SEC Rule 17a-4: WORM storage vs the audit-trail alternative
SEC Rule 17a-4 governs how broker-dealers preserve their books and records, and since October 2022 it offers two paths for electronic records: the traditional WORM standard, or an audit-trail alternative under which a system may allow changes provided it keeps a complete, time-stamped, tamper-evident trail of every change and can re-create the original record. Understanding what the alternative actually demands is the difference between modernising your recordkeeping and failing an examination with newer technology.
This guide covers what changed in 2022, what the audit-trail alternative requires in engineering terms, and how to evaluate a recordkeeping system against either path. It is written for the people who build and buy these systems rather than for securities lawyers, though the primary sources are linked throughout and nothing here substitutes for counsel.
What Rule 17a-4 covers
Rule 17a-4 is the Securities Exchange Act rule requiring broker-dealers to preserve specified books and records, including communications sent and received, trade and order records, and customer account documents, for defined periods and in a form regulators can promptly obtain.
The rule has three practical dimensions. Scope: what counts as a record, which is broad, famously including business communications on any channel, the provision behind the roughly $289 million in penalties the SEC imposed on eleven firms in August 2023 over unarchived messaging-app communications. Retention: how long each record class is kept, commonly three years, with central books and customer account records generally at six, and the first two years of any required record in an easily accessible place. Form: the requirements an electronic recordkeeping system must meet, which is where WORM and the audit-trail alternative live, in Rule 17a-4(f).
For decades the form requirement had one answer. Records had to be preserved exclusively in a non-rewriteable, non-erasable format, the WORM standard, written in an era of optical disks and carried forward into compliant disk arrays and object-storage retention locks. WORM is conceptually simple and remains fully valid. It is also rigid: it forces a separate compliance-only storage estate, makes legitimate corrections awkward, and describes how storage media behaves rather than what actually makes a record trustworthy.
What the 2022 amendments changed
On 12 October 2022 the SEC adopted amendments to Rule 17a-4 (Release No. 34-96034) that kept the WORM standard as an option and added an audit-trail alternative, alongside related changes including the removal of the requirement to notify a firm's designated examining authority before using an electronic recordkeeping system, and more flexible undertakings for third-party recordkeeping arrangements. The Commission's stated aim was to modernise requirements that predated two decades of technological change.
The audit-trail alternative, set out in Rule 17a-4(f)(2)(ii)(A), requires an electronic recordkeeping system that preserves records in a manner maintaining a complete time-stamped audit trail including:
- all modifications to and deletions of a record or any part of it;
- the date and time of operator entries and actions that create, modify or delete the record;
- the individual or individuals creating, modifying or deleting the record; and
- any other information needed to maintain an audit trail of each distinct record in a way that maintains the record's security, signatures and data to ensure its authenticity and reliability, and that permits re-creation of the original record if it is modified or deleted.
Read as an engineering specification, that is: capture every write as an attributed, timestamped event; never lose a prior state; and be able to prove both the sequence and the content of what happened. A firm electing the alternative must meet all of it, and the retention periods, accessibility requirements and prompt-production obligations of the wider rule apply unchanged.
WORM vs audit trail: how to think about the choice
| WORM | Audit-trail alternative | |
|---|---|---|
| Core idea | Records cannot be changed, by construction of the storage | Records can change, but every change is captured and the original is re-creatable |
| Where integrity lives | In the storage medium's write-once property | In the completeness and trustworthiness of the trail |
| Corrections and lifecycle | Awkward; corrections become new records beside immutable originals | Natural; amendments are events in the trail |
| Typical implementation | Object-lock storage, compliant archive platforms | Event-sourced or versioned systems with attributed change capture |
| The hard question an examiner asks | Is every in-scope record actually landing in the WORM store? | Could the trail itself have been altered without detection? |
The last row is the one that matters. WORM's weakness is coverage: the storage is trustworthy, but only for what reaches it, and the gap between a record's creation and its archival is where problems live. The audit-trail alternative's weakness is circularity: it proves record history by reference to a trail, so the entire compliance claim now rests on the integrity of the trail itself. An audit trail held as ordinary rows in a database that administrators can quietly rewrite does not "maintain security... to ensure the authenticity and reliability of the record". It merely relocates the original problem.
What makes an audit trail trustworthy
An audit trail can carry the weight the alternative places on it only if it is tamper-evident: constructed so that any alteration, deletion or reordering of trail entries is detectable after the fact.
A tamper-evident audit trail is one in which each entry is cryptographically linked to its predecessors, typically by hash chaining, and batches of entries are sealed under digital signatures, so that recomputation reveals any change to historical entries.
The engineering ladder runs from access controls (necessary, insufficient, because someone always holds the higher privilege), through write-once storage of the trail (which quietly reintroduces WORM one layer down, and still leaves verification as an act of trust in the operator), to cryptographic tamper-evidence, where the trail's integrity is a property anyone can check by computation. The strongest version makes that check independently runnable: an examiner, an auditor or a counterparty verifies the trail's completeness and the re-creatability of original records without trusting the firm or its vendor. This is the design Sigilbase implements for application-level records and events: every entry is hash-chained on write, sealed into signed checkpoints, and exportable as an evidence bundle that verifies offline with an open-source verifier, so "the trail is intact" is a demonstrable fact rather than an assertion.
The honest boundary matters here: an event-integrity layer of this kind is a component of an audit-trail-alternative architecture, the part that makes the trail itself defensible, not a turnkey books-and-records platform. Communications archiving, record classification, retention scheduling and the rule's undertaking arrangements are their own problems, and a firm's overall system is what an examiner evaluates.
Evaluating a system against the alternative
Whether building or buying, the questions that map directly to the rule's four elements:
Completeness. Does every create, modify and delete of an in-scope record produce a trail entry, enforced at the system level rather than by application discipline? Can anything write to the record store without writing to the trail?
Attribution and time. Does each entry carry the acting individual (not a shared service identity) and a timestamp from synchronised clocks? Cross-system timelines fail at exactly the moment an examination needs them.
Re-creation. Given any record and any point in its history, can the system reproduce the original content, not merely report that a change occurred? Deltas without recoverable originals fail the plain text of the requirement.
Trail integrity. If someone with the highest level of access had altered a trail entry last year, what would detect it? This is the question that separates an audit trail from a log table, and the one worth asking every vendor whose brochure says "17a-4 compliant".
Production. Can records and their trails be extracted, for a regulator, promptly and in a usable form, with their integrity demonstrable outside the system that produced them?
Where this is heading
The 2022 amendments describe trustworthy records by their properties rather than their storage media, and that framing is spreading: examiners increasingly ask how any record system, WORM or not, would evidence its own integrity. Firms replatforming their recordkeeping have a rare alignment available, where the architecture that satisfies the regulator, event-sourced records with a cryptographically verifiable trail, is also simply better engineering than a compliance-only archive bolted alongside production systems.
Primary sources: the SEC's adopting release and summary of the amendments, the text of Rule 17a-4, and FINRA Rule 4511. For the broader question of what makes audit logs defensible across frameworks, see our guide to audit log requirements.
Sigilbase turns audit logs into provable evidence. Join the waitlist for early access.
Frequently asked questions
What is SEC Rule 17a-4?
Rule 17a-4 under the Securities Exchange Act sets out how broker-dealers must preserve their books and records, including communications, trade records and customer account documents. It defines what must be kept, for how long, in what form, and how quickly records must be produced to regulators on request.
Is WORM storage still required for 17a-4 compliance?
No, not exclusively. The SEC's October 2022 amendments kept WORM (write once, read many) as one permitted approach but added an audit-trail alternative. A firm's electronic recordkeeping system must now meet either the WORM requirement or the audit-trail requirement.
What does the 17a-4 audit-trail alternative require?
The system must maintain a complete time-stamped audit trail covering all modifications to and deletions of a record, the date, time and identity of the individuals creating, modifying or deleting records, and any other information needed to maintain the record's authenticity and reliability and to permit re-creation of the original record if it is altered, overwritten or erased.
How long must broker-dealer records be retained under 17a-4?
It varies by record type. Many records carry a three-year period, while central books and records and customer account documents are generally retained for six years, with the first two years in an easily accessible place. The retention clock and accessibility requirements apply regardless of whether a firm uses WORM or the audit-trail alternative.
What is tamper-evident recordkeeping?
Recordkeeping where any alteration to a stored record is detectable after the fact, typically through append-only storage, cryptographic hash chains linking records in sequence, and digital signatures over sealed batches. Tamper-evidence is the property the audit-trail alternative depends on, because an audit trail that could itself be silently edited proves nothing.
Does FINRA have the same requirements?
FINRA Rule 4511 requires members to preserve books and records in a format and media that complies with SEA Rule 17a-4, so the SEC amendments flow through to FINRA members directly. A system evaluated against 17a-4's requirements is being evaluated against FINRA's too.
Join the waitlist
Building now. Early access for teams preparing SOC 2, ISO 27001, or PCI DSS evidence.
Could not save your email. Try again or write to [email protected].
No spam, one email when it opens.