SOC 2, Type 2 commitments and also aligns its technical controls with the ISO 27001 and HIPAA standards.

Turn on Theta Lake, and you are SEC 17a-4 compliant.

The increased technical flexibility of the Rule facilitates more comprehensive and sophisticated electronic communications compliance, which perfectly aligns with Theta Lake’s forward-thinking strategic approach to compliance controls that have been part and parcel of the platform since day one.

The collaboration, chat, and consumer applications firms use to communicate have exponentially increased in popularity because of diverse feature sets that include screen sharing, webcams, whiteboards, and file transfers as well as the ability to include reactions, emojis, and GIFs throughout conversations.  Employees want to use these features to interact with customers, prospects, and peers; and these features make communication and collaboration more efficient and effective.

Theta Lake’s platform is purpose-built for these new communication capabilities–our API-based integrations capture every element of a dynamic conversation and present that conversation in an intuitive, native view that replicates the look and feel of the source system, without compromising any of the audit-trail data required to comply with the SEC Rule.  So, for example, Theta Lake’s integration with Zoom captures every aspect of a conversation from video and audio to file transfers, chat, and reactions, including edits and deletions to messages.  The Zoom meeting is preserved in its entirety for subsequent supervision and compliant archiving, including application of our AI-based risk detections where enabled.

Moreover, Theta Lake’s integrations are not simple technical widgets–all of the leading communications platforms are strategic investors, including Cisco, RingCentral, Salesforce/Slack, and Zoom.  These strategic relationships allow us to build better integrations based on customer feedback at a speed and scale our competitors cannot match.

Theta Lake’s approach has clear advantages over legacy vendors who reduce every communication to an email message, often excluding or degrading the related video, voice, file transfers, reactions, and emojis, in an attempt to align with the dated WORM standard.  Legacy vendors will struggle with the SEC’s new standard, still mired in an archiving approach rooted in the ancient email age of the late-1990s. Those vendors also take a storage-fee-based approach, passing their storage costs on to the customer. With Theta Lake, you have up to 1PB to use free of charge.

In the Theta Lake Compliance platform, archived customer data is always available for export without any extra fees or assistance.  Customers can bring their own cloud storage infrastructure to manage data in AWS or Azure and apply the new Rule 17a-4 controls.

Deploying Theta Lake ensures that employees can use the full features of the business-critical communication platforms and compliance teams can be confident that communication records are archived in conformance with the SEC’s new audit trail-based requirements.

To learn more about Theta Lake please contact us.


Theta Lake provides security and compliance for modern collaboration platforms using frictionless partner integrations with Cisco Webex, Microsoft Teams, RingCentral, Slack, Zoom, and more. Using patented machine learning and NLP, Theta Lake detects risks in: video, voice, chat, and document content across what is shared, shown, spoken, and typed. Those risks are surfaced in an AI-assisted, patent-pending review workspace that adds consistency, efficiency, and scale for security and compliance teams. All of this enables organizations to safely realize the full ROI of a collaboration-first workplace while reducing the cost of security and compliance.
