SOX and FINRA Requirements Around Cloud Data


Browsers are taking on the importance that operating systems once had, and the cloud is replacing storage utilities such as Google Drive and hard disks. This advancement has not, by itself, made confidential data secure. Professions such as accountants, lawyers and bankers routinely exchange sensitive information, and that exchange is vulnerable unless it is protected. To regulate the security of this kind of information, SEC and FINRA rules were enacted.

SEC and Sarbanes-Oxley Compliance

Enacted in 2002 as a consequence of the financial abuses at companies ranging from Xerox to Tyco, the Sarbanes-Oxley Act (SOX) plays a significant role in digital record keeping. As businesses of all sizes become more dependent on the cloud, SOX compliance will become a mandatory requirement for using cloud-based services. Because cloud services are directly tied to computing and therefore to financial reporting, SOX extends its influence to IT departments that handle electronic records. The clauses that deal with these elements are listed below:

  1. Sections 103 and 105 require that critical documents be retained for a fixed period of not less than 7 years.
  2. Section 802 defines procedures to guard against misuse such as falsification, destruction or tampering of specific financial records.
  3. Section 404 expects management to establish and maintain adequate internal controls for financial reporting.


SOX Compliance for Data Archiving

  1. Regardless of any other shortcomings, the data should always be protected with 256-bit AES encryption.
  2. Files should be securely stored at geographically diverse datacenters that comply with the defined SOX standards.
  3. It must be possible to restore data swiftly and accurately, along with any required audit information.
  4. Data retention should be set to the length of time prescribed in the SOX clauses.

SEC Regulations and Laws

The Securities and Exchange Commission (SEC) has a separate clause dedicated to digital data backup and archiving. It is listed under Part 241 of 17 CFR. Popularly known as the Exchange Act, it outlines in detail the requirements for data retention, indexing and accessibility for firms dealing in brokering, trading, bonds or stocks.

According to it, electronic records must be preserved in a non-rewritable, non-erasable format for the required retention period. Duplicate records must also be retained for the same period. Paragraph (f)(2)(ii)(A) of Rule 17a-4 states that “It requires broker-dealers maintaining records electronically to use a digital storage medium or system that [p]reserve[s] the records exclusively in a non-rewriteable, non-erasable format”
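The archiving checklist above and the 17a-4 "non-rewritable, non-erasable" requirement are easy to state and easy to get subtly wrong in a cloud deployment (for example, a retention lock that a privileged user can still shorten). The following is an added example, not code from the article or from any regulator, that evaluates a bucket configuration against those four controls. It assumes an AWS S3-style object store: the `encryption` and `object_lock` sections follow the shape of the S3 GetBucketEncryption and GetObjectLockConfiguration responses, while `region`, `replica_regions` and `audit_logging` are simplified fields constructed for this example so that it runs offline. All sample values are constructed.

```python
"""
Added example: check a cloud bucket configuration against the archiving
controls described above - AES-256 encryption at rest, geographically
diverse copies, WORM (non-rewritable, non-erasable) retention of at
least 7 years, and an audit trail for restores.

'encryption' and 'object_lock' mirror the AWS S3 GetBucketEncryption and
GetObjectLockConfiguration response shapes; 'region', 'replica_regions'
and 'audit_logging' are simplified fields constructed for this example.
"""
from dataclasses import dataclass

MIN_RETENTION_YEARS = 7  # retention period the article cites for SOX 103/105


@dataclass
class Finding:
    control: str
    ok: bool
    detail: str


def retention_years(rule: dict) -> float:
    """S3 DefaultRetention carries either Days or Years; normalise to years."""
    if "Years" in rule:
        return float(rule["Years"])
    return float(rule.get("Days", 0)) / 365.0


def check_bucket(cfg: dict) -> list:
    """Return one Finding per control; the bucket passes when every ok is True."""
    findings = []

    # 1. Encryption at rest: SSE-S3 ("AES256") and SSE-KMS ("aws:kms") both
    #    use AES-256; any other algorithm, or no default rule at all, fails.
    rules = cfg.get("encryption", {}).get("Rules", [])
    algos = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules}
    findings.append(Finding(
        "aes256_at_rest",
        bool(algos) and algos <= {"AES256", "aws:kms"},
        f"default SSE algorithms: {sorted(algos) or 'none'}",
    ))

    # 2. Geographic diversity: at least one replica outside the primary region.
    remote = [r for r in cfg.get("replica_regions", []) if r != cfg.get("region")]
    findings.append(Finding(
        "geo_diverse_copies", bool(remote),
        f"replicas outside {cfg.get('region')}: {remote or 'none'}",
    ))

    # 3. WORM retention: Object Lock enabled, default mode COMPLIANCE (GOVERNANCE
    #    lets privileged principals shorten or remove retention, so it is not
    #    "non-erasable"), and a default period of at least 7 years.
    lock = cfg.get("object_lock", {})
    default = lock.get("Rule", {}).get("DefaultRetention", {})
    years = retention_years(default) if default else 0.0
    worm_ok = (
        lock.get("ObjectLockEnabled") == "Enabled"
        and default.get("Mode") == "COMPLIANCE"
        and years >= MIN_RETENTION_YEARS
    )
    findings.append(Finding(
        "worm_retention", worm_ok,
        f"lock={lock.get('ObjectLockEnabled', 'Disabled')} mode={default.get('Mode')} years={years:g}",
    ))

    # 4. Audit trail, so that a restore can be reconstructed with its audit information.
    findings.append(Finding(
        "audit_logging", bool(cfg.get("audit_logging")),
        "access/audit logging enabled" if cfg.get("audit_logging") else "no audit logging",
    ))
    return findings


def is_compliant(cfg: dict) -> bool:
    return all(f.ok for f in check_bucket(cfg))


# Constructed samples: a weak configuration beside a corrected one.
WEAK_BUCKET = {
    "region": "us-east-1",
    "replica_regions": ["us-east-1"],  # copy kept in the same region only
    "encryption": {"Rules": []},       # no default encryption
    "object_lock": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}},
    },
    "audit_logging": False,
}

HARDENED_BUCKET = {
    "region": "us-east-1",
    "replica_regions": ["us-east-1", "eu-west-1"],
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "object_lock": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}},
    },
    "audit_logging": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(f"{name}: compliant={is_compliant(cfg)}")
        for f in check_bucket(cfg):
            print(f"  [{'PASS' if f.ok else 'FAIL'}] {f.control}: {f.detail}")
```

The weak configuration fails all four controls; note in particular that it does have Object Lock enabled, but in GOVERNANCE mode with a one-year default, which satisfies neither the non-erasable requirement nor the retention period.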

FINRA Compliance

The Financial Industry Regulatory Authority (FINRA) is the authorized successor of the National Association of Securities Dealers (NASD), created to handle arbitration, enforcement and member regulation related to the New York Stock Exchange. Where cloud hosting for the financial services industry is concerned, protection of personal information and of its processing takes priority over every other operation. Since brokerage firms and exchange markets depend on cloud-hosted data more than ever, FINRA states clauses specifically for it. Two FINRA regulations that emphasize this are:

  1. FINRA 3110: Requires every firm to preserve accounts and records in adherence to applicable SEC laws and specific FINRA rules. These regulations and policy statements are those prescribed by SEC Rule 17a-3.
  2. FINRA 3010: Requires firms to unconditionally maintain a system to supervise transactions and correspondence with their users. Companies must also establish and maintain a supervisory system with written procedures, reviewing incoming and outgoing electronic correspondence on a regular basis.

Other rule changes that give a general idea of this area are listed below:

  • NASD seeks to amend Rule 7010(k)(3) to make minor clarifying changes to the definition “Non-Professional” in Rule 7010(k)(3)(C)(i) and to add new Rule 7010(k)(3)(A)(iv).
  • NASD recently made minor clarifying amendments to the defined term “Non-Professional” in Rule 7010(k)(C)(3)(i), so that persons explicitly defined as “Non-Professional”, such as registered persons employed by a broker-dealer, should not be liable for professional fees for TRACE market data. This amendment became effective on June 1, 2005.
  • NASD believes that the proposed rule change is consistent with Section 15A(b)(6), which requires that NASD rules be designed to prevent fraudulent and manipulative acts. Section 15A(b)(5) of the Act provides for the equitable allocation of reasonable dues, fees and other charges among members using any facility or system that NASD operates or controls.
