MinIO Object Storage: SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) Compliance Assessment
Download PDFRegulators, world-wide, establish explicit requirements for regulated entities that elect to retain books and records1 on electronic storage media. Given the prevalence of electronic books and records, these requirements apply to most broker-dealer and commodity futures trading firms and other organizations with similarly regulated operations.
This Introduction briefly summarizes the regulatory environment pertaining to this assessment, explains the purpose and approach for Cohasset’s assessment, and provides an overview of MinIO Object Storage and the scope of this assessment.
In 17 CFR §§ 240.17a-3 and 240.17a-4, the SEC stipulates recordkeeping requirements, including retention periods, for the securities broker-dealer industry. On February 12, 1997, the SEC adopted amendments to 17 CFR
The Commission is adopting a rule today which, instead of specifying the type of storage technology that may be used, sets forth standards that the electronic storage media must satisfy to be considered an acceptable method of storage under Rule17a–42. [emphasis added]
Further, the SEC issued two Interpretive Releases (No. 34-44238 on May 1, 2001, and No. 34-47806 on May 7, 2003), which pertain specifically to the electronic storage media requirements of paragraph (f).
For additional information, refer to Section 5.1, Overview of SEC Rule 17a-4(f) Electronic Records Storage Requirements.
Financial Industry Regulatory Authority (FINRA) Rule 4511(c) explicitly defers to the format and media requirements of SEC Rule 17a-4, for the books and records it requires.
All books and records required to be made pursuant to the FINRA rules shall be preserved in a format and media that complies with SEA [Securities Exchange Act] Rule 17a-4.
Effective August 28, 2017, 17 CFR § 1.31 (the CFTC Rule), the Commodity Futures Trading Commission (CFTC) promulgated principles-based requirements for organizations electing to retain electronic regulatory records. These amendments modernize and establish technology-neutral requirements for the form and manner of retention and the inspection and production of regulatory records.
Refer to Section 3, Summary Assessment of Compliance with CFTC Rule 1.31(c)-(d), which, correlates the CFTC principles-based requirements to the capabilities of MinIO Object Storage with Object Lock. Additionally, refer to Section 5.3, Overview of CFTC Rule 1.31(c)-(d) Electronic Regulatory Records Requirements.
To obtain an independent and objective assessment of the compliance capabilities of MinIO Object Storage, MinIO engaged Cohasset Associates, Inc. (Cohasset). As a highly respected consulting firm, Cohasset has recognized expertise and more than 40 years of experience with the legal, technical and operational issues associated with the records management practices of companies regulated by the SEC and the CFTC. Additional information about Cohasset is provided in the last section of this report.
MinIO engaged Cohasset to:
In addition to applying the information in this Assessment Report, regulated entities must ensure that the combination of its policies, procedures and regulatory submissions, in conjunction with the capabilities of implemented electronic recordkeeping solutions, meet all applicable requirements.
This assessment represents the professional opinion of Cohasset and should not be construed as either an endorsement or a rejection, by Cohasset, of MinIO Object Storage and its capabilities or other MinIO products or services. The information utilized by Cohasset to conduct this assessment consisted of: (a) oral discussions, (b) system documentation, (c) user and system administrator guides, and (d) other directly related materials provided by MinIO or obtained from publicly available resources.
The content and conclusions of this assessment are not intended, and must not be construed, as legal advice. Relevant laws and regulations constantly evolve, and legal advice is tailored to the specific circumstances of the organization. Therefore, nothing stated herein should be substituted for the advice of competent legal counsel.
MinIO Object Storage is a high performance, distributed, private cloud object storage system that is designed for compatibility with the Amazon Simple Storage Service (S3) protocol. The MinIO Object Storage environment runs on industry standard hardware and is fully open source. MinIO supports traditional object storage, such as secondary storage, disaster recovery and archiving as well as modern use cases, such as advanced analytics, AI (artificial intelligence)/ML (machine learning) and high-performance primary storage for Kubernetes environments.
MinIO Object Storage architecture (illustrated in the diagram) consists of the following components:
Cohasset assessed the capabilities of MinIO Object Storage, Release 172, configured with Object Lock enabled and Object Lock mode set to Compliance, when on-premises, running on MinIO qualified hardware.
Note: Deploying MinIO in Gateway mode or on public cloud storage are outside of the scope of this Assessment Report.
The following section documents Cohasset’s assessment of MinIO, relative to the pertinent requirements in SEC Rule 17a-4(f). Throughout this report, the above described operating environment of MinIO will be assessed.