Cohasset Associates Report

MinIO Object Storage: SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) Compliance Assessment


1 | Introduction

Regulators, world-wide, establish explicit requirements for regulated entities that elect to retain books and records[1] on electronic storage media. Given the prevalence of electronic books and records, these requirements apply to most broker-dealer and commodity futures trading firms and other organizations with similarly regulated operations.

This Introduction briefly summarizes the regulatory environment pertaining to this assessment, explains the purpose and approach for Cohasset’s assessment, and provides an overview of MinIO Object Storage and the scope of this assessment.

1.1 Overview of the Regulatory Requirements

1.1.1 SEC Rule 17a-4(f) Requirements

In 17 CFR §§ 240.17a-3 and 240.17a-4, the SEC stipulates recordkeeping requirements, including retention periods, for the securities broker-dealer industry. On February 12, 1997, the SEC adopted amendments to 17 CFR

The Commission is adopting a rule today which, instead of specifying the type of storage technology that may be used, sets forth standards that the electronic storage media must satisfy to be considered an acceptable method of storage under Rule 17a–4[2]. [emphasis added]

Further, the SEC issued two Interpretive Releases (No. 34-44238 on May 1, 2001, and No. 34-47806 on May 7, 2003), which pertain specifically to the electronic storage media requirements of paragraph (f).

For additional information, refer to Section 5.1, Overview of SEC Rule 17a-4(f) Electronic Records Storage Requirements.

1.1.2 FINRA Rule 4511(c) Requirements

Financial Industry Regulatory Authority (FINRA) Rule 4511(c) explicitly defers to the format and media requirements of SEC Rule 17a-4 for the books and records it requires.

All books and records required to be made pursuant to the FINRA rules shall be preserved in a format and media that complies with SEA [Securities Exchange Act] Rule 17a-4.

1.1.3 CFTC Rule 1.31(c)-(d) Requirements

Effective August 28, 2017, in 17 CFR § 1.31 (the CFTC Rule), the Commodity Futures Trading Commission (CFTC) promulgated principles-based requirements for organizations electing to retain electronic regulatory records. These amendments modernize and establish technology-neutral requirements for the form and manner of retention and the inspection and production of regulatory records.

Refer to Section 3, Summary Assessment of Compliance with CFTC Rule 1.31(c)-(d), which correlates the CFTC principles-based requirements to the capabilities of MinIO Object Storage with Object Lock. Additionally, refer to Section 5.3, Overview of CFTC Rule 1.31(c)-(d) Electronic Regulatory Records Requirements.

1.2 Purpose and Approach

To obtain an independent and objective assessment of the compliance capabilities of MinIO Object Storage, MinIO engaged Cohasset Associates, Inc. (Cohasset). As a highly respected consulting firm, Cohasset has recognized expertise and more than 40 years of experience with the legal, technical and operational issues associated with the records management practices of companies regulated by the SEC and the CFTC. Additional information about Cohasset is provided in the last section of this report.

MinIO engaged Cohasset to:

  • Assess the capabilities of MinIO Object Storage in comparison to the five requirements of SEC Rule 17a-4(f) for the recording and non-rewriteable, non-erasable storage of electronic records; see Section 2, Assessment of Compliance with SEC Rule 17a-4(f); and
  • Associate the principles-based requirements of CFTC Rule 1.31(c)-(d) to the assessed capabilities of MinIO Object Storage; see Section 3, Summary Assessment of Compliance with CFTC Rule 1.31(c)-(d); and
  • Prepare this Assessment Report, enumerating the results of its assessment.

In addition to applying the information in this Assessment Report, regulated entities must ensure that the combination of their policies, procedures and regulatory submissions, in conjunction with the capabilities of implemented electronic recordkeeping solutions, meets all applicable requirements.

This assessment represents the professional opinion of Cohasset and should not be construed as either an endorsement or a rejection, by Cohasset, of MinIO Object Storage and its capabilities or other MinIO products or services. The information utilized by Cohasset to conduct this assessment consisted of: (a) oral discussions, (b) system documentation, (c) user and system administrator guides, and (d) other directly related materials provided by MinIO or obtained from publicly available resources.

The content and conclusions of this assessment are not intended, and must not be construed, as legal advice. Relevant laws and regulations constantly evolve, and legal advice is tailored to the specific circumstances of the organization. Therefore, nothing stated herein should be substituted for the advice of competent legal counsel.

1.3 MinIO Object Storage Overview and Assessment Scope

MinIO Object Storage is a high performance, distributed, private cloud object storage system that is designed for compatibility with the Amazon Simple Storage Service (S3) protocol. The MinIO Object Storage environment runs on industry standard hardware and is fully open source. MinIO supports traditional object storage, such as secondary storage, disaster recovery and archiving as well as modern use cases, such as advanced analytics, AI (artificial intelligence)/ML (machine learning) and high-performance primary storage for Kubernetes environments.

MinIO Object Storage architecture (illustrated in the diagram) consists of the following components:

  • The S3 APIs (application programming interface) natively support Amazon S3 APIs, which can be used for data management, collaboration and archiving.
  • Object Layer performs erasure code, bitrot check, and encryption functions.
  • Storage Layer is responsible for storing and retrieving objects, stored in Buckets, from physical media.
  • Node is an instance of a MinIO Server.
  • Node Cluster is an unlimited collection of distributed Nodes.
  • Buckets are cluster spanning logical containers that store record objects, including individual versions of a given record object. Each object consists of the content and its descriptive metadata.


Cohasset assessed the capabilities of MinIO Object Storage, Release 172, configured with Object Lock enabled and Object Lock mode set to Compliance, when on-premises, running on MinIO qualified hardware.

Note: Deploying MinIO in Gateway mode or on public cloud storage is outside the scope of this Assessment Report.

The following section documents Cohasset’s assessment of MinIO, relative to the pertinent requirements in SEC Rule 17a-4(f). Throughout this report, the above-described operating environment of MinIO will be assessed.

  • 1 Regulators use the phrase books and records to describe information about certain business transactions, customers, personnel and other administrative activities that must be retained. Accordingly, Cohasset has used the term record object (versus data or object) to consistently recognize that the content is a required record.
  • 2 Exchange Act Release No. 38245 (Feb. 5, 1997), 62 FR 6470 (Feb. 12, 1997) (“Adopting Release”).