MinIO Object Storage: SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d)
Compliance Assessment
The objective of this section is to document Cohasset’s assessment of the capabilities of MinIO Object Storage, as described in Section 1.3, MinIO Object Storage Overview and Assessment Scope, in comparison to the CFTC requirements.
The individual relevant requirements cited in Section 2, Assessment of Compliance with SEC Rule 17a-4(f), are based on the wording in SEC Rule 17a-4(f) and Cohasset’s interpretation of the requirements, given the associated SEC Interpretive Releases. Specifically, the SEC’s 2003 Interpretive Release reiterates that the Rule sets forth standards that the electronic storage media must satisfy to be considered an acceptable method of storage under SEC Rule 17a-4:
A broker-dealer would not violate the requirement in paragraph (f)(2)(ii)(A) of the rule if it used an electronic storage system that prevents the overwriting, erasing or otherwise altering of a record during its required retention period through the use of integrated hardware and software control codes. [emphasis added]
Accordingly, it is Cohasset’s opinion that the requirements set forth in SEC Rule 17a-4(f) are technology-neutral and apply to any electronic solution with (a) integrated control codes that extend to the electronic storage system and (b) features that deliver capabilities that meet the requirements of the Rule.
The August 28, 2017, amendments to CFTC Rule 1.31 establish technology-neutral, principle-based requirements. As illustrated in the table in this section, it is Cohasset’s opinion that the requirements of the modernized CFTC Rule may be achieved by meeting the SEC requirements.
When comparing the capabilities of MinIO Object Storage that align with the SEC requirements to the principles-based CFTC requirements, it is essential to recognize that the SEC Rule separately describes requirements for index data and audit trail, whereas the CFTC in 17 CFR § 1.31(a) establishes an expanded definition of an electronic regulatory record to include the information as specified in paragraphs (i) and (ii) below.
Definitions. For purposes of this section:
Electronic regulatory records means all regulatory records other than regulatory records exclusively created and maintained by a records entity on paper.
Records entity means any person required by the Act or Commission regulations in this chapter to keep regulatory records.
Regulatory records means all books and records required to be kept by the Act or Commission regulations in this chapter, including any record of any correction or other amendment to such books and records, provided that, with respect to such books and records stored electronically, regulatory records shall also include:
(i) Any data necessary to access, search, or display any such books and records; and
(ii) All data produced and stored electronically describing how and when such books and records were created, formatted, or modified. [emphasis added]
The focus of Cohasset’s assessment, presented in Section 2, pertains to MinIO Object Storage, when Object Lock mode is set to Compliance, which is highly restricted and assures that the storage solution applies controls to (a) protect immutability of the record content and certain system metadata and (b) prevent deletion over the applied retention period.
In the following table, Cohasset correlates the capabilities of MinIO Object Storage, when Object Lock mode is set to Compliance, to the principles-based CFTC requirements related to the form and manner of retention and the inspection and production of regulatory records. In addition, Cohasset contends that MinIO Object Storage, with record objects stored in Governance Mode (which is less restrictive), meets these principles-based CFTC requirements, when the regulated entity applies appropriate procedural controls to oversee operations that may allow content to be modified or deleted prior to expiration of the retention period. This less restrictive Governance Mode option provides flexibility to remove retention controls, which may be beneficial for compliance with privacy and data protection requirements.
The left-hand column lists the principles-based CFTC requirements. The middle column provides Cohasset’s analysis and opinion regarding the ability of MinIO Object Storage with Object Lock to meet the requirements for electronic regulatory records in CFTC Rule 1.31(c)-(d). In addition, for ease of reference, the right-hand column lists the correlated SEC requirements.